McAfee Employee chealey
Message 121 of 167

Re: Windows Defender problem reported by MICROSOFT

I don't have a chart as such, but here are the states I know about:

ProductState=262144 = Up to Date Defs, On Access Scanning OFF

ProductState=266240 = Up to Date Defs, ON Access Scanning ON

ProductState=397328 = not Up to Date Defs, ON Access Scanning

ProductState=393216 = Up to Date Defs, On Access Scanning OFF

ProductState=397312 = Up to Date Defs, ON Access Scanning ON


Re: Windows Defender problem reported by MICROSOFT

Found this in another thread @Nielsb :

Thank you for the idea! I really need this.

Some extra productstate numbers

401408 = onaccess scan disabled

262144 = Antivirus Current - (On-Access Scanner OFF)

262160 = Antivirus Outdated - (On Access Scanner OFF)

266240 = Antivirus Current - (On Access Scanner ON)

266256 = Antivirus Outdated - (On Access Scanner ON)

393216 = Antivirus Current - (On-Access Scanner OFF)

393232 = Antivirus Outdated - (On Access Scanner OFF)

393488 = Antivirus Outdated - (On Access Scanner OFF)

397312 = Antivirus Current - (On Access Scanner ON)

397328 = Antivirus Outdated - (On Access Scanner ON)

397584 = Antivirus Outdated - (On Access Scanner ON)

Re: Windows Defender problem reported by MICROSOFT

@meanoldmanning, yes, removed ALL McAfee products with the tool...

Reliable Contributor SWISS
Message 124 of 167

W10, 1903, German, ENS 10.6 OCTOBER installed, WMI Report as wished

W10, 1903 PRO VL, German, All Updates until (except) 10/2019 from WSUS
get-wmiobject -namespace "root\securitycenter2" -class "antivirusproduct"

__GENUS                  : 2
__CLASS                  : AntiVirusProduct
__SUPERCLASS             :
__DYNASTY                : AntiVirusProduct
__RELPATH                : AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-F2FAB48962E3}"
__PROPERTY_COUNT         : 6
__DERIVATION             : {}
__SERVER                 : W10INDIA1201
__NAMESPACE              : ROOT\securitycenter2
__PATH                   : \\W10INDIA1201\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-F2F
                           AB48962E3}"
displayName              : McAfee Endpoint Security
instanceGuid             : {1006DC03-1FB1-9E52-7C81-F2FAB48962E3}
pathToSignedProductExe   : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState             : 397312
timestamp                : Wed, 09 Oct 2019 08:06:05 GMT
PSComputerName           : W10INDIA1201

__GENUS                  : 2
__CLASS                  : AntiVirusProduct
__SUPERCLASS             :
__DYNASTY                : AntiVirusProduct
__RELPATH                : AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
__PROPERTY_COUNT         : 6
__DERIVATION             : {}
__SERVER                 : W10INDIA1201
__NAMESPACE              : ROOT\securitycenter2
__PATH                   : \\W10INDIA1201\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA1
                           32C1ACF46}"
displayName              : Windows Defender
instanceGuid             : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe   : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState             : 393472
timestamp                : Thu, 19 Sep 2019 16:17:47 GMT
PSComputerName           : W10INDIA1201

__GENUS                  : 2
__CLASS                  : AntiVirusProduct
__SUPERCLASS             :
__DYNASTY                : AntiVirusProduct
__RELPATH                : AntiVirusProduct.instanceGuid="{9D4501E6-72F6-2877-C789-89AF6F535B2C}"
__PROPERTY_COUNT         : 6
__DERIVATION             : {}
__SERVER                 : W10INDIA1201
__NAMESPACE              : ROOT\securitycenter2
__PATH                   : \\W10INDIA1201\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{9D4501E6-72F6-2877-C789-89A
                           F6F535B2C}"
displayName              : McAfee Endpoint Security
instanceGuid             : {9D4501E6-72F6-2877-C789-89AF6F535B2C}
pathToSignedProductExe   : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState             : 397312
timestamp                : Wed, 14 Aug 2019 09:12:05 GMT

Re: Windows Defender problem reported by MICROSOFT

So three things I've noticed now:

Clean install and debug logging enabled - success

Running that script and then doing a clean install (though not enabling debugging) - success

Update install, debug logging enabled or not - no success

Michael

Re: W10, 1903, German, ENS 10.6 OCTOBER installed, WMI Report as wished

@SWISS, is yours working now?  Your output looks like mine with duplicate ENS entries, but both have productState 397312 (like mine).

Also, I noticed that after the initial reboot, ENS creates the duplicate WMI entry (checked on another machine after installing the October update, but before reboot and I had only two providers, WDA and ENS.  After reboot, a new ENS provider is added.)

@meanoldmanning:

First, I've updated my previous posts re: 343232... it was 393232... (disregard 343232).

Based on the list of productStates, 393232 indicates AV out of date, and on-access scan off.

I keep having a sneaking suspicion that this is still related to the ENS providers listed in WMI, and WSC potentially receiving a duplicate/errant ENS result (with incorrect productState) from WMI, and basing its decision (to keep WDA on and indicate ENS is OFF) on that...

I really think you should try to clear your providers, but then again, I'm hoping that doesn't fix the issue because there's no way I'm going to run around to all my client computers and manually clear providers...

Back to what I said almost forever ago, ENS really shouldn't be making any duplicate entries in the AV providers DB...

Re: W10, 1903, German, ENS 10.6 OCTOBER installed, WMI Report as wished

@billmoller On one laptop I ran the removal tool and the script which cleared the providers, then rebooted and clean installed and everything is hunky dory; ENS shows as the running provider and up to date. Debug logging is NOT enabled.

On another test laptop I simply ran the removal tool and did a clean install, then enabled debug logging and ENS is reporting it is the running provider. 

On two other laptops I simply did an update install over what was already installed; one has debugging enabled and the other does not. While the one that does NOT have debugging enabled still does NOT report properly, the one that does has now, after about 10 minutes, started reporting ENS is running and up to date. I am not sure how stable that result is, and still it seems pretty erratic. Debug enabled shouldn't have to be the weird fix for this issue, but if it works it works and keeps from having to run the removal tool and script.

Michael

Re: W10, 1903, German, ENS 10.6 OCTOBER installed, WMI Report as wished

@chealey, I think there's still an issue... based on what @meanoldmanning posted, and my own experience, the "update" seems to add an additional AV provider.  Regardless of productState, ENS shouldn't be registered more than once in WMI.

Then, if you were lucky enough to have your productState set to 397312 in the previous AV provider entry, it seems it would stay that way forever.  In cases like mine and @SWISS , since both entries indicate 397312, it appears to be "working." 

But this presents another problem... if ENS is ever out of date or on-access scanning is OFF, WSC may continue to get bad results from WMI and improperly report that ENS is ON and up to date and therefore leave WDA off, leaving a computer completely unprotected, which IMHO, is worse than both running and double protection.

Please advise development that ENS should not add duplicate providers AND should have logic to remove duplicate providers.

In my specific cases, the ENS "update" to October release appears to "update" (as in crUd) the one existing ENS provider in WMI (since the timestamp is updated).  Then, after a reboot, ENS creates another provider.  On one of my computers, timestamps are ~10 minutes apart... the time between the update completion, me noticing, and me rebooting...

Re: W10, 1903, German, ENS 10.6 OCTOBER installed, WMI Report as wished

To test my theory, I manually turned On-Access scan off (between policy enforcements).  Windows immediately indicated that both AV were off, and WMI indicates:


__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-F2FAB48962E3}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DEL7810-0219
__NAMESPACE : ROOT\securitycenter2
__PATH : \\DEL7810-0219\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-
F2FAB48962E3}"
displayName : McAfee Endpoint Security
instanceGuid : {1006DC03-1FB1-9E52-7C81-F2FAB48962E3}
pathToSignedProductExe : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState : 397312
timestamp : Wed, 09 Oct 2019 12:29:36 GMT
PSComputerName : DEL7810-0219

__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DEL7810-0219
__NAMESPACE : ROOT\securitycenter2
__PATH : \\DEL7810-0219\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-
DA132C1ACF46}"
displayName : Windows Defender
instanceGuid : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState : 393472
timestamp : Tue, 01 Oct 2019 11:56:37 GMT
PSComputerName : DEL7810-0219

__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DEL7810-0219
__NAMESPACE : ROOT\securitycenter2
__PATH : \\DEL7810-0219\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-
9F9927D6940F}"
displayName : McAfee Endpoint Security
instanceGuid : {A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}
pathToSignedProductExe : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState : 401408
timestamp : Wed, 09 Oct 2019 15:38:06 GMT
PSComputerName : DEL7810-0219


One of the ENS entries has an updated productState, and the timestamp seems to be set to when the productState changed.

When I turn on-access scanning back on, WSC again reports ENS is running properly and productState has switched back to 397312.

This leaves my theory inconclusive... Windows could be sorting WMI results by timestamp desc, OR, may be looking at a specific entry, the entry with instance ID A37DD4B2-BDFF-70DA-DE19-9F9927D6940F in my case.
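
The duplicate-registration check discussed in the posts above, as an added example that is not part of the original thread or any McAfee or Microsoft tooling. The function names are hypothetical, and the bit masks (0x1000 for on-access scanning, 0x10 for outdated definitions) are an assumption inferred from the productState values listed in this thread, since Microsoft does not document the layout.

```powershell
# Added example. Bit masks are an assumption inferred from the productState
# values listed in this thread; Microsoft does not document the layout.
function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][uint32]$ProductState)
    [pscustomobject]@{
        Hex          = '0x{0:X6}' -f $ProductState
        OnAccessOn   = [bool]($ProductState -band 0x1000)      # set in 266240, 397312
        DefsUpToDate = -not [bool]($ProductState -band 0x10)   # 0x10 set in 262160, 397328
    }
}

# Group SecurityCenter2 AntiVirusProduct entries by displayName and flag
# products registered more than once or whose registrations disagree.
function Test-AvProviderConsistency {
    param([Parameter(Mandatory)][object[]]$Provider)
    $Provider | Group-Object -Property displayName | ForEach-Object {
        $entries = foreach ($p in $_.Group) {
            $s = ConvertFrom-ProductState -ProductState $p.productState
            [pscustomobject]@{
                instanceGuid = $p.instanceGuid
                productState = $p.productState
                Hex          = $s.Hex
                OnAccessOn   = $s.OnAccessOn
                DefsUpToDate = $s.DefsUpToDate
            }
        }
        [pscustomobject]@{
            displayName    = $_.Name
            Registrations  = $_.Count
            Duplicate      = $_.Count -gt 1
            StatesDisagree = @($entries.productState | Sort-Object -Unique).Count -gt 1
            Entries        = $entries
        }
    }
}

# Sample input: the three entries from the WMI output posted above.
$sample = @(
    [pscustomobject]@{ displayName = 'McAfee Endpoint Security'; productState = 397312
        instanceGuid = '{1006DC03-1FB1-9E52-7C81-F2FAB48962E3}' }
    [pscustomobject]@{ displayName = 'Windows Defender'; productState = 393472
        instanceGuid = '{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}' }
    [pscustomobject]@{ displayName = 'McAfee Endpoint Security'; productState = 401408
        instanceGuid = '{A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}' }
)
$report = Test-AvProviderConsistency -Provider $sample
$report | Format-Table displayName, Registrations, Duplicate, StatesDisagree
$report.Entries | Format-Table instanceGuid, productState, Hex, OnAccessOn, DefsUpToDate
# Live query: Test-AvProviderConsistency -Provider (Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiVirusProduct)
```

A product flagged with both Duplicate and StatesDisagree is the case raised in this thread, where one registration can report on-access scanning as ON while another reports it as OFF.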

Re: W10, 1903, German, ENS 10.6 OCTOBER installed, WMI Report as wished

Well, that was short-lived success. On the system where I ran the removal tool and the script and DO NOT have debug logging enabled, I rebooted again and now it isn't reporting correctly. So at least in my case, debug logging has to be enabled or reporting doesn't work properly.

Michael