cancel
Showing results for 
Search instead for 
Did you mean: 
JayMan
Level 10
Report Inappropriate Content
Message 151 of 316

Re: Windows Defender problem reported by MICROSOFT

Jump to solution

Perhaps the POC fix was only tested on 1903 users & not those on 1809 reporting the issue? (Since we were told earlier in the thread it was only an issue with 1903)

Had a remote support session today under my new case number (4-20380411771) and repeated all the same checks. Support rep said it's only a cosmetic issue, which I pointed out it's really not since Defender is actually running & scanning along with ENS.

 

Re: Windows Defender problem reported by MICROSOFT

Jump to solution

@chealey, I tried to re-open my support case on the McAfee website, but it indicates:


This Service Request is closed.

To reopen this Service Request, please contact your McAfee support technician.


So, following the instructions, I reply to any email sent to me by my support technician, and immediately receive an auto-response email indicating:


This is a system-generated message in response to your email about SR # <4-20058973171>. This service request is currently closed and this e-mail is not being monitored.
Please do not reply to this email.

So... I had to create a new SR 4-20381580551 which exists only to tell McAfee to re-open SR 4-20058973171.

Perhaps the re-opening SR process could be reviewed as well...

JayMan
Level 10
Report Inappropriate Content
Message 153 of 316

Re: Windows Defender problem reported by MICROSOFT

Jump to solution

I had the same 'unmonitored' reply... So create a new case... Then later got an email saying 'we've received your request to open the case, so we have now loaded a new case for you...

 

So although it says it's unmonitored, clearly it's not completely true hah

McAfee Employee chealey
McAfee Employee
Report Inappropriate Content
Message 154 of 316

Re: Windows Defender problem reported by MICROSOFT

Jump to solution

@billmoller I've reopened your old case. Please upload the originally requested data to your old SR so we can re-engage engineering. 

Upon closure of a case, the emails are no longer monitored however some do get through and are picked up. As a general policy we advise that customers should call to reopen a case or as you've done, you can raise a new SR, asking for the old one to be reopened.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

Re: Windows Defender problem reported by MICROSOFT

Jump to solution

@billmoller  Just out of curiosity if your systems are managed by ePO change the policy under Endpoint Security Common > Options  that applies to your test computers so that debug logging is enabled. If you change the setting locally and not in that ePO policy then a policy refresh will set it back to whatever is defined in the ePO policy. 

Now, all that said, debug logging still should not be the fix. 

Michael
Highlighted

Re: Windows Defender problem reported by MICROSOFT

Jump to solution

@meanoldmanning, I've been able to force productState to 397312 in the past by turning debug logging on, but even then, after an update, it would eventually go back to 393232...

Just after reading your post, and before I was about to enable debug logging again, I checked the productState.

After doing literally nothing this morning (except letting an ASCI interval naturally pass/process by checking agent log), the productState changed from 393232 (BAD) to 397312 (GOOD), and it's "working" now...

I'm in the middle of a long operation, and will attempt a reboot soon.

Re: Windows Defender problem reported by MICROSOFT

Jump to solution

Pretty frustrating, huh? I'm waiting for the fellow assigned to my case to reply to my updates on my ticket about what I have found so far. As I have stated above, I have tried a few different scenarios so far on 4 different laptops and all have wound up needing to have debug logging enabled eventually to appear to function correctly.

Michael

Re: Windows Defender problem reported by MICROSOFT

Jump to solution

Oh boy! 4 AV products listed! Now ENS is listed 3 times!

This is on a test computer that had the PoC installed then had the October Update installed over the top of it, so no telling what kind of a mess this system is

PS K:\> get-wmiobject -namespace "root\securitycenter2" -class "antivirusproduct"

__GENUS                  : 2
__CLASS                  : AntiVirusProduct
__SUPERCLASS             :
__DYNASTY                : AntiVirusProduct
__RELPATH                : AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-F2FAB48962E3}"
__PROPERTY_COUNT         : 6
__DERIVATION             : {}
__SERVER                 : PC----P
__NAMESPACE              : ROOT\securitycenter2
__PATH                   : \\PC----P\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-F2FAB
                           48962E3}"
displayName              : McAfee Endpoint Security
instanceGuid             : {1006DC03-1FB1-9E52-7C81-F2FAB48962E3}
pathToSignedProductExe   : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState             : 397312
timestamp                : Tue, 08 Oct 2019 18:10:27 GMT
PSComputerName           : PC----P
__GENUS                  : 2
__CLASS                  : AntiVirusProduct
__SUPERCLASS             :
__DYNASTY                : AntiVirusProduct
__RELPATH                : AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
__PROPERTY_COUNT         : 6
__DERIVATION             : {}
__SERVER                 : PC----P
__NAMESPACE              : ROOT\securitycenter2
__PATH                   : \\PC----P\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132
                           C1ACF46}"
displayName              : Windows Defender
instanceGuid             : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe   : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState             : 393472
timestamp                : Wed, 09 Oct 2019 15:22:44 GMT
PSComputerName           : PC----P
__GENUS                  : 2
__CLASS                  : AntiVirusProduct
__SUPERCLASS             :
__DYNASTY                : AntiVirusProduct
__RELPATH                : AntiVirusProduct.instanceGuid="{9D4501E6-72F6-2877-C789-89AF6F535B2C}"
__PROPERTY_COUNT         : 6
__DERIVATION             : {}
__SERVER                 : PC----P
__NAMESPACE              : ROOT\securitycenter2
__PATH                   : \\PC----P\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{9D4501E6-72F6-2877-C789-89AF6
                           F535B2C}"
displayName              : McAfee Endpoint Security
instanceGuid             : {9D4501E6-72F6-2877-C789-89AF6F535B2C}
pathToSignedProductExe   : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState             : 397312
timestamp                : Tue, 03 Sep 2019 16:53:33 GMT
PSComputerName           : PC----P
__GENUS                  : 2
__CLASS                  : AntiVirusProduct
__SUPERCLASS             :
__DYNASTY                : AntiVirusProduct
__RELPATH                : AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}"
__PROPERTY_COUNT         : 6
__DERIVATION             : {}
__SERVER                 : PC----P
__NAMESPACE              : ROOT\securitycenter2
__PATH                   : \\PC----P\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-9F992
                           7D6940F}"
displayName              : McAfee Endpoint Security
instanceGuid             : {A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}
pathToSignedProductExe   : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState             : 397312
timestamp                : Thu, 10 Oct 2019 14:09:57 GMT
PSComputerName           : PC----P
Michael

Re: Windows Defender problem reported by MICROSOFT

Jump to solution
  • productState was 397312 (GOOD)
  • I rebooted
  • productState still 397312 (GOOD)
  • within 3 minutes, productState is changed to 393232 (BAD)
  • Issue returns...

I'm fairly certain that ENS is setting the productState (and WSC is getting the productState), therefore... ENS is improperly reporting that it is off and out of date and WSC is properly starting WDA in its place...

What a cluster...

 

Re: Windows Defender problem reported by MICROSOFT

Jump to solution

@billmoller 

When it switches back to 393232 if you look at the Settings > Common > Advanced is Debug Logging still enabled or has it toggled back off? Or had you not enabled it to begin with?

Michael
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community