
JozefG
ESET Staff
Posts: 65
Days Won: 1

Everything posted by JozefG

  1. Yesterday a new Security Center integration module, 1029, was released to the pre-release channel. Can you try this module and see if it fixes your issue? Some timing-related issues, combined with possibly long initialization inside WSC, were fixed. There might be a slight chance of Defender starting even with all these fixes, caused by long initialization in WSC itself.
  2. @itman @VanBuran, would you be interested in testing a module that should hopefully fix this issue?
  3. Not this again. You say both are working correctly; I see Defender being the active one according to the logs. Which means both real-time protections are running. From our logs I can see that once wscsvc is running, we try to update the AV state to On and get E_PENDING results from the AV API. After that we find out, through the WSC public API, that we are unregistered(!!!), so we try to register and get E_PENDING again. Next we try to recover from that, but it seems that there is some race condition which can be fixed rather easily. But again we get an E_PENDING error for the status update. The real question is why we find ourselves unregistered after some reboots, as we definitely do not unregister unless it is needed/requested, e.g. on full uninstall. A possible cause could be that WSC cannot get some data.
  4. According to the logs the last attempt was correct and we should both be on. Is it like that? There is one visible report of the Off state from this morning. It seems you started logging after it happened. Off is usually tied to disabling RTFS in Advanced setup, or to an expired license with an outdated detection engine. Please turn on this logging and try to reproduce it; after it is reproduced, turn it off and collect the logs via LogCollector.
  5. @davidovitch Note that the Windows Security Center service is a delayed-start service. Until it starts we cannot report anything, as there would be a bunch of errors. Can you please share a screenshot of such an alert?
  6. @jfksdt45245 If you are able to reproduce the issue, please continue according to @Marcos's response. Those logs could tell us more closely what is happening. Also, that registry key should not be an issue as we use a dedicated private Windows API.
  7. TL;DR: No. We are required by Microsoft to communicate with WSC in order to be an antimalware provider.
  8. @FRiC Can you please put the machine into a normal state and create an ETL log from boot until the issue manifests? Do you happen to have some ESMC policy sent to the application that could disable RTFS? Also it seems that you have Defender disabled via GPO (not a critical issue). Edit: please also send an ELC log so I can see the event logs.
  9. @FRiC Something really weird is going on here. There are just too many ETL logs. Also, according to the Application event log:

     10/28/2020 12:28:58 PM The Windows Security Center Service has started.
     ...
     10/28/2020 12:31:30 PM The Windows Security Center Service has stopped.
     10/28/2020 12:34:38 PM The Windows Security Center Service has started.
     10/28/2020 12:34:38 PM Updated ESET Security status successfully to SECURITY_PRODUCT_STATE_ON.
     10/28/2020 12:34:40 PM Updated ESET Firewall status successfully to SECURITY_PRODUCT_STATE_ON.
     10/28/2020 12:43:23 PM The Windows Security Center Service has stopped.
     10/28/2020 12:47:20 PM The Windows Security Center Service has started.
     10/28/2020 12:47:21 PM Updated ESET Security status successfully to SECURITY_PRODUCT_STATE_ON.
     10/28/2020 12:47:22 PM Updated ESET Security status successfully to SECURITY_PRODUCT_STATE_OFF.
     10/28/2020 12:47:22 PM Updated ESET Firewall status successfully to SECURITY_PRODUCT_STATE_ON.
     10/28/2020 1:26:24 PM The Windows Security Center Service has started.
     10/28/2020 1:26:24 PM Updated ESET Firewall status successfully to SECURITY_PRODUCT_STATE_ON.
     10/28/2020 1:26:24 PM Updated ESET Security status successfully to SECURITY_PRODUCT_STATE_ON.

     According to the System event log there seem to be reboots being triggered:

     10/28/2020 12:25:53 PM The process C:\Windows\System32\RuntimeBroker.exe (RMP01) has initiated the restart of computer RMP01 on behalf of user RMP01\itp for the following reason: Other (Unplanned) Reason Code: 0x0 Shutdown Type: restart Comment:
     10/28/2020 12:31:22 PM The process C:\Windows\System32\RuntimeBroker.exe (RMP01) has initiated the restart of computer RMP01 on behalf of user RMP01\itp for the following reason: Other (Unplanned) Reason Code: 0x0 Shutdown Type: restart Comment:

     Is the machine rebooting by itself?
  10. @FRiC It is either a display issue or there is something happening with the Windows Security Center service (wscsvc). It is the source of data for the UI; it is hard to say what could be the cause of the issue, since the Firewall and Manage providers seem to get the data. You can try whether a manual change of the RTFS state in our GUI will update it. Also, can I ask you for an ELC log? I might want to take a deeper look into this issue.
  11. @FRiC According to the log we tried to update the status for the AV provider and we got this HRESULT: 0x8000000a (E_PENDING). For us this means our request was queued by wscsvc and it will be handled. Firewall updates are working correctly. However, in your case it looks like wscsvc has some issue with too many requests or something. IIRC this E_PENDING is usually seen around wscsvc start.
  12. @FRiC Please provide the ETL logs created by In the case of a default installation they should be present in the C:\ProgramData\ESET\ESET Security\Diagnostics folder.
  13. @FRiC Please make sure you have the latest Security Center integration module, 1026.1, present. Can you also post a screenshot of Manage providers in the WSC UI?
  14. You can enable it in Advanced setup, accessible by pressing F5. Logs will be present in C:\ProgramData\ESET\ESET Security\Diagnostics after you stop logging. Is the problem visible even after the module update and a reboot?
  15. @Pepestift If the problem still persists, please turn on the Enable Kernel advanced logging setting. Run an update or reboot. Note that the Security Center service has delayed start, so let it sit for a while. Turn off logging and provide the ETL logs from the Diagnostics folder. @itman There was a new Security Center integration module released Tuesday afternoon to all channels. It is possible that you got it after the installation of 14.0.21.0.
  16. @Page42 Is the problem still visible? If so, please turn on the Enable Kernel advanced logging setting. Run an update or reboot. Note that the Security Center service has delayed start, so let it sit for a while. Turn off logging and provide the ETL logs from the Diagnostics folder.
  17. @itman Were there any OS updates waiting for a restart? What version of the Security Center integration module did you have at the time of the upgrade?
  18. @rbkaiser Microsoft moved Startup settings under See more recovery options.
  19. @taquionbcn Can you please check if the parent registry keys Av and Fw have correct permissions? Can you also try to enable inheritance?
  20. According to the provided PML we know what causes this access denied: it is wscsvc failing to open these registry keys with read/write disposition:

     HKLM\SOFTWARE\Microsoft\Security Center\Provider\Av\{885D845F-AF19-0124-FECE-FFF49D00F440}
     HKLM\SOFTWARE\Microsoft\Security Center\Provider\Fw\{B066057A-E576-007C-D591-56C163D3B33B}

     @taquionbcn Can you please check the permissions for these registry keys? Both of these keys should inherit permissions from the Av and Fw keys respectively. On my virtual machine it looks like this for Av, and similarly for Fw.
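The ACL check that post 19 and post 20 ask for can be scripted. The following is an added example, not code from JozefG, ESET or this thread: it reads the ACL of the two provider keys quoted in the post above (the paths and GUIDs are the ones from the post), reports whether inheritance from the parent Av/Fw key is disabled (`AreAccessRulesProtected`), lists any explicit rules set directly on the child key, and names principals that appear on the parent but not on the child. The optional `Enable-ProviderKeyInheritance` function is the scripted equivalent of "enable inheritance" and only runs when you ask for it; the function names are my own.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Paths and provider GUIDs are the ones quoted in post 20 above.
$ProviderKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Security Center\Provider\Av\{885D845F-AF19-0124-FECE-FFF49D00F440}',
    'HKLM:\SOFTWARE\Microsoft\Security Center\Provider\Fw\{B066057A-E576-007C-D591-56C163D3B33B}'
)

function Get-ProviderKeyAclReport {
    # Read-only: compares a provider key's ACL with its parent (Av or Fw) key.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Key = $Path; Exists = $false }
    }

    $parentPath = Split-Path -Path $Path -Parent
    $acl        = Get-Acl -LiteralPath $Path
    $parentAcl  = Get-Acl -LiteralPath $parentPath

    # AreAccessRulesProtected is $true when inheritance from the parent is disabled,
    # which is what the post suspects is behind wscsvc's ACCESS_DENIED.
    $inheritanceEnabled = -not $acl.AreAccessRulesProtected

    # Rules defined directly on the child key (not inherited) are worth a look:
    # a Deny rule or a narrowed Allow rule here would explain the error.
    $explicit = $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        '{0} {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.RegistryRights
    }

    # Principals present on the parent but absent on the child point at a broken inheritance chain.
    $parentIds = $parentAcl.Access | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    $childIds  = $acl.Access       | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    $missing   = $parentIds | Where-Object { $childIds -notcontains $_ }

    [pscustomobject]@{
        Key                          = $Path
        Exists                       = $true
        Owner                        = $acl.Owner
        InheritanceEnabled           = $inheritanceEnabled
        ExplicitRulesOnKey           = ($explicit -join '; ')
        PrincipalsOnParentNotOnChild = ($missing -join ', ')
    }
}

function Enable-ProviderKeyInheritance {
    # Re-enables ACL inheritance from the parent key, keeping existing explicit rules.
    # SetAccessRuleProtection($false, $true): isProtected = $false, preserveInheritance = $true.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    if (-not $acl.AreAccessRulesProtected) {
        Write-Verbose "Inheritance already enabled on $Path"
        return
    }
    if ($PSCmdlet.ShouldProcess($Path, 'Enable ACL inheritance from parent key')) {
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# Report first; only repair when the report shows inheritance is off.
foreach ($key in $ProviderKeys) {
    Get-ProviderKeyAclReport -Path $key | Format-List
}
# Repair step, preview only (drop -WhatIf to apply):
# foreach ($key in $ProviderKeys) { Enable-ProviderKeyInheritance -Path $key -WhatIf }
```

Run the report before and after the repair; if `InheritanceEnabled` is already `True` and no explicit rules are listed, the key's ACL is not the cause and the Process Monitor capture (PML) the post refers to is the next place to look.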
  21. When you click on the switcher there is a dialog where you choose whether you want to pause it for some time; this way it should always get to the Snoozed state. The only way to get Defender to kick in is to uncheck Enable Real-time file system protection in Advanced setup. Either way, if one of those actions is reflected in the Windows Security Center UI, there might be a possible workaround for this error.
  22. @itman Do you also have issues with integration into Windows Security Center? Does your ESET Event log contain any errors regarding Windows Security Center? If so, please provide aligned Advanced logs and a Process Monitor log.
  23. It should not be necessary to reinstall the whole operating system. Did you try to change the state of Real-time file system protection? If the state changes in the Security Center UI like in the image below, it means we can do something in the Security Center integration module to work around this error.
  24. @itman According to those screenshots it looks like everything is fine, meaning that we are the registered and active provider, but the system is consistently returning ACCESS_DENIED.
  25. As I look at your images it seems that it works, but we are getting that error. That is really strange. Go to Setup -> Computer Protection -> click on the switcher next to Real-time file system protection and check if it gets updated inside the Windows Security Center UI.