A bunch of updates just showed up as available in Software Manager on ePO. I'm going to clean install on one laptop and update on another and see how it goes

@chealeycan we confirm if the new releases address the issue discussed on this topic?

Endpoint Security Platform10.6.1.1724.1

Endpoint Security Threat Prevention10.6.1.1777.1

Went through the release notes and I don't think there is a mention on it.

@chealey, please advise... "if the new releases address the issue discussed on this topic?"

I/we can't wait another release cycle during which our users are confusingly notified that anti-virus isn't working or is turned off...

Neither install scenario (clean or update) resolves the issue with the new versions pushed to the software manager. The reporting error remains. I kind of assumed this would be the case since I wasn't advised to run these updates by the fellow assigned to my ticket.

@chealey, @meanoldmanning has indicted the issue still isn't fixed.  I believe you told us it would be fixed in the next release, "This issue will be addressed in the next release of the product which is targeted for October."  Also, my support case indicates,

---

Resolution: The issue is fixed now and will be targeted in the next release of ENS version

---

And that was prior to THIS release............... So................. umm.................... ::biting tongue trying to stay civil::

OK, after sitting for a couple hours now the laptop that had a clean install is still reporting that McAfee is OFF and Windows Defender is ON. However, the laptop that had McAfee 'updated' to the new versions now has switched to McAfee reporting it is ON and Windows Defender is OFF. Weird.

EDIT - and now 40 minutes or so later the laptop on which I did a clean install suddenly is reporting properly. Both the laptops had run an update around the same time so I'm not sure there was a content update that triggered either one to turn on.

EDIT 2 - Rebooting causing the reporting issue to return, at least short term. I'm not sure how quickly is clears up, but maybe 10 minutes after rebooting it still reports McAfee is OFF

@meanoldmanning  Thanks for the investigative work.  Just curious, did you implement the "debug logging" workaround?  I did, and it seems to work most of the time, but when ENS updates (a daily task), I think AMCore, it returns to McAfee is off...

No, not on the test machines, I wanted to see if the updates corrected the issue on their own. However, I did implement it on the computer I use daily. It was weird in that after implementing it WSC would report correctly until I restarted windows, which I think you experienced too? But if I waited for several minutes (hour?) it would switch back to reporting correctly. 

By the way, after sitting for more than an hour now after being rebooted the two test machines have NOT switched back to reporting correctly

@meanoldmanning, what does the output of

---

get-wmiobject -namespace "root\securitycenter2" -class "antivirusproduct"

---

show?  I guess, more specifically, the "productState"

On mine, it's currently:

---

__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-F2FAB48962E3}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DEL7810-0219
__NAMESPACE : ROOT\securitycenter2
__PATH : \\DEL7810-0219\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-
F2FAB48962E3}"
displayName : McAfee Endpoint Security
instanceGuid : {1006DC03-1FB1-9E52-7C81-F2FAB48962E3}
pathToSignedProductExe : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState : 393232
timestamp : Tue, 08 Oct 2019 12:33:32 GMT
PSComputerName : DEL7810-0219

__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DEL7810-0219
__NAMESPACE : ROOT\securitycenter2
__PATH : \\DEL7810-0219\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-
DA132C1ACF46}"
displayName : Windows Defender
instanceGuid : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState : 393472
timestamp : Tue, 01 Oct 2019 11:56:37 GMT
PSComputerName : DEL7810-0219

And I think we determined previously that the issue was related to how WSC is interpreting the productState.  If yours is still showing 393232 (and one assumes Microsoft didn't change how Windows interprets productState [...more...] for this McAfee issue) then it would appear, in addition to everything you mentioned, that the new ENS build does not correct the issue...

When the "debug logging" workaround was working, the productState on my machine was (now seemingly randomly) set to 397312, which caused WSC and WDA to behave properly...

@chealeyanything?  Hello?