
Re: W10, 1903, German, ENS 10.6 OCTOBER installed, WMI Report as wished


@billmoller On one laptop I ran the removal tool and the script which cleared the providers, then rebooted and clean installed and everything is hunky dory; ENS shows as the running provider and up to date. Debug logging is NOT enabled.

On another test laptop I simply ran the removal tool and did a clean install, then enabled debug logging and ENS is reporting it is the running provider. 

On two other laptops I simply did an update install over what was already installed; one has debugging enabled and the other does not. While the one that does NOT have debugging enabled still does NOT report properly, the one that does has now, after about 10 minutes, started reporting ENS is running and up to date. I am not sure how stable that result is, and still it seems pretty erratic. Debug enabled shouldn't have to be the weird fix for this issue, but if it works it works and keeps from having to run the removal tool and script.

Michael

Re: W10, 1903, German, ENS 10.6 OCTOBER installed, WMI Report as wished


@chealey, I think there's still an issue... based on what @meanoldmanning posted, and my own experience, the "update" seems to add an additional AV provider.  Regardless of productState, ENS shouldn't be registered more than once in WMI.

Then, if you were lucky enough to have your productState set to 397312 in the previous AV provider entry, it seems it would stay that way forever. In cases like mine and @SWISS, since both entries indicate 397312, it appears to be "working."

But this presents another problem... if ENS is ever out of date or on-access scanning is OFF, WSC may continue to get bad results from WMI and improperly report that ENS is ON and up to date and therefore leave WDA off, leaving a computer completely unprotected, which IMHO, is worse than both running and double protection.

Please advise development that ENS should not add duplicate providers AND should have logic to remove duplicate providers.

In my specific cases, the ENS "update" to October release appears to "update" (as in crUd) the one existing ENS provider in WMI (since the timestamp is updated).  Then, after a reboot, ENS creates another provider.  On one of my computers, timestamps are ~10 minutes apart... the time between the update completion, me noticing, and me rebooting...


Re: W10, 1903, German, ENS 10.6 OCTOBER installed, WMI Report as wished


To test my theory, I manually turned On-Access scan off (between policy enforcements).  Windows immediately indicated that both AV were off, and WMI indicates:


__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-F2FAB48962E3}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DEL7810-0219
__NAMESPACE : ROOT\securitycenter2
__PATH : \\DEL7810-0219\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-
F2FAB48962E3}"
displayName : McAfee Endpoint Security
instanceGuid : {1006DC03-1FB1-9E52-7C81-F2FAB48962E3}
pathToSignedProductExe : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState : 397312
timestamp : Wed, 09 Oct 2019 12:29:36 GMT
PSComputerName : DEL7810-0219

__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DEL7810-0219
__NAMESPACE : ROOT\securitycenter2
__PATH : \\DEL7810-0219\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-
DA132C1ACF46}"
displayName : Windows Defender
instanceGuid : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState : 393472
timestamp : Tue, 01 Oct 2019 11:56:37 GMT
PSComputerName : DEL7810-0219

__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DEL7810-0219
__NAMESPACE : ROOT\securitycenter2
__PATH : \\DEL7810-0219\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-
9F9927D6940F}"
displayName : McAfee Endpoint Security
instanceGuid : {A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}
pathToSignedProductExe : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState : 401408
timestamp : Wed, 09 Oct 2019 15:38:06 GMT
PSComputerName : DEL7810-0219


One of the ENS entries has an updated productState, and the timestamp seems to be set to when the productState changed.

When I turn on-access scanning back on, WSC again reports ENS is running properly and productState has switched back to 397312.

This leaves my theory inconclusive... Windows could be sorting WMI results by timestamp desc, OR, may be looking at a specific entry, the entry with instance ID A37DD4B2-BDFF-70DA-DE19-9F9927D6940F in my case.
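
The duplicate-registration condition described in the posts above can be checked with a short script. This is an added example, not part of the thread or of any McAfee tooling; `Find-DuplicateAvProvider` is a hypothetical name, and treating instances that share a displayName as the same product is an assumption.

```powershell
# Added example, not from the thread. The rows copy displayName, instanceGuid,
# productState and timestamp from the three instances quoted above.
$sample = @(
    [pscustomobject]@{ displayName = 'McAfee Endpoint Security'
        instanceGuid = '{1006DC03-1FB1-9E52-7C81-F2FAB48962E3}'
        productState = 397312; timestamp = 'Wed, 09 Oct 2019 12:29:36 GMT' }
    [pscustomobject]@{ displayName = 'Windows Defender'
        instanceGuid = '{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}'
        productState = 393472; timestamp = 'Tue, 01 Oct 2019 11:56:37 GMT' }
    [pscustomobject]@{ displayName = 'McAfee Endpoint Security'
        instanceGuid = '{A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}'
        productState = 401408; timestamp = 'Wed, 09 Oct 2019 15:38:06 GMT' }
)

# Hypothetical helper: reports every product registered more than once,
# whether the copies agree on productState, and which copy changed last.
function Find-DuplicateAvProvider {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [object[]] $Provider)
    begin   { $all = [System.Collections.Generic.List[object]]::new() }
    process { foreach ($p in $Provider) { $all.Add($p) } }
    end {
        $all | Group-Object -Property displayName |
            Where-Object Count -gt 1 | ForEach-Object {
                $g = $_
                # Timestamps are RFC 1123 strings, so parse before sorting.
                $rows = @($g.Group | Sort-Object -Descending -Property {
                    [datetime]::ParseExact($_.timestamp, 'r',
                        [cultureinfo]::InvariantCulture) })
                $states = @($rows.productState | Sort-Object -Unique)
                [pscustomobject]@{
                    DisplayName = $g.Name
                    Instances   = $g.Count
                    StatesAgree = ($states.Count -eq 1)
                    StatesHex   = ($rows | ForEach-Object {
                        '0x{0:X6}' -f [int]$_.productState }) -join ', '
                    NewestGuid  = $rows[0].instanceGuid
                    StaleGuids  = @($rows | Select-Object -Skip 1).instanceGuid
                }
            }
    }
}

# Offline run against the rows quoted in the thread:
$sample | Find-DuplicateAvProvider | Format-List

# On a live endpoint, feed it the same class the thread queries:
# Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
#     Find-DuplicateAvProvider
```

A result with `StatesAgree` false means the duplicate entries disagree about the product's state, which is the situation the thread worries WSC may resolve from the wrong entry.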


Re: W10, 1903, German, ENS 10.6 OCTOBER installed, WMI Report as wished


Well, that was short-lived success. On the system where I ran the removal tool and the script and DO NOT have debug logging enabled, I rebooted again and now it isn't reporting correctly. So at least in my case debug logging has to be enabled or reporting doesn't work properly.

Michael

Re: W10, 1903, German, ENS 10.6 OCTOBER installed, WMI Report as wished


I attempted to trace WMI to find out what's going on...

Here's one of my ENS providers in WMI to recap:

__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DEL7810-0219
__NAMESPACE : ROOT\securitycenter2
__PATH : \\DEL7810-0219\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-
9F9927D6940F}"
displayName : McAfee Endpoint Security
instanceGuid : {A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}
pathToSignedProductExe : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState : 397312
timestamp : Wed, 09 Oct 2019 15:38:58 GMT
PSComputerName : DEL7810-0219

It looks like when I turn On-Access Scan off, WMI is updated for my ENS instance with a specific instance guid:

Performing Update operation on the WMI repository. OperationID = 1194; Operation = AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}"; Flags = 0

And when I turn On-Access scan back on, same thing:

Performing Update operation on the WMI repository. OperationID = 1194; Operation = AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}"; Flags = 0

 

So it would appear McAfee is updating a specific instance of ENS.  The other part of the equation is, which ENS instance is WSC looking at... WMI trace doesn't seem to show this.

Message 136 of 332

Re: Windows Defender problem reported by MICROSOFT


@chealey 

Just deployed the October update on my system and as far as I can tell, the behaviour observed when I opened this topic in the community forum remains exactly the same:

Annotation 2019-10-09 101006.png


Re: Windows Defender problem reported by MICROSOFT


@kylekat, curious about your PowerShell output?  Would you mind running


Get-WmiObject -namespace "root\securitycenter2" -class "antivirusproduct"

?

Message 138 of 332

Re: Windows Defender problem reported by MICROSOFT


@billmoller 

Not sure if I skewed the results of the output by manually turning ON McAfee from the Windows Security Center. Here is the output tho:

Annotation 2019-10-09 111950.png


Re: Windows Defender problem reported by MICROSOFT


@kylekat, the results may be skewed... you may want to try a reboot, wait 3-5 minutes for the PC to settle down, and run the command again, checking for the magic productState 397312.

In your posting, it looks like both of your now duplicate ENS providers (uggh)... show 397312, but that could be because you turned one on via WSC.

Other than that, your screenshot currently looks like how mine currently looks, both ENS with 397312 and WDA with 393472.  Is WSC/WDA currently working as intended?  Except you had to manually turn ENS on in WSC (even though it was likely already on)?

Message 140 of 332

Re: Windows Defender problem reported by MICROSOFT


@billmoller 

Rebooted, and again ENS is detected as OFF even though it's enabled in ENS console:

This time, I didn't hit "Turn On"

Annotation 2019-10-09 114904.png
