
Re: Windows Defender problem reported by MICROSOFT

Here's my clean install system. It was rebooted after using the removal tool, rebooted after clean installing the October update and rebooted a couple times since. Like I reported yesterday, for a brief period a couple hours after installing the October update package it suddenly showed ENS was running but then changed its state again to WD running after a reboot and hasn't reported properly since. 

cleaninstall1.jpg, cleaninstall2.jpg

Michael

Re: Windows Defender problem reported by MICROSOFT

As others have stated, disabling Windows Defender isn't an option. WD is supposed to recognize ENS is installed and enabled and allow it to be the primary and only running antimalware system.

Michael

Re: Windows Defender problem reported by MICROSOFT

@meanoldmanning, would you mind posting your

get-wmiobject -namespace "root\securitycenter2" -class "antivirusproduct"

?

Re: Windows Defender problem reported by MICROSOFT

Also, @meanoldmanning, a screenshot of your "about" for ENS (showing version #'s)?

Re: Windows Defender problem reported by MICROSOFT

About

About.jpg

Michael

Re: Windows Defender problem reported by MICROSOFT

This is the clean install machine. All 3 of the test laptops turn out the same result. Note the timestamp on the first ENS instance listed.

__GENUS                  : 2
__CLASS                  : AntiVirusProduct
__SUPERCLASS             :
__DYNASTY                : AntiVirusProduct
__RELPATH                : AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-F2FAB48962E3}"
__PROPERTY_COUNT         : 6
__DERIVATION             : {}
__SERVER                 :  PC----P
__NAMESPACE              : ROOT\securitycenter2
__PATH                   : \\PC----P\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-F2FAB
                           48962E3}"
displayName              : McAfee Endpoint Security
instanceGuid             : {1006DC03-1FB1-9E52-7C81-F2FAB48962E3}
pathToSignedProductExe   : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState             : 397312
timestamp                : Mon, 30 Sep 2019 18:05:26 GMT
PSComputerName           : PC----P
__GENUS                  : 2
__CLASS                  : AntiVirusProduct
__SUPERCLASS             :
__DYNASTY                : AntiVirusProduct
__RELPATH                : AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
__PROPERTY_COUNT         : 6
__DERIVATION             : {}
__SERVER                 :  PC----P
__NAMESPACE              : ROOT\securitycenter2
__PATH                   : \\PC----P\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132
                           C1ACF46}"
displayName              : Windows Defender
instanceGuid             : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe   : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState             : 397568
timestamp                : Wed, 09 Oct 2019 13:43:08 GMT
PSComputerName           : PC----P
__GENUS                  : 2
__CLASS                  : AntiVirusProduct
__SUPERCLASS             :
__DYNASTY                : AntiVirusProduct
__RELPATH                : AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}"
__PROPERTY_COUNT         : 6
__DERIVATION             : {}
__SERVER                 :  PC----P
__NAMESPACE              : ROOT\securitycenter2
__PATH                   : \\PC----P\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-9F992
                           7D6940F}"
displayName              : McAfee Endpoint Security
instanceGuid             : {A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}
pathToSignedProductExe   : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState             : 393232
timestamp                : Wed, 09 Oct 2019 13:43:06 GMT
PSComputerName           :  PC----P
 
Michael

Re: Windows Defender problem reported by MICROSOFT

@meanoldmanning, your About looks almost identical to mine (versions of platform, TP, amcore, dats, etc) (I'm not running firewall or web control)

From your WMI powershell output, it looks like you also have duplicate ENS providers now... Good times...  However, on yours, the "newer" ENS provider registration (10/9) has the "older" productState (393232).  If WSC/WDA does any kind of querying of WMI, by date descending (to get the latest), this could be your issue (again, many assumptions on my part).

On mine, both duplicate entries have productState 397312.

If you're feeling brave, I'd run the VB script located here, Delete AntiVirusProduct WMI - Clear the anti-virus WMI class from an elevated command prompt (which I have personally run before), then reboot, then... wait (maybe 3 minutes?)... while Microsoft and McAfee re-register themselves (WSC seems to take a bit to get AV status), then re-run the get-wmiobject powershell command again.


Re: Windows Defender problem reported by MICROSOFT

So, here's something fun and should not have to be the acceptable 'solution'. I had NOT enabled debug logging on the test laptops because, you know, that shouldn't be how this gets fixed. I decided to assign a policy to the clean install computer that enabled logging and after a reboot it reports correctly - for now. We'll see how long that lasts because the laptop I use daily also has debug logging enabled and does NOT report correctly (update install).

Michael

Re: Windows Defender problem reported by MICROSOFT

@meanoldmanning, agreed.

When I had debugging on before the October update release, it changed the productState to 397312, so appeared to work (see my posts re: workaround), however, after a random daily update (perhaps AMCore) the productState returned to 343232 which reintroduced the issue.

I also noticed, during "clean install" testing, the Endpoint Product Removal Tool does not delete errant/old McAfee AV providers, which is when I ran that VBScript.

@chealey, is there a chart or link you could post that indicates how to decode productState?  i.e. what's 397312 vs. 343232?
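
The productState decode asked about above, combined with the duplicate-registration check raised in the earlier reply, as an added example that is not part of any post in this thread. The function names are hypothetical, and the byte layout is the commonly circulated community interpretation of productState, an assumption rather than a format documented by Microsoft or McAfee.

```powershell
# Added example, not from the thread. ASSUMPTION: the byte meanings are the
# commonly circulated community reading of productState, not a documented format.
function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][int]$ProductState)
    $stateByte = ($ProductState -shr 8) -band 0xFF   # protection state byte
    $sigByte   = $ProductState -band 0xFF            # definition status byte
    [pscustomobject]@{
        Hex               = '0x{0:X6}' -f $ProductState
        Enabled           = ($stateByte -band 0x10) -ne 0
        SignaturesCurrent = $sigByte -eq 0
    }
}

function Get-AvProviderReport {
    param([Parameter(Mandatory)][object[]]$Product)
    $inv = [cultureinfo]::InvariantCulture
    foreach ($group in ($Product | Group-Object -Property displayName)) {
        # Newest registration first; the timestamp property is an RFC 1123 string.
        $sorted = @($group.Group | Sort-Object -Descending -Property {
            [datetime]::ParseExact($_.timestamp, 'r', $inv) })
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $decoded = ConvertFrom-ProductState -ProductState $sorted[$i].productState
            [pscustomobject]@{
                displayName       = $group.Name
                instanceGuid      = $sorted[$i].instanceGuid
                timestamp         = $sorted[$i].timestamp
                productState      = $decoded.Hex
                Enabled           = $decoded.Enabled
                SignaturesCurrent = $decoded.SignaturesCurrent
                Newest            = ($i -eq 0)               # latest registration for this product
                Duplicate         = ($sorted.Count -gt 1)    # more than one provider entry
            }
        }
    }
}

# Sample input: the three registrations from the WMI output posted in this thread.
$sample = @(
    [pscustomobject]@{ displayName = 'McAfee Endpoint Security'; instanceGuid = '{1006DC03-1FB1-9E52-7C81-F2FAB48962E3}'; productState = 397312; timestamp = 'Mon, 30 Sep 2019 18:05:26 GMT' }
    [pscustomobject]@{ displayName = 'Windows Defender'; instanceGuid = '{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}'; productState = 397568; timestamp = 'Wed, 09 Oct 2019 13:43:08 GMT' }
    [pscustomobject]@{ displayName = 'McAfee Endpoint Security'; instanceGuid = '{A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}'; productState = 393232; timestamp = 'Wed, 09 Oct 2019 13:43:06 GMT' }
)
Get-AvProviderReport -Product $sample | Format-Table -AutoSize

# On a live endpoint, pass the real instances instead of $sample:
# Get-AvProviderReport -Product (Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct)
```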

Re: Windows Defender problem reported by MICROSOFT

Did you remove the agent as well when you ran the removal tool? 

Michael