
Re: Windows Defender problem reported by MICROSOFT

Neither install scenario (clean or update) resolves the issue with the new versions pushed to the software manager. The reporting error remains. I kind of assumed this would be the case since I wasn't advised to run these updates by the fellow assigned to my ticket.

Michael

Re: Windows Defender problem reported by MICROSOFT

@chealey, @meanoldmanning has indicated the issue still isn't fixed.  I believe you told us it would be fixed in the next release, "This issue will be addressed in the next release of the product which is targeted for October."  Also, my support case indicates,


Resolution: The issue is fixed now and will be targeted in the next release of ENS version


And that was prior to THIS release............... So................. umm.................... ::biting tongue trying to stay civil::

Re: Windows Defender problem reported by MICROSOFT

OK, after sitting for a couple hours now the laptop that had a clean install is still reporting that McAfee is OFF and Windows Defender is ON. However, the laptop that had McAfee 'updated' to the new versions now has switched to McAfee reporting it is ON and Windows Defender is OFF. Weird.

EDIT - and now 40 minutes or so later the laptop on which I did a clean install suddenly is reporting properly. Both the laptops had run an update around the same time so I'm not sure there was a content update that triggered either one to turn on.

EDIT 2 - Rebooting causes the reporting issue to return, at least short term. I'm not sure how quickly it clears up, but maybe 10 minutes after rebooting it still reports McAfee is OFF

Michael

Re: Windows Defender problem reported by MICROSOFT

@meanoldmanning  Thanks for the investigative work.  Just curious, did you implement the "debug logging" workaround?  I did, and it seems to work most of the time, but when ENS updates (a daily task), I think AMCore, it returns to McAfee is off...

Re: Windows Defender problem reported by MICROSOFT

No, not on the test machines, I wanted to see if the updates corrected the issue on their own. However, I did implement it on the computer I use daily. It was weird in that after implementing it WSC would report correctly until I restarted Windows, which I think you experienced too? But if I waited for several minutes (hour?) it would switch back to reporting correctly.

By the way, after sitting for more than an hour now after being rebooted the two test machines have NOT switched back to reporting correctly

Michael

Re: Windows Defender problem reported by MICROSOFT

@meanoldmanning, what does the output of


get-wmiobject -namespace "root\securitycenter2" -class "antivirusproduct"

show?  I guess, more specifically, the "productState"

On mine, it's currently:


__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-F2FAB48962E3}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DEL7810-0219
__NAMESPACE : ROOT\securitycenter2
__PATH : \\DEL7810-0219\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-
F2FAB48962E3}"
displayName : McAfee Endpoint Security
instanceGuid : {1006DC03-1FB1-9E52-7C81-F2FAB48962E3}
pathToSignedProductExe : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState : 393232
timestamp : Tue, 08 Oct 2019 12:33:32 GMT
PSComputerName : DEL7810-0219

__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DEL7810-0219
__NAMESPACE : ROOT\securitycenter2
__PATH : \\DEL7810-0219\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-
DA132C1ACF46}"
displayName : Windows Defender
instanceGuid : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState : 393472
timestamp : Tue, 01 Oct 2019 11:56:37 GMT
PSComputerName : DEL7810-0219

And I think we determined previously that the issue was related to how WSC is interpreting the productState.  If yours is still showing 393232 (and one assumes Microsoft didn't change how Windows interprets productState [...more...] for this McAfee issue) then it would appear, in addition to everything you mentioned, that the new ENS build does not correct the issue...

When the "debug logging" workaround was working, the productState on my machine was (now seemingly randomly) set to 397312, which caused WSC and WDA to behave properly...

@chealey anything?  Hello?

Re: Windows Defender problem reported by MICROSOFT

So, curiously I have two instances of McAfee Endpoint Security listed when I run that script. In order, I see ENS, Defender and then ENS again. The first ENS instance reports Product State 397312, then Windows Defender reports 397568 and then the second instance of ENS shows 393232. This is on both machines, either updated or clean installed. In talking to the fellow assigned to my ticket the first ENS reference is an artifact left behind in the registry. I'll copy the results in later if you like, I was trying to save space.

Michael
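
Added example (not part of any post in this thread): a PowerShell helper that splits productState into protection state, signature status and owner, run over the four values quoted in the posts above. The bit layout is the unofficial one commonly cited for root\securitycenter2, and it and the function name Convert-AvProductState are assumptions, not documented by Microsoft or McAfee.

```powershell
# Decode AntiVirusProduct.productState from root\securitycenter2.
# ASSUMPTION: unofficial, community-derived layout (Microsoft does not document it):
#   0xF000 = protection state, 0x0F00 = product owner, 0x00F0 = signature status.
function Convert-AvProductState {      # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [uint32]$ProductState,
        [Parameter(ValueFromPipelineByPropertyName)]
        [string]$DisplayName = '(unknown)'
    )
    process {
        $stateNibble = ($ProductState -band 0xF000) -shr 12
        $protection = switch ($stateNibble) {
            0 { 'Off' }
            1 { 'On' }
            2 { 'Snoozed' }
            3 { 'Expired' }
            default { "Unknown($stateNibble)" }
        }
        [pscustomobject]@{
            DisplayName  = $DisplayName
            ProductState = $ProductState
            Hex          = '0x{0:X6}' -f $ProductState
            Protection   = $protection
            Signatures   = if (($ProductState -band 0x00F0) -eq 0x10) { 'OutOfDate' } else { 'UpToDate' }
            Owner        = if (($ProductState -band 0x0F00) -eq 0x0100) { 'Windows' } else { 'NonMicrosoft' }
        }
    }
}

# Constructed sample: the productState values quoted in this thread.
$samples = @(
    [pscustomobject]@{ DisplayName = 'McAfee Endpoint Security'; ProductState = 393232 }
    [pscustomobject]@{ DisplayName = 'McAfee Endpoint Security'; ProductState = 397312 }
    [pscustomobject]@{ DisplayName = 'Windows Defender';         ProductState = 393472 }
    [pscustomobject]@{ DisplayName = 'Windows Defender';         ProductState = 397568 }
)
$decoded = $samples | Convert-AvProductState
$decoded | Format-Table -AutoSize

# More than one row per DisplayName on a live system points at a stale
# provider registration like the duplicate ENS entries described above.
$decoded | Group-Object DisplayName | Where-Object Count -gt 1 |
    Select-Object Name, Count

# Live use on an endpoint:
# Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
#     Convert-AvProductState
```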

Re: Windows Defender problem reported by MICROSOFT

I also had multiple ENS providers listed in WMI.  At first, I thought that was the issue, or that WSC was reading the productState of the wrong ENS instance.

Completely at a loss, I used the Endpoint Product Removal tool to uninstall everything McAfee, then happened upon Delete AntiVirusProduct WMI - Clear the anti-virus WMI class from 2014 which has a VB script to clean up the errant entries in WMI.

It mentions, "After a reboot of the client machine, WMI will rebuild this class." which it indeed did on my system.  Like I mentioned, ENS was not installed at the time, but WSC/WDA DID re-register itself as an AV provider in WMI (one hopes ENS would do the same).

YMMV, and disclaimer disclaimer disclaimer, this has the potential to completely hose your system, don't use in a production environment, yadda yadda yadda.

At that point for me however, I was ready to format...

I then reinstalled ENS.  The WSC/WDA conflicts are still occurring, but I have no more errant WMI AV provider entries.

McAfee Employee chealey

Re: Windows Defender problem reported by MICROSOFT

Good morning all.

We tested an Early Access version of 10.6.1 October Update with customers who had their cases escalated to engineering and we received positive feedback from all of those customers. If the issue persists then this is unexpected and we would need to re-visit the issue along with fresh data from the systems. 

I would advise to ensure that once installing the October Update a reboot is performed and to ensure that Windows Defender is disabled via GPO to avoid any conflict. Further please do ensure that the AMCORE is also up to date.

Please follow up in your respective SRs if the issue is not fixed.

JayMan

Re: Windows Defender problem reported by MICROSOFT

We purposely don't disable Defender via GPO, so if McAfee was ever missing from the devices for any reason or genuinely broken we still have Defender as a fallback.

I'll test out the new update and see how it goes for my systems.
