@meanoldmanning, your About looks almost identical to mine (versions of platform, TP, amcore, dats, etc) (I'm not running firewall or web control)
From your WMI powershell output, it looks like you also have duplicate ENS providers now... Good times... However, on yours, the "newer" ENS provider registration (10/9) has the "older" productState (393232). If WSC/WDA does any kind of querying of WMI, by date descending (to get the latest), this could be your issue (again, many assumptions on my part).
On mine, both duplicate entries have productState 397312.
If you're feeling brave, I'd run the VB script located here, Delete AntiVirusProduct WMI - Clear the anti-virus WMI class from an elevated command prompt (which I have personally run before), then reboot, then... wait (maybe 3 minutes?)... while Microsoft and McAfee re-register themselves (WSC seems to take a bit to get AV status), then re-run the get-wmiobject powershell command again.
So, here's something fun and should not have to be the acceptable 'solution'. I had NOT enabled debug logging on the test laptops because, you know, that shouldn't be how this gets fixed. I decided to assign a policy to the clean install computer that enabled logging and after a reboot it reports correctly - for now. We'll see how long that lasts because the laptop I use daily also has debug logging enabled and does NOT report correctly (update install).
@meanoldmanning, agreed.
When I had debugging on before the October update release, it changed the productState to 397312, so appeared to work (see my posts re: workaround), however, after a random daily update (perhaps AMCore) the productState returned to 343232 which reintroduced the issue.
I also noticed, during "clean install" testing, the Endpoint Product Removal Tool does not delete errant/old McAfee AV providers, which is when I ran that VBScript.
@Former Member, is there a chart or link you could post that indicates how to decode productState? i.e. what's 397312 vs. 343232?
Did you remove the agent as well when you ran the removal tool?
I don't have a chart as such, but here are the states I know about:
ProductState=262144 = Up to Date Defs, On Access Scanning OFF
ProductState=266240 = Up to Date Defs, ON Access Scanning ON
ProductState=397328 = not Up to Date Defs, ON Access Scanning
ProductState=393216 = Up to Date Defs, On Access Scanning OFF
ProductState=397312 = Up to Date Defs, ON Access Scanning ON
Found this in another thread @Nielsb :
Thank you for the idea! I really need this.
Some extra productstate numbers
401408 = onaccess scan disabled
262144 | Antivirus Current - (On-Access Scanner OFF) |
262160 | Antivirus Outdated - (On Access Scanner OFF) |
266240 | Antivirus Current - (On Access Scanner ON) |
266256 | Antivirus Outdated - (On Access Scanner ON) |
393216 | Antivirus Current - (On-Access Scanner OFF) |
393232 | Antivirus Outdated - (On Access Scanner OFF) |
393488 | Antivirus Outdated - (On Access Scanner OFF) |
397312 | Antivirus Current - (On Access Scanner ON) |
397328 | Antivirus Outdated - (On Access Scanner ON) |
397584 | Antivirus Outdated - (On Access Scanner ON) |
@meanoldmanning, yes, removed ALL McAfee products with the tool...
So three things I've noticed now:
Clean install and debug logging enabled - success
Running that script and then doing a clean install (though not enabling debugging) - success
Update install, debug logging enabled or not - no success
@SWISS, is yours working now? Your output looks like mine with duplicate ENS entries, but both have productState 397312 (like mine).
Also, I noticed that after the initial reboot, ENS creates the duplicate WMI entry (checked on another machine after installing the October update, but before reboot and I had only two providers, WDA and ENS. After reboot, a new ENS provider is added.)
First, I've updated my previous posts re: 343232... it was 393232... (disregard 343232).
Based on the list of productStates, 393232 indicates AV out of date, and on-access scan off.
I keep having a sneaking suspicion that this is still related to the ENS providers listed in WMI, and WSC potentially receiving a duplicate/errant ENS result (with incorrect productState) from WMI, and basing its decision (to keep WDA on and indicate ENS is OFF) on that...
I really think you should try to clear your providers, but then again, I'm hoping that doesn't fix the issue because there's no way I'm going to run around to all my client computers and manually clear providers...
Back to what I said almost forever ago, ENS really shouldn't be making any duplicate entries in the AV providers DB...
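Added example, not written by any poster in this thread or by McAfee: a PowerShell decoder for the productState values listed above, plus a check for the duplicate-provider condition the thread suspects. The bit tests (0x1000 for on-access scanning, 0x10 for outdated definitions) are inferred from the values posted here, not from vendor documentation; the function names and sample records are constructed for illustration.

```powershell
# Bit meanings below are an assumption inferred from the thread's value list.
function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][uint32]$ProductState)
    [pscustomobject]@{
        ProductState = $ProductState
        Hex          = '0x{0:X6}' -f $ProductState
        OnAccessScan = if ($ProductState -band 0x1000) { 'ON' } else { 'OFF' }
        Definitions  = if ($ProductState -band 0x10) { 'Outdated' } else { 'Current' }
    }
}

function Find-ConflictingAvProvider {
    # Groups registrations by displayName and reports any name registered more
    # than once, flagging duplicates that disagree on productState.
    param([Parameter(Mandatory)][object[]]$Provider)
    $Provider | Group-Object displayName | Where-Object Count -gt 1 | ForEach-Object {
        $states = @($_.Group.productState | Sort-Object -Unique)
        [pscustomobject]@{
            DisplayName   = $_.Name
            Registrations = $_.Count
            States        = ($states -join ', ')
            Conflict      = $states.Count -gt 1
        }
    }
}

# Constructed sample mirroring the thread: one other provider plus two ENS
# registrations with different states. Names and GUIDs are placeholders.
$sample = @(
    [pscustomobject]@{ displayName = 'Other AV (sample)'; instanceGuid = '{SAMPLE-1}'; productState = 393216 }
    [pscustomobject]@{ displayName = 'ENS (sample)';      instanceGuid = '{SAMPLE-2}'; productState = 397312 }
    [pscustomobject]@{ displayName = 'ENS (sample)';      instanceGuid = '{SAMPLE-3}'; productState = 393232 }
)

# Decode every registration, then list duplicated provider names.
$sample | ForEach-Object {
    $d = ConvertFrom-ProductState $_.productState
    '{0,-20} {1}  scan={2}  defs={3}' -f $_.displayName, $d.Hex, $d.OnAccessScan, $d.Definitions
}
Find-ConflictingAvProvider -Provider $sample

# Against live data on a Windows client, replace $sample with:
# Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct
```

Under this reading, 393488 and 401408 also decode as scanner OFF, which agrees with the descriptions given for them in the thread.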