cancel
Showing results for 
Search instead for 
Did you mean: 

Re: W10, 1903, German, ENS 10.6 OCTOBER installed, WMI Report as wished

I attempted to trace WMI to find out what's going on...

Here's one of my ENS providers in WMI to recap:

__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DEL7810-0219
__NAMESPACE : ROOT\securitycenter2
__PATH : \\DEL7810-0219\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-
9F9927D6940F}"
displayName : McAfee Endpoint Security
instanceGuid : {A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}
pathToSignedProductExe : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState : 397312
timestamp : Wed, 09 Oct 2019 15:38:58 GMT
PSComputerName : DEL7810-0219

It looks like when I turn On-Access Scan off, WMI is updated for my ENS instance with a specific instance guid:

Performing Update operation on the WMI repository. OperationID = 1194; Operation = AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}"; Flags = 0

And when I turn On-Access scan back on, same thing:

Performing Update operation on the WMI repository. OperationID = 1194; Operation = AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}"; Flags = 0

 

So it would appear McAfee is updating a specific instance of ENS.  The other part of the equation is, which ENS instance is WSC looking at... WMI trace doesn't seem to show this.

Reliable Contributor kylekat
Reliable Contributor
Report Inappropriate Content
Message 132 of 167

Re: Windows Defender problem reported by MICROSOFT

@chealey 

Just deployed the October update on my system and as far as i can tell, the behaviour observed when I open this topic in the community forum remains exactly the same:

Annotation 2019-10-09 101006.png

Re: Windows Defender problem reported by MICROSOFT

@kylekat, curious about your powershell output?  Would you mind running


Get-WmiObject -namespace "root\securitycenter2" -class "antivirusproduct"

?

Reliable Contributor kylekat
Reliable Contributor
Report Inappropriate Content
Message 134 of 167

Re: Windows Defender problem reported by MICROSOFT

@billmoller 

Not sure if I skewed the results of the output by manually turning ON mcafee from the windows security center. Here is the output tho:

Annotation 2019-10-09 111950.png

Re: Windows Defender problem reported by MICROSOFT

@kylekat,the results may be skewed... you may want to try a reboot, wait 3-5 minutes for the PC to settle down, and run the command again, checking for the magic productState 397312.

In your posting, it looks like both of your now duplicate ENS providers (uggh)... show 397312, but that could be because you turned one on via WSC.

Other than that, your screen shot currently looks like how mine currently looks, both ENS with 397312 and WDA with 393472.  Is WSC/WDA currently working as intended?  Except you had to manually turn ENS on in WSC (even though it was likely already on)?

Reliable Contributor kylekat
Reliable Contributor
Report Inappropriate Content
Message 136 of 167

Re: Windows Defender problem reported by MICROSOFT

@billmoller 

Rebooted, and again ENS is detected as OFF even though its enabled in ENS console:

This time, i didnt hit "Turn On"

Annotation 2019-10-09 114904.png

Re: W10, 1903, German, ENS 10.6 OCTOBER installed, WMI Report as wished

It's pretty clear the October Update isn't the fix it is supposed to be. Each scenario I have tried winds up requiring debug logging to be enabled.

For testing purposed, if your system is managed by ePO you'll either need to remove it from such or create a test policy under Endpoint Security Common > Options that enables Debug Logging. Then in ePO for the test machine break inheritance to the current policy (my default maybe) and assign the test policy to it. 

Michael

Re: Windows Defender problem reported by MICROSOFT

@kylekatso yeah, it looks like your "newer" ENS entry is 393232, in other words, "off and out of date..."

So it's like you're right back to where you started... as the OP, no progress for you...

If you're brave enough, I'd clear the AV classes from WMI using the VB script I mentioned previously, let WDA and ENS re-register, and see if your issue is resolved.

@chealey, this issue is definitely not resolved.  Even if my suggestion above works, enterprise IT managers can't be expected to go to every client endpoint and run random VB scripts to clean up McAfee's mess...

anti8.PNG

Re: Windows Defender problem reported by MICROSOFT

Shot myself in the food trying to clean my AV providers in WMI to get rid of the duplicate...

ENS and WDA both re-registered upon reboot (and no duplicates), but ENS is now 393232 even though it's on and up to date...

Entire issue has returned... wiping all McAfee out of this computer and starting over...

Highlighted

Re: Windows Defender problem reported by MICROSOFT

Definitely still broken...

  • Wiped McAfee (all ENS and Agent) from my computer with Endpoint Removal Tool
  • cleared AV providers in WMI
  • Rebooted, WSC/WDA start like normal, everything is fine without McAfee
  • Reinstalled McAfee Agent
  • Reinstalled ENS
  • 2 AV providers registered
  • ENS productState = 397328 (On-Access scanning ON, but NOT up to date)
  • Forced an update
  • ENS productState = 397312 (On-Access scanning ON, up to date)
  • All was working peacefully and coexisting
  • ...Rebooted...
  • ~3 minutes after computer boots, ENS AV object is updated to productState = 393232 (On-Access Scan OFF, NOT UP TO DATE)
  • Still just the 2 AV providers
  • Forced another ENS update, no change

WSC/WDA & ENS coexistence completely broken again.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community