No active antivirus provider

[FRiC 9]

I noticed today that some of our computers are showing no virus provider in Windows Security. EES is current 7.3.2041.0 and there's nothing obvious in ESMC or in the logs.

It seems random since all of our computers are domain joined Windows 10, Version 2004 and there doesn't seem to be anything special about the ones that are showing this warning. Anyone seeing anything like this?

Thanks.

[JozefG 9]

@FRiC Please make sure you have latest Security Center integration module 1026.1 present.

Can you also post screenshot of Manage providers in WSC UI?

[FRiC 9]

Hi, it appears integration module is at 1026.1. Security providers says ESET Security is turned off. I tried restarting some of the computers experiencing this issue and it seems to come and go randomly. I'll check on more computers.

[Marcos 5,074]

There's something fishy going on. Last update on Oct 28, 2563?

Please set a correct system date and reboot the machine. You may get a notification in gui about outdated modules then which should fix automatically after the next module update.

[JozefG 9]

@FRiC please provide ETL logs created by

In case of default installation it should be present in C:\ProgramData\ESET\ESET Security\Diagnostics folder.

[FRiC 9]

@Marcos Yeah, we're based in Southeast Asia and it's Buddhist year 2563 here. The date format is set by regional format and if I change the format to English (US) the date automatically changes from 28/10/2563 to 10/28/2020. Just to be sure I tried changing regional format but the problem persists.

@JozefG ETL files attached. Thanks.

ekrn.zip

[JozefG 9]

@FRiC according to the log we tried to update status for AV provider and we got this HRESULT 0x8000000a(E_PENDING).

For us this means our request was queued by wscsvc and it will be handled.

Firewall updates are working correctly.

However in your case it looks like wscsvc has some issue with too many requests or something.

IIRC this E_PENDING is usually seen around wscsvc start.

 

[FRiC 9]

@JozefG Do you mean it's just a display issue in Windows Security Center? EES seems to be working fine otherwise. I would've never noticed the issue if I had not sat down at a user's computer on a completely unrelated issue and happened to see the red cross on the WSC tray icon.

[JozefG 9]

@FRiC it is either display issue or there is something happening with Windows Security Center service (wscsvc).

It is the source of data for UI, hard to say what could be the cause of issue since Firewall and Manage providers seems to get the data. You can try if manual change of RTFS state in our GUI will update it.

Also can I ask you for ELC log? I might want to take a deeper look into this issue

[FRiC 9]

@JozefG Hi, the ESET Log Collector log is over 100 MB so I've uploaded here. If there's an alternate file transfer site I should use please let me know. Thanks.

[JozefG 9]

@FRiC Something is really weird going on here. There is just too many ETL logs.

Also according to Application event log

10/28/2020 12:28:58 PM  The Windows Security Center Service has started.
...
10/28/2020 12:31:30 PM  The Windows Security Center Service has stopped.
10/28/2020 12:34:38 PM  The Windows Security Center Service has started.
10/28/2020 12:34:38 PM  Updated ESET Security status successfully to SECURITY_PRODUCT_STATE_ON.
10/28/2020 12:34:40 PM  Updated ESET Firewall status successfully to SECURITY_PRODUCT_STATE_ON.
10/28/2020 12:43:23 PM  The Windows Security Center Service has stopped.
10/28/2020 12:47:20 PM  The Windows Security Center Service has started.
10/28/2020 12:47:21 PM  Updated ESET Security status successfully to SECURITY_PRODUCT_STATE_ON.
10/28/2020 12:47:22 PM  Updated ESET Security status successfully to SECURITY_PRODUCT_STATE_OFF.
10/28/2020 12:47:22 PM  Updated ESET Firewall status successfully to SECURITY_PRODUCT_STATE_ON.
10/28/2020  1:26:24 PM  The Windows Security Center Service has started.
10/28/2020  1:26:24 PM  Updated ESET Firewall status successfully to SECURITY_PRODUCT_STATE_ON.
10/28/2020  1:26:24 PM  Updated ESET Security status successfully to SECURITY_PRODUCT_STATE_ON.

according to system event log there seems to be reboots triggered

10/28/2020 12:25:53 PM The process C:\Windows\System32\RuntimeBroker.exe (RMP01) has initiated the restart of computer RMP01 on behalf of user RMP01\itp for the following reason: Other (Unplanned)
 Reason Code: 0x0
 Shutdown Type: restart
 Comment: 
10/28/2020 12:31:22 PM The process C:\Windows\System32\RuntimeBroker.exe (RMP01) has initiated the restart of computer RMP01 on behalf of user RMP01\itp for the following reason: Other (Unplanned)
 Reason Code: 0x0
 Shutdown Type: restart
 Comment: 

Is the machine rebooting by itself?

[FRiC 9]

Sorry, the machine wasn't rebooting by itself. I was rebooting it manually to see if the problem would go away when I changed settings (regional format mentioned above). The computer also got shut down at the end of the work day. I could run the log collector on another computer if necessary.

[JozefG 9]

@FRiC Can you please put machine to normal state and create ETL log from boot until the issue manifests?

Do you happen to have some ESMC policy sent to application that could disable RTFS?

Also it seems that you have Defender disabled via GPO(not critical issue).

Edit: send please ELC log so I can see event logs

Edited October 29, 2020 by JozefG

[FRiC 9]

In case anyone runs into this problem in the future. The reason was that Windows Defender Antivirus was disabled by GPO. It had always been disabled so maybe something in Windows 10 changed recently. Changing the policy to Not Configured fixed everything.