The fix will not require a clean install 🙂 A POC (Proof of concept) build on the other hand needs to be installed in a specific way hence the instructions provided by support when you are given the POC.
A bunch of updates just showed up as available in Software Manager on ePO. I'm going to clean install on one laptop and update on another and see how it goes
@chealeycan we confirm if the new releases address the issue discussed on this topic?
Endpoint Security Platform10.6.1.1724.1
Endpoint Security Threat Prevention10.6.1.1777.1
Went through the release notes and I don't think there is a mention on it.
@chealey, please advise... "if the new releases address the issue discussed on this topic?"
I/we can't wait another release cycle during which our users are confusingly notified that anti-virus isn't working or is turned off...
Neither install scenario (clean or update) resolves the issue with the new versions pushed to the software manager. The reporting error remains. I kind of assumed this would be the case since I wasn't advised to run these updates by the fellow assigned to my ticket.
@chealey, @meanoldmanning has indicted the issue still isn't fixed. I believe you told us it would be fixed in the next release, "This issue will be addressed in the next release of the product which is targeted for October." Also, my support case indicates,
Resolution: The issue is fixed now and will be targeted in the next release of ENS version
And that was prior to THIS release............... So................. umm.................... ::biting tongue trying to stay civil::
OK, after sitting for a couple hours now the laptop that had a clean install is still reporting that McAfee is OFF and Windows Defender is ON. However, the laptop that had McAfee 'updated' to the new versions now has switched to McAfee reporting it is ON and Windows Defender is OFF. Weird.
EDIT - and now 40 minutes or so later the laptop on which I did a clean install suddenly is reporting properly. Both the laptops had run an update around the same time so I'm not sure there was a content update that triggered either one to turn on.
EDIT 2 - Rebooting causing the reporting issue to return, at least short term. I'm not sure how quickly is clears up, but maybe 10 minutes after rebooting it still reports McAfee is OFF
@meanoldmanning Thanks for the investigative work. Just curious, did you implement the "debug logging" workaround? I did, and it seems to work most of the time, but when ENS updates (a daily task), I think AMCore, it returns to McAfee is off...
No, not on the test machines, I wanted to see if the updates corrected the issue on their own. However, I did implement it on the computer I use daily. It was weird in that after implementing it WSC would report correctly until I restarted windows, which I think you experienced too? But if I waited for several minutes (hour?) it would switch back to reporting correctly.
By the way, after sitting for more than an hour now after being rebooted the two test machines have NOT switched back to reporting correctly
@meanoldmanning, what does the output of
get-wmiobject -namespace "root\securitycenter2" -class "antivirusproduct"
show? I guess, more specifically, the "productState"
On mine, it's currently:
__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-F2FAB48962E3}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DEL7810-0219
__NAMESPACE : ROOT\securitycenter2
__PATH : \\DEL7810-0219\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-
F2FAB48962E3}"
displayName : McAfee Endpoint Security
instanceGuid : {1006DC03-1FB1-9E52-7C81-F2FAB48962E3}
pathToSignedProductExe : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState : 393232
timestamp : Tue, 08 Oct 2019 12:33:32 GMT
PSComputerName : DEL7810-0219__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DEL7810-0219
__NAMESPACE : ROOT\securitycenter2
__PATH : \\DEL7810-0219\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-
DA132C1ACF46}"
displayName : Windows Defender
instanceGuid : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState : 393472
timestamp : Tue, 01 Oct 2019 11:56:37 GMT
PSComputerName : DEL7810-0219
And I think we determined previously that the issue was related to how WSC is interpreting the productState. If yours is still showing 393232 (and one assumes Microsoft didn't change how Windows interprets productState [...more...] for this McAfee issue) then it would appear, in addition to everything you mentioned, that the new ENS build does not correct the issue...
When the "debug logging" workaround was working, the productState on my machine was (now seemingly randomly) set to 397312, which caused WSC and WDA to behave properly...
@chealeyanything? Hello?
Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA