Re: W10, 1903, German, ENS 10.6 OCTOBER installed, WMI Report as wished

@chealey, I think there's still an issue... based on what @meanoldmanning posted, and my own experience, the "update" seems to add an additional AV provider.  Regardless of productState, ENS shouldn't be registered more than once in WMI.

Then, if you were lucky enough to have your productState set to 397312 in the previous AV provider entry, it seems it would stay that way forever.  In cases like mine and @SWISS, since both entries indicate 397312, it appears to be "working."

But this presents another problem... if ENS is ever out of date or on-access scanning is OFF, WSC may continue to get bad results from WMI and improperly report that ENS is ON and up to date and therefore leave WDA off, leaving a computer completely unprotected, which IMHO, is worse than both running and double protection.

Please advise development that ENS should not add duplicate providers AND should have logic to remove duplicate providers.

In my specific cases, the ENS "update" to October release appears to "update" (as in crUd) the one existing ENS provider in WMI (since the timestamp is updated).  Then, after a reboot, ENS creates another provider.  On one of my computers, timestamps are ~10 minutes apart... the time between the update completion, me noticing, and me rebooting...

Re: W10, 1903, German, ENS 10.6 OCTOBER installed, WMI Report as wished

To test my theory, I manually turned On-Access scan off (between policy enforcements).  Windows immediately indicated that both AV were off, and WMI indicates:


__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-F2FAB48962E3}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DEL7810-0219
__NAMESPACE : ROOT\securitycenter2
__PATH : \\DEL7810-0219\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-
F2FAB48962E3}"
displayName : McAfee Endpoint Security
instanceGuid : {1006DC03-1FB1-9E52-7C81-F2FAB48962E3}
pathToSignedProductExe : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState : 397312
timestamp : Wed, 09 Oct 2019 12:29:36 GMT
PSComputerName : DEL7810-0219

__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DEL7810-0219
__NAMESPACE : ROOT\securitycenter2
__PATH : \\DEL7810-0219\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-
DA132C1ACF46}"
displayName : Windows Defender
instanceGuid : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState : 393472
timestamp : Tue, 01 Oct 2019 11:56:37 GMT
PSComputerName : DEL7810-0219

__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DEL7810-0219
__NAMESPACE : ROOT\securitycenter2
__PATH : \\DEL7810-0219\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-
9F9927D6940F}"
displayName : McAfee Endpoint Security
instanceGuid : {A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}
pathToSignedProductExe : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState : 401408
timestamp : Wed, 09 Oct 2019 15:38:06 GMT
PSComputerName : DEL7810-0219


One of the ENS entries has an updated productState, and the timestamp seems to be set to when the productState changed.

When I turn on-access scanning back on, WSC again reports ENS is running properly and productState has switched back to 397312.

This leaves my theory inconclusive... Windows could be sorting WMI results by timestamp desc, OR, may be looking at a specific entry, the entry with instance ID A37DD4B2-BDFF-70DA-DE19-9F9927D6940F in my case.
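
A check for the duplicate-provider condition discussed in the posts above, as an added example that is not part of the thread or of any McAfee tooling: it groups the AntiVirusProduct instances by displayName and lists each duplicate, newest first, with a flag for whether the duplicates agree on productState. The function name is hypothetical, and the sample rows reuse the values from the WMI output quoted above.

```powershell
# Added example (not from the thread). Get-DuplicateAvProvider is a hypothetical name.
function Get-DuplicateAvProvider {
    param(
        # Objects exposing displayName, instanceGuid, productState and timestamp
        [Parameter(Mandatory)] [object[]] $Provider
    )

    $Provider | Group-Object -Property displayName |
        Where-Object { $_.Count -gt 1 } |              # same product registered more than once
        ForEach-Object {
            $group  = $_
            $states = @($group.Group | Select-Object -ExpandProperty productState -Unique)
            $group.Group |
                # timestamp is an RFC 1123 string, e.g. "Wed, 09 Oct 2019 15:38:06 GMT"
                Sort-Object { [datetime]::ParseExact($_.timestamp, 'r', [cultureinfo]::InvariantCulture) } -Descending |
                ForEach-Object {
                    [pscustomobject]@{
                        DisplayName  = $group.Name
                        InstanceGuid = $_.instanceGuid
                        ProductState = [int]$_.productState
                        StateHex     = '0x{0:X6}' -f [int]$_.productState
                        Timestamp    = $_.timestamp
                        StatesAgree  = ($states.Count -eq 1)   # False: duplicates report different states
                    }
                }
        }
}

# Sample rows: values copied from the WMI output in the post above.
$sample = @(
    [pscustomobject]@{ displayName = 'McAfee Endpoint Security'; instanceGuid = '{1006DC03-1FB1-9E52-7C81-F2FAB48962E3}'
                       productState = 397312; timestamp = 'Wed, 09 Oct 2019 12:29:36 GMT' }
    [pscustomobject]@{ displayName = 'Windows Defender'; instanceGuid = '{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}'
                       productState = 393472; timestamp = 'Tue, 01 Oct 2019 11:56:37 GMT' }
    [pscustomobject]@{ displayName = 'McAfee Endpoint Security'; instanceGuid = '{A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}'
                       productState = 401408; timestamp = 'Wed, 09 Oct 2019 15:38:06 GMT' }
)
Get-DuplicateAvProvider -Provider $sample | Format-Table -AutoSize

# Against a live Windows client, pass the real instances instead of the sample:
# Get-DuplicateAvProvider -Provider (Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct)
```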

Re: W10, 1903, German, ENS 10.6 OCTOBER installed, WMI Report as wished

Well, that was short-lived success. On the system where I ran the removal tool and the script and DO NOT have debug logging enabled I rebooted again and now it isn't reporting correctly. So at least in my case debug logging has to be enabled or reporting doesn't work properly.

Michael

Re: W10, 1903, German, ENS 10.6 OCTOBER installed, WMI Report as wished

I attempted to trace WMI to find out what's going on...

Here's one of my ENS providers in WMI to recap:

__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DEL7810-0219
__NAMESPACE : ROOT\securitycenter2
__PATH : \\DEL7810-0219\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-
9F9927D6940F}"
displayName : McAfee Endpoint Security
instanceGuid : {A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}
pathToSignedProductExe : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState : 397312
timestamp : Wed, 09 Oct 2019 15:38:58 GMT
PSComputerName : DEL7810-0219

It looks like when I turn On-Access Scan off, WMI is updated for my ENS instance with a specific instance guid:

Performing Update operation on the WMI repository. OperationID = 1194; Operation = AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}"; Flags = 0

And when I turn On-Access scan back on, same thing:

Performing Update operation on the WMI repository. OperationID = 1194; Operation = AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}"; Flags = 0

So it would appear McAfee is updating a specific instance of ENS.  The other part of the equation is, which ENS instance is WSC looking at... WMI trace doesn't seem to show this.

kylekat (Reliable Contributor), Message 135 of 259

Re: Windows Defender problem reported by MICROSOFT

@chealey 

Just deployed the October update on my system and as far as I can tell, the behaviour observed when I opened this topic in the community forum remains exactly the same:

[Screenshot: Annotation 2019-10-09 101006.png]

Re: Windows Defender problem reported by MICROSOFT

@kylekat, curious about your PowerShell output?  Would you mind running


Get-WmiObject -namespace "root\securitycenter2" -class "antivirusproduct"

?

kylekat (Reliable Contributor), Message 137 of 259

Re: Windows Defender problem reported by MICROSOFT

@billmoller 

Not sure if I skewed the results of the output by manually turning ON McAfee from the Windows Security Center. Here is the output though:

[Screenshot: Annotation 2019-10-09 111950.png]

Re: Windows Defender problem reported by MICROSOFT

@kylekat, the results may be skewed... you may want to try a reboot, wait 3-5 minutes for the PC to settle down, and run the command again, checking for the magic productState 397312.

In your posting, it looks like both of your now duplicate ENS providers (uggh)... show 397312, but that could be because you turned one on via WSC.

Other than that, your screenshot currently looks like how mine currently looks, both ENS with 397312 and WDA with 393472.  Is WSC/WDA currently working as intended?  Except you had to manually turn ENS on in WSC (even though it was likely already on)?

kylekat (Reliable Contributor), Message 139 of 259

Re: Windows Defender problem reported by MICROSOFT

@billmoller 

Rebooted, and again ENS is detected as OFF even though it's enabled in ENS console:

This time, I didn't hit "Turn On"

[Screenshot: Annotation 2019-10-09 114904.png]

Re: W10, 1903, German, ENS 10.6 OCTOBER installed, WMI Report as wished

It's pretty clear the October Update isn't the fix it is supposed to be. Each scenario I have tried winds up requiring debug logging to be enabled.

For testing purposes, if your system is managed by ePO you'll either need to remove it from such or create a test policy under Endpoint Security Common > Options that enables Debug Logging. Then in ePO for the test machine break inheritance to the current policy (my default maybe) and assign the test policy to it.

Michael