
10 minutes ago, Marcos said:

Are you getting warnings that registration to Windows Security Center failed in the event log?

Thanks for the reply. Where and for what must I look?


  • Administrators

Please carry on as follows:
- enable advanced logging under Help and support -> Details for technical support
- reboot the machine
- disable logging

If the issue occurred, collect logs with ESET Log Collector and upload the generated archive here.


I am encountering similar issues of conflict between Windows Defender and ESET lately, since a recent Windows update which I believe made Defender more intrusive/difficult to disable permanently...

https://www.techradar.com/news/microsoft-explains-why-it-wont-let-you-disable-this-annoying-windows-10-feature-any-more

Windows Security Center often showing Defender is enabled and ESET is disabled, even though ESET is properly active.

VanBuran, you should run "msconfig" and see if Defender is launching at startup, then uncheck it. It seems to be the root of the problem.

It seemed to have fixed the issues for me for the last few days, but today it happened again even though Defender was disabled from startup. It's becoming very annoying. I hope ESET will look into this.


34 minutes ago, jfksdt45245 said:

Windows Security Center often showing Defender is enabled and ESET is disabled, even though ESET is properly active.

Anyone having this issue.

Open Win Task Manager or Process Explorer if you previously downloaded it. Verify that MsMpEng.exe is running. If it is not, then the issue is Windows Security Center is bogus showing WD is active when it is not. If MsMpEng.exe is running, then both WD and Eset real-time solutions are running concurrently.

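The check described in the post above, as an added PowerShell example (not part of the thread, and not ESET or Microsoft code): it lists the antivirus products registered with Windows Security Center and compares that view with whether MsMpEng.exe is actually running. The `productState` decoding is an assumption based on the commonly observed bit layout, which Microsoft does not document, and `ConvertFrom-WscProductState` is a hypothetical helper name.

```powershell
# Added diagnostic example; run in PowerShell on a Windows client edition.
# ASSUMPTION: productState is undocumented. The masks follow the commonly
# observed layout: 0x1000 = real-time protection on, 0x0010 = signatures stale.
function ConvertFrom-WscProductState {   # hypothetical helper name
    param([Parameter(Mandatory)][uint32]$ProductState)
    [pscustomobject]@{
        Raw               = '0x{0:X6}' -f $ProductState
        RealTimeOn        = ($ProductState -band 0x1000) -ne 0
        SignaturesCurrent = ($ProductState -band 0x0010) -eq 0
    }
}

# 1. What Windows Security Center believes (the wscsvc service answers this).
$wscService = Get-Service -Name wscsvc
$registered = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
    ForEach-Object {
        $s = ConvertFrom-WscProductState -ProductState $_.productState
        [pscustomobject]@{
            Product           = $_.displayName
            WscSaysOn         = $s.RealTimeOn
            SignaturesCurrent = $s.SignaturesCurrent
            RawState          = $s.Raw
        }
    })

# 2. What is actually running: the Defender engine process and its own status.
$msMpEng = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue
$mp      = try { Get-MpComputerStatus -ErrorAction Stop } catch { $null }

$defenderOn = [bool]($registered | Where-Object { $_.Product -like '*Defender*' -and $_.WscSaysOn })
$othersOn   = @($registered | Where-Object { $_.Product -notlike '*Defender*' -and $_.WscSaysOn })

"wscsvc status: $($wscService.Status)"
$registered | Format-Table -AutoSize | Out-String
"MsMpEng.exe running: $([bool]$msMpEng)"
"Defender RealTimeProtectionEnabled: $($mp.RealTimeProtectionEnabled)"

# 3. Compare the two views.
if ($registered.Count -eq 0) {
    'No antivirus product is registered with WSC.'
} elseif ($defenderOn -and -not $msMpEng) {
    'WSC shows Defender on, but MsMpEng.exe is not running: the WSC display is stale.'
} elseif ($msMpEng -and $othersOn.Count -gt 0) {
    'MsMpEng.exe runs while WSC shows another product on: check RealTimeProtectionEnabled above.'
} elseif ($msMpEng -and $othersOn.Count -eq 0) {
    'No third-party product is reported on; Defender is the engine WSC treats as active.'
} else {
    'WSC registration and running processes are consistent.'
}
```

Running it right after a reboot and again a few minutes later captures the kind of delayed state change reported later in this thread.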

  • ESET Staff

@jfksdt45245 If you are able to reproduce the issue, please continue according to @Marcos's response.

Those logs could tell us more closely what is happening.

Also, that registry key should not be an issue, as we use a dedicated private Windows API.


jfksdt45245 said:

It seemed to have fixed the issues for me for the last few days, but today it happened again even though Defender was disabled from startup. It's becoming very annoying. I hope ESET will look into this.

Yes, Windows Defender and Defender Firewall are set to run in msconfig.


  • ESET Staff
1 hour ago, VanBuran said:

Herewith the log. Hope it helps

According to the logs, the last attempt was correct and we should both be on. Is it like that?

There is one report of an Off state visible from this morning. It seems you started logging after it happened.

Off is usually tied to disabling of RTFS in advanced setup, or if the license is expired and there is an outdated detection engine.

Please turn on this logging and try to reproduce it; after it is reproduced, turn it off and collect the logs via LogCollector.


  • ESET Staff
On 11/15/2020 at 5:32 AM, VanBuran said:

Had this today, there were no warnings on ESET or Defender, all working correctly.

Not this again :( You say both are working correctly; I see Defender being the active one according to the logs, which means both realtime protections are running.

From our logs I can see that once wscsvc is running we try to update the AV state to On and we get E_PENDING results from the AV API. After that we find out, through the WSC public API, that we are unregistered(!!!), so we try to register and get E_PENDING again. Next we try to recover from that, but it seems that there is some race condition which can be fixed rather easily. But again we get an E_PENDING error for the status update.

The real question is why we find ourselves unregistered after some reboots, as we definitely do not unregister unless it is needed/requested, e.g. full uninstall. A possible cause could be that WSC cannot get some data.


4 hours ago, JozefG said:

Not this again :( You say both are working correctly; I see Defender being the active one according to the logs, which means both realtime protections are running.

I had something similar to this happen yesterday morning. It is the first time this has happened when using Eset on Win 10; approx. 5 years.

Out of the blue and doing nothing out of the ordinary on the PC, I received an alert from Windows Security Center that there was a problem with real-time protection. Note this was sometime after system startup. Since I monitor registry run keys modification with Eset HIPS rules, I started receiving alerts from Win 10 in regards to setting up Win Defender in WSC;

Time;Application;Operation;Target;Action;Rule;Additional information
11/15/2020 11:17:49 AM;C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1911.3-0\MsMpEng.exe;Modify registry;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender;allowed;User rule: block modification of registry run keys;

which I allowed. Note that EIS Eset 14.0.22 is still fully functional with no issues per GUI home screen display. However, WSC says Eset real-time protection is off.

At this point, I rebooted the PC. Eset still shows it is fully functional with no issues. WSC still states Eset real-time protection is off and Windows Defender is active real-time solution.

A few minutes later, I rechecked WSC real-time status again. Magically, Eset now shows as real-time solution and WD is turned off. Stranger yet, I checked the above registry key and there is no entry for MsMpEng.exe there. No issue with this since or like strange reset behavior through multiple system restarts.

My opinion - dump ver. 14 and revert back to latest ver. 13 release.


59 minutes ago, JozefG said:

@itman @VanBuran would you be interested in testing a module that should hopefully fix this issue?

I will wait for a while and then get back to you on this.

What I posted previously just happened again. This time I let WD update itself and its definitions. I then rebooted. Then when I checked WSC real-time AV status, it was hosed in that nothing showed as real-time protection. However, I then received another Eset HIPS alert:

Time;Application;Operation;Target;Action;Rule;Additional information
11/16/2020 10:23:41 AM;C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2001.10-0\MsMpEng.exe;Start new application;C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2001.10-0\MpCmdRun.exe;allowed;User rule: block C:\ProgramData executables;

which I allowed to run. Appears this also was a registry modification. Note that I monitor C:\ProgramData\* program startup activity via Eset HIPS. "My gut is telling me" this MpCmdRun registry activity is the key to getting this straightened out. After this ran, WSC now is back to correct status with Eset real-time protection on and WD off.
