Windows Defender Service activated after Upgrade from 10.5.4

We see the issue that after an upgrade from ENS Threat Prevention 10.5.4 to 10.6.1, machines get the Windows Defender service activated, which ends up running two scan engines in parallel. This does not happen on all machines (servers); it's randomized. Primarily we have an issue with Windows 2016 servers. As the impact is not visible for us right after the upgrade (the services will be activated after the next reboot), we now have a lot of servers upgraded (no reboot needed from McAfee). And those servers get faulty after the next reboot, as Windows Defender kicks in. The reboot could be weeks or months later, e.g. after a Microsoft patch. So we have a big challenge identifying upfront which servers might get faulty. Can someone describe in detail what happens when a Windows 2016 server gets an upgrade from 10.5.4 to 10.6.1? What does the McAfee upgrade (uninstall & install) process trigger? Which features get enabled on a Windows Server 2016? Is there a best practice from McAfee on how to deal with Windows Defender?
6 Replies
McAfee Employee chealey
Message 2 of 7

Re: Windows Defender Service activated after Upgrade from 10.5.4

Please refer to the ENS FAQs:

KB86704

Why does Endpoint Security reinstall Windows Defender during an upgrade?
To ensure continued protection, Endpoint Security reinstalls Windows Defender if it is not present on the system and if Endpoint Security is uninstalled. When you perform a major upgrade of Endpoint Security, for example, from 10.5.x to 10.6.x, Endpoint Security uninstalls 10.5.x and then installs 10.6.x. The uninstall of Endpoint Security triggers the action to reinstall Windows Defender if it is not present on the system. During the Endpoint Security install, Windows Defender is disabled, but not uninstalled. If you intentionally uninstalled Windows Defender and want it to remain uninstalled, you need to uninstall it after each major upgrade of Endpoint Security.

 

The additional challenge with Win Server 2016 is that we cannot disable Windows Defender on these machines. This is noted in the supported platforms KB - KB82761:

ENS does not disable Windows Defender on Windows Server 2016. This fact could lead to performance issues, but this possibility has not been confirmed. The best practice is to run a single real-time anti-virus solution. For updates to this issue and for instructions to manually disable Windows Defender using PowerShell, see known issue 1149046 in KB82450.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

Re: Windows Defender Service activated after Upgrade from 10.5.4

thx chealey for your quick reply

But I know this and had read this before in the community & knowledge base - it's a generic answer and doesn't help us further.

ENS should (in theory) deactivate Windows Defender during the install process.

And even during a major upgrade - as this is in fact an uninstall & install.

BUT in practice it shows up that Windows Defender is activated and running.

So something went wrong at the install - unfortunately the install process doesn't report back this "failure". So you might end up with a big surprise after the next server reboot. Running two malware engines ...

I need to repeat my question ...

Can someone describe in detail what happens when a Windows 2016 server gets an upgrade from 10.5.4 to 10.6.1?

What does the McAfee upgrade (uninstall & install) process trigger?

Which features get enabled on a Windows Server 2016?

Is there a best practice from McAfee on how to deal with Windows Defender?

...

Can the success or failure of the ENS installation be seen in detail in some log files?

looking forward to read more details

 

McAfee Employee chealey
Message 4 of 7

Re: Windows Defender Service activated after Upgrade from 10.5.4

Yes, ENS should and does deactivate Windows Defender during the install process. Except on Windows 2016 Servers.

During a major update, what happens is the ENS installation of the older version is removed and the new version is freshly installed. This in turn causes the Windows Defender to be reactivated or reinstalled if removed and upon the installation sequence of the new version, it's disabled again (unless it's a 2016 Server). The feature which gets enabled is the Windows Defender Feature. The best practice on how to deal with the Windows Defender on a Windows 2016 Server is mentioned in my previous response (see the last part regarding the PowerShell script). The success/failure of the ENS installation can be seen in the Windows Event Log or in the ENS Installation logs which can be found in C:\Windows\Temp\McAfeeLogs (if deployed via ePO) or %temp%/Mcafeelogs (if deployed locally). You may have also chosen to redirect those logs.


Re: Windows Defender Service activated after Upgrade from 10.5.4

thx chealey for the additional info.

We will test on our Windows 2016 servers once more how it comes to this situation - running two scan engines at the same time. As I still don't fully understand what McAfee is doing during the uninstall process on Windows 2016 servers, we need to do further tests.

If I have a Windows 2016 server - Windows Defender Feature is NOT enabled - no Defender services are running or at least stopped and startup type is disabled. And if I install ENS 10.5.4 and later on uninstall this version - will this change anything in my Windows Defender settings?

 

McAfee Employee jess_arman
Message 6 of 7

Re: Windows Defender Service activated after Upgrade from 10.5.4

@User72219051 McAfee does not modify any Windows Defender settings nor are we the ones who actively disable Windows Defender once installed, as is agreed between us and Microsoft.

Beginning with Windows 10, version 1703, Microsoft introduced a new Windows Defender Security Center application that brings together common Windows security features in one application. With this release, Microsoft increased the scope of the application to also show information from third-party anti-virus and firewall applications.

So, the Windows Security Center is able to detect when another AV software, like McAfee, is running, and will auto-self-disable in deference to McAfee being present. This occurs automatically through Windows Action Center's integration with Microsoft WMI database service status information without the need for McAfee to send any signals to disable ENS. For additional information see KB89921.

If you need assistance confirming the status of Windows Defender as disabled after installing ENS, you can review KB88214.

 


Re: Windows Defender Service activated after Upgrade from 10.5.4

Hello Jess Arman .. thx for the feedback.
In your feedback you mention only Windows 10 - is the whole topic also valid for Windows Server 2016? I'm talking only about Windows Server 2016. So I need a solution for Server 2016.
I set up a fresh Windows 2016 server and deactivated every Defender Feature - no Defender Service running at all. And not even a Defender Service with startup type "manual". After that I installed MA Agent 5.6.0 and ENS 10.5.4. Still nothing changed in Windows Defender. Later on I initiated an ENS 10.6.1 deployment from our ePO. And surprise, surprise, the Windows Feature Defender is now activated and running 😞
Can you explain WHY this happens? .. it definitely looks like McAfee triggers/initiates this change on a Windows Feature ...
Looking forward to hear from you.
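
The open problem in this thread is finding, before the next reboot, the upgraded servers on which Windows Defender will start. The PowerShell audit below is an added example, not part of any post above and not McAfee code; it assumes PowerShell remoting to the servers and the Windows Server 2016 feature name `Windows-Defender` and service name `WinDefend`, and the function name and host names are hypothetical.

```powershell
# Added example: flag servers where Windows Defender is running now or is
# set to start at the next reboot. Read-only; changes nothing on the target.
function Get-DefenderRebootRisk {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName   # hypothetical list of upgraded servers
    )

    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        # Feature state from the ServerManager module (Windows Server only).
        $feature = Get-WindowsFeature -Name 'Windows-Defender' -ErrorAction SilentlyContinue
        # The service object is absent when the feature binaries are not installed.
        $svc = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue

        $installState = if ($feature) { [string]$feature.InstallState } else { 'Unknown' }
        $startType    = if ($svc) { [string]$svc.StartType } else { 'NotPresent' }
        $status       = if ($svc) { [string]$svc.Status }    else { 'NotPresent' }

        # 'Available' and 'Removed' mean the feature is not installed; any other
        # state (installed, or a change waiting for a reboot) counts as present.
        $featurePresent = $feature -and ($installState -notin 'Available', 'Removed')

        $risk = if ($status -eq 'Running') {
            'RunningNow'          # two scan engines are already active
        } elseif ($featurePresent -and $startType -ne 'Disabled') {
            'StartsOnReboot'      # quiet today, active after the next restart
        } else {
            'None'
        }

        [pscustomobject]@{
            Server       = $env:COMPUTERNAME
            InstallState = $installState
            ServiceState = $status
            StartType    = $startType
            Risk         = $risk
        }
    } | Select-Object Server, InstallState, ServiceState, StartType, Risk
}

# Example call with constructed host names:
# Get-DefenderRebootRisk -ComputerName 'srv2016-01', 'srv2016-02' |
#     Where-Object Risk -ne 'None' | Format-Table -AutoSize
```

Running it right after an ENS deployment task, and again before a planned patch reboot, shows which hosts moved from `None` to `StartsOnReboot`.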
