Community Help Hub

billmoller · ‎10-09-2019

@meanoldmanning, your About looks almost identical to mine (versions of platform, TP, amcore, dats, etc) (I'm not running firewall or web control)

From your WMI powershell output, it looks like you also have duplicate ENS providers now... Good times... However, on yours, the "newer" ENS provider registration (10/9) has the "older" productState (393232). If WSC/WDA does any kind of querying of WMI, by date descending (to get the latest), this could be your issue (again, many assumptions on my part).

On mine, both duplicate entries have productState 397312.

If you're feeling brave, I'd run the VB script located here, Delete AntiVirusProduct WMI - Clear the anti-virus WMI class from an elevated command prompt (which I have personally run before), then reboot, then... wait (maybe 3 minutes?)... while Microsoft and McAfee re-register themselves (WSC seems to take a bit to get AV status), then re-run the get-wmiobject powershell command again.

meanoldmanning · ‎10-09-2019

So, here's something fun and should not have to be the acceptable 'solution'. I had NOT enabled debug logging on the test laptops because, you know, that shouldn't be how this gets fixes. I decided to assign a policy to the clean install computer that enabled logging and after a reboot it reports correctly - for now. We'll see how long that last because the laptop I use daily also has debug logging enabled and does NOT report correctly (update install)

Michael

billmoller · ‎10-09-2019

@meanoldmanning, agreed.

When I had debugging on before the October update release, it changed the productState to 397312, so appeared to work (see my posts re: workaround), however, after a random daily update (perhaps AMCore) the productState returned to 343232 which reintroduced the issue.

I also noticed, during "clean install" testing, the Endpoint Product Removal Tool does not delete errant/old McAfee AV providers, which is when I ran that VBScript.

@Former Member, is there a chart or link you could post that indicates how to decode productState? i.e. what's 397312 vs. 343232?

meanoldmanning · ‎10-09-2019

Did you remove the agent as well when you ran the removal tool?

Michael

Former Member · ‎10-09-2019

I don't have a chart as such, but here are the states I know about:

ProductState=262144 = Up to Date Defs, On Access Scanning OFF

ProductState=266240 = Up to Date Defs, ON Access Scanning ON

ProductState=397328 = not Up to Date Defs, ON Access Scanning

ProductState=393216 = Up to Date Defs, On Access Scanning OFF

ProductState=397312 = Up to Date Defs, ON Access Scanning ON

billmoller · ‎10-09-2019

Found this in another thread @Nielsb :

Thank you for the idea! I really need this.

Some extra productstate numbers

401408 = onaccess scan disabled

262144	Antivirus Current - (On-Access Scanner OFF)
262160	Antivirus Outdated - (On Access Scanner OFF)
266240	Antivirus Current - (On Access Scanner ON)
266256	Antivirus Outdated - (On Access Scanner ON)
393216	Antivirus Current - (On-Access Scanner OFF)
393232	Antivirus Outdated - (On Access Scanner OFF)
393488	Antivirus Outdated - (On Access Scanner OFF)
397312	Antivirus Current - (On Access Scanner ON)
397328	Antivirus Outdated - (On Access Scanner ON)
397584	Antivirus Outdated - (On Access Scanner ON)

billmoller · ‎10-09-2019

@meanoldmanning, yes, removed ALL McAfee products with the tool...

SWISS · ‎10-09-2019

W10, 1903 PRO VL, German, All Updates until (except) 10/2019 from WSUS
get-wmiobject -namespace "root\securitycenter2" -class "antivirusproduct"

__GENUS                  : 2
__CLASS                  : AntiVirusProduct
__SUPERCLASS             :
__DYNASTY                : AntiVirusProduct
__RELPATH                : AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-F2FAB48962E3}"
__PROPERTY_COUNT         : 6
__DERIVATION             : {}
__SERVER                 : W10INDIA1201
__NAMESPACE              : ROOT\securitycenter2
__PATH                   : \\W10INDIA1201ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-F2F
                           AB48962E3}"
displayName              : McAfee Endpoint Security
instanceGuid             : {1006DC03-1FB1-9E52-7C81-F2FAB48962E3}
pathToSignedProductExe   : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState             : 397312
timestamp                : Wed, 09 Oct 2019 08:06:05 GMT
PSComputerName           : W10INDIA1201

__GENUS                  : 2
__CLASS                  : AntiVirusProduct
__SUPERCLASS             :
__DYNASTY                : AntiVirusProduct
__RELPATH                : AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
__PROPERTY_COUNT         : 6
__DERIVATION             : {}
__SERVER                 : W10INDIA1201
__NAMESPACE              : ROOT\securitycenter2
__PATH                   : \\W10INDIA1201\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA1
                           32C1ACF46}"
displayName              : Windows Defender
instanceGuid             : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe   : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState             : 393472
timestamp                : Thu, 19 Sep 2019 16:17:47 GMT
PSComputerName           : W10INDIA1201

__GENUS                  : 2
__CLASS                  : AntiVirusProduct
__SUPERCLASS             :
__DYNASTY                : AntiVirusProduct
__RELPATH                : AntiVirusProduct.instanceGuid="{9D4501E6-72F6-2877-C789-89AF6F535B2C}"
__PROPERTY_COUNT         : 6
__DERIVATION             : {}
__SERVER                 : W10INDIA1201
__NAMESPACE              : ROOT\securitycenter2
__PATH                   : \\W10INDIA1201\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{9D4501E6-72F6-2877-C789-89A
                           F6F535B2C}"
displayName              : McAfee Endpoint Security
instanceGuid             : {9D4501E6-72F6-2877-C789-89AF6F535B2C}
pathToSignedProductExe   : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState             : 397312
timestamp                : Wed, 14 Aug 2019 09:12:05 GMT

meanoldmanning · ‎10-09-2019

So three things I've noticed now:

Clean install and debug logging enabled - success

Running that script and then doing a clean install (though not enabling debugging) - success

Update install, debug logging enabled or not - no success

Michael

billmoller · ‎10-09-2019

@SWISS, is yours working now? Your output looks like mine with duplicate ENS entries, but both have productState 397312 (like mine).

Also, I noticed that after the initial reboot, ENS creates the duplicate WMI entry (checked on another machine after installing the October update, but before reboot and I had only two providers, WDA and ENS. After reboot, a new ENS provider is added.)

@meanoldmanning:

First, I've updated my previous posts re: 343232... it was 393232... (disregard 343232).

Based on the list of productStates, 393232 indicates AV out of date, and on-access scan off.

I keep having a sneaking suspicion that this is still related to the ENS providers listed in WMI, and WSC potentially receiving a duplicate/errant ENS result (with incorrect productState) from WMI, and basing its decision (to keep WDA on and indicate ENS is OFF) on that...

I really think you should try to clear your providers, but then again, I'm hoping that doesn't fix the issue because there's no way I'm going to run around to all my client computers and manually clear providers...

Back to what I said almost forever ago, ENS really shouldn't be making any duplicate entries in the AV providers DB...

Re: Windows Defender problem reported by MICROSOFT

Re: Windows Defender problem reported by MICROSOFT

Re: Windows Defender problem reported by MICROSOFT

Re: Windows Defender problem reported by MICROSOFT

Re: Windows Defender problem reported by MICROSOFT

Re: Windows Defender problem reported by MICROSOFT

Re: Windows Defender problem reported by MICROSOFT

W10, 1903, German, ENS 10.6 OCTOBER installed, WMI Report as wished

Re: Windows Defender problem reported by MICROSOFT

Re: W10, 1903, German, ENS 10.6 OCTOBER installed, WMI Report as wished

Community Help Hub

Join the Community