Reliable Contributor SWISS
Reliable Contributor
Message 31 of 164

Re: Windows Defender and 10.6.1 JULY after Reboot ACTIVE (DUAL AV, Performance down)

How to check whether Windows Defender is disabled after installing Endpoint Security Threat Prevention

Technical Articles ID:   KB88214
Last Modified:  7/19/2018

Environment
McAfee Endpoint Security (ENS) Threat Prevention 10.x
Summary
As per the Windows Anti-Malware agreement, McAfee is not supposed to uninstall Windows Defender on Windows systems. We integrate with Windows Action Center (WAC) and when WAC sees that ENS Threat Prevention is installed, it disables Windows Defender.

Perform the following steps to check whether Windows Defender is disabled after installing ENS Threat Prevention:
  1. Open the Control Panel and check the status of Windows Defender.
  2. Check the status of the Windows Defender services:
    1. Press CTRL+ALT+DEL, and then select Task Manager.
    2. Click the Services tab.
    3. Check the status of the following services:
      • Windows Defender Network Inspection Service
      • Windows Defender Service
The Control Panel should show that Windows Defender is disabled and the Windows Defender services should be stopped. If the Windows Defender services are stopped, but the Control Panel is showing that Windows Defender is enabled, it is a system issue.
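
The KB88214 check quoted above, as a script (an added example, not part of the original post and not McAfee's code). It assumes `WinDefend` and `WdNisSvc` are the service names behind the two display names in the KB and that the `root/SecurityCenter2` WMI namespace reflects the status the Control Panel shows; the function name is hypothetical.

```powershell
# Added example (not McAfee's code). Assumptions: WinDefend / WdNisSvc are the
# service names behind the KB's display names; root/SecurityCenter2 (client
# SKUs only) is taken as the source of the status the Control Panel shows.
function Get-DefenderCoexistenceState {
    # KB step 2: state of the two Defender services.
    $services = foreach ($name in 'WinDefend', 'WdNisSvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        [pscustomobject]@{ Name = $name; Status = $status }
    }

    # KB step 1: AV products registered with Windows Security Center.
    $products = @(Get-CimInstance -Namespace 'root/SecurityCenter2' `
            -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName  = $_.displayName
                ProductState = '0x{0:X6}' -f $_.productState
                # productState is undocumented; bit 0x1000 is commonly read as "on".
                ReportedOn   = [bool]($_.productState -band 0x1000)
            }
        })

    $defenderRunning = [bool]($services |
        Where-Object { $_.Name -eq 'WinDefend' -and $_.Status -eq 'Running' })
    $defenderReportedOn = [bool]($products |
        Where-Object { $_.ReportedOn -and $_.DisplayName -match 'Defender' })
    $otherAvReportedOn = [bool]($products |
        Where-Object { $_.ReportedOn -and $_.DisplayName -notmatch 'Defender' })

    $verdict = if ($defenderRunning -and $otherAvReportedOn) {
        'DualAV: Defender service running next to another registered AV'
    } elseif (-not $defenderRunning -and $defenderReportedOn) {
        'Mismatch: services stopped but Defender reported on (system issue per KB)'
    } else {
        'Consistent'
    }

    [pscustomobject]@{
        Checked  = Get-Date
        LastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
        Services = $services
        Products = $products
        Verdict  = $verdict
    }
}

Get-DefenderCoexistenceState | Format-List
```

Because the thread reports the effect only shortly after a reboot, run it soon after logon and compare `Checked` with `LastBoot`.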

 

Re: Windows Defender and 10.6.1 JULY after Reboot ACTIVE (DUAL AV, Performance down)

ENS and WDA are definitely running concurrently:

Annotation 2019-09-05 114211.jpg

Reliable Contributor SWISS
Reliable Contributor
Message 33 of 164

Re: Windows Defender and 10.6.1 JULY after Reboot ACTIVE (DUAL AV, Performance down)

The clients of the customer having the effect use the following ISO:

 

SW_DVD5_WIN_ENT_LTSC_2019_64-bit_German_MLF_X21-96437.ISO

 

W10 Enterprise LTSC 2019 64BIT GERMAN REFRESH VL

 

JayMan
Level 10
Message 34 of 164

Re: Windows Defender and 10.6.1 JULY after Reboot ACTIVE (DUAL AV, Performance down)

Something interesting I've found while trying to collect additional logs for support... I can't reproduce the error while ENS is set for debug logging & full access to client interface.

 

Still need to test which of these 2 settings makes the difference (or both?).

Reliable Contributor SWISS
Reliable Contributor
Message 35 of 164

Re: Windows Defender and 10.6.1 JULY after Reboot ACTIVE (DUAL AV, Performance down)

Ah so it's 4 people (CUSTOMERS) working now for Mcafee to solve their product bug?

What's that called social support? How about social pricing?

Reliable Contributor SWISS
Reliable Contributor
Message 36 of 164

WINDOWS DEFENDER + ENS 10.6.1 + W10 LTSC 2019 ENT GER 64BIT VL problem AMSI

Hello,

We have found the PART which makes it:

It's the AMSI Option. 

 

All we know at 14:28 o'clock 09.09.2019

* ISO: SW_DVD5_WIN_ENT_LTSC_2019_64-bit_German_MLF_X21-96437.ISO
* Fresh install from ISO ESX 6.5, E1000, No VMWARE Tool, Domain JOINED, NO GPO, NO other soft
* Reboot
* OK > Windows Defender Services UP
* Push Agent 5.6.1.308 > Reboot (Client IN NEW OU in EPO with Default McAfee Policy)
* OK > Windows Defender Services UP
* Push ENS 10.6.1 (Platform, Exploit + ATP Module [No Firewall Module]) > Reboot
* OK > Windows Defender Services DOWN (Except Firewall) > OK
* Assign Stepwise Policy from Productive
* When we APPLY Policy ON-ACCESS-SCAN and ENABLE AMSI BOX the effect comes
* ERROR > Windows Defender Services UP (Except Firewall) > OK
* ERROR > Warning from W10

 

Now to NOT completely MISUNDERSTAND and Maybe it should be like that? But nobody told all the people who had cases open?

Now when AMSI is working or AMSI is enabled should the Service "Windows Defender Antivirus Service" be running or NOT?? (Can it RUN and then TURN off). Is this by feature and how it should be?

On the machines WE HAD the effect this ONLY showed UP shortly after Reboot BUT then slowing down logon and GPO extreme.

It happens if you have the AMSI report only or sharp/active.

2019-09-09 14_25_26-local - visionapp Remote Desktop 2010.png

 

 

 

 

 

 

JayMan
Level 10
Message 37 of 164

Re: WINDOWS DEFENDER + ENS 10.6.1 + W10 LTSC 2019 ENT GER 64BIT VL problem AMSI

We have AMSI on (enforced, not observe), but not sure it's a factor. AMSI quite possibly does rely on the Defender service itself as it stems from Windows functionality (basically Windows passes the script from memory to the AV for traditional scanning, which would otherwise be missed since it's never in a file).

 

So far I've got 3 confirmed systems where this is repeatable on... and 1 that doesn't appear to show the issue (with the same OS build & ENS policies)... Very weird. We have a lot more deployments of ENS, but not enough time to go check each one individually to see if they're behaving the same for now... Nobody else is complaining, but in our case we aren't getting any AV not running popups, because Defender doesn't crash... both 'happily' run together.

Reliable Contributor SWISS
Reliable Contributor
Message 38 of 164

Re: WINDOWS DEFENDER + ENS 10.6.1 + W10 LTSC 2019 ENT GER 64BIT VL problem AMSI

We have AMSI on (enforced) on over 20 EPO Onpremise customers with all ENS 10.6.1 JULY Repost and Agent 5.6.3.108. Just finished updating all of them. The client base runs from around 900 clients with the same clients to SBS/KMU with different W10 Versions PRO/ENT 1809/17XX and 1903 in place.

All of them we turned AMSI on as you mentioned.

This is one of the first W10 LTSC 2019 we have in place and on VDI. Maybe the reason why we discovered it because we take an extreme close look to performance with that customer.

 

We have asked several times in the McAfee forums for MORE info regarding AMSI and ENS. Esp. we would like to know more info on LOG / DEBUG / Trace if something goes wrong outside the McAfee components.

 

 

 

 

 

 

 

JayMan
Level 10
Message 39 of 164

Re: WINDOWS DEFENDER + ENS 10.6.1 + W10 LTSC 2019 ENT GER 64BIT VL problem AMSI

I've tried with AMSI disabled today & the issue continues... So that's not the cause, at least in my instance.

 

Windows only seems to detect ENS correctly on my laptop after a reboot when debug logging is enabled for threat prevention.

Re: WINDOWS DEFENDER + ENS 10.6.1 + W10 LTSC 2019 ENT GER 64BIT VL problem AMSI

I also tried with:

  • AMSI on with Observe
  • AMSI on without Observe (I guess this means enforce)
  • AMSI off

The issue continued in all three scenarios (with "Check New Policies" and reboots in between).

About to try with TP debug logging on as suggested by @JayMan 

 
