After Win Updates KB5025221 or KB5026361 Problems with Endpoint Antivirus / Policies not working

[MauriceModV 2]

Hi,

we encounter different issues after installing KB5025221 or KB5026361 on a few machines with Eset Endpoint Antivirus.

1) You can't open attachments in Outlook from external domains
2) You can't copy folders with files on fileshares

While testing different things I saw, that on these machines one or all policies don't work. First of all you shoudn't be able to open the eset configuraton without password and different settings aren't set correctly, while some other settings are still ok.

At the moment the only way to resolve the problems is to remove Eset or remove the Win Updates. I've tried to reinstall Eset, do repairs like sfc and so on but no luck yet.

Any chance to force a repair or load the correct policies on these machines? Any idea?

Greetings
Maurice

[Marcos 4,718]

Couldn't it be that Defender (msmpeng.exe) is running? Please provide logs collected with ESET Log Collector.

[itman 1,543]

45 minutes ago, MauriceModV said:

we encounter different issues after installing KB5025221 or KB502636

Search the web on reported issues with either update. There are numerous issues with both updates.

[MauriceModV 2]

Some Addition: I'm not 100% sure if its related to policy... and in some rare moments the attachment of the mail opens if you wait for a few minutes or a few files are still copied on the file share. In the other cases Outlook stops responding and the file transfer window keeps at 0kb transfered.

Windows Defender is not running.

I have the logs, but no support case open atm, so where to send the log files?

[MauriceModV 2]

10 minutes ago, itman said:

Search the web on reported issues with either update. There are numerous issues with both updates.

I Know, but i haven't found other people having issues with folder/file copy or with eset antivirus.

It is either Win or Eset.

To be clear, we still have more maschines without any problem.

[LesRMed 17]

2 hours ago, MauriceModV said:

I have the logs, but no support case open atm, so where to send the log files?

You can upload the logs here. Only ESET staff can access them.

[MauriceModV 2]

Ok, so here is are the log files. eea_logs.zip

[Marcos 4,718]

Most likely it's a known issue caused by KB5025221 which is described here:

https://support.microsoft.com/en-us/topic/april-11-2023-kb5025221-os-builds-19042-2846-19044-2846-and-19045-2846-b00c3356-baac-4a41-8342-7f97ec83445a

Only 32-bit applications compiled with the   LARGEADDRESSAWARE linker switch should be affected. According to the KB the issue should concern only business users using 32-bit Office. 64-bit version is not affected.

[MauriceModV 2]

Sorry, that is not helping, everything is on 64bit.

[LesRMed 17]

You might want to verify that 64 bit Office is installed. From what I've seen, 32 bit is the default version that's installed unless you specify 64 bit. You can verify it by opening up an Office product, say Word, click on File-->Account and then click About Word (or Excel or whatever you opened). The top line will show if you're running 32 or 64 bit.

[MauriceModV 2]

Everything is on 64bit, I double checked it.

[itman 1,543]

On 5/24/2023 at 10:09 AM, MauriceModV said:

You can't copy folders with files on fileshares

If the source app for the copy activities was 32 bit, it would be affected by this Win Update issue;

Quote

Microsoft says some 32-bit applications are impacted by recurring failures when saving and copying files across multiple Windows versions (especially when copying to network shares).

The intermittent issue only affects apps that are large address aware and are also using the CopyFile API on Windows 11 21H2 and 22H2 (after installing KB5023774 or later issued updates) or Windows 10 21H2 and 22H2 (after installing KB5023773 or newer updates).

"Windows devices are more likely to be affected by this issue when using some commercial/enterprise security software which uses extended file attributes," Microsoft said.

According to Redmond, there have been no reports of File Explorer's file copying functionality being affected; however, the CopyFile API used within specific applications may be impacted.

Microsoft Office apps like Word and Excel are susceptible to this problem only when utilizing 32-bit versions, with impacted users potentially receiving "Document not saved" error messages.

This known issue is unlikely to be encountered by consumers using Windows devices in personal or non-managed commercial settings.

https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-issue-causes-file-copying-saving-failures/

Edited May 25 by itman

[MauriceModV 2]

16 hours ago, itman said:

If the source app for the copy activities was 32 bit, it would be affected by this Win Update issue;

We are talking about basic windows explorer on Win10 64bit - copy & paste a folder with files in it. Or in the other case Office 365 in 64bit and opening an attached pdf from external domains, mails from the own domain have no issues.
It works either without Eset Antivirus or one of the Win Updates installed. There is no doubt Eset has some interaction with these Updates in our environment.

Meanwhile I have done a clean new installation on one of the PCs with these issue. Everything worked fine until I've installed Eset. 🤔🙁
On the Images you can see there is not much stuff installed and the WinUpdates aren't listed under updates, I think they are part of the installation, the image was downloaded yesterday.

[itman 1,543]

6 hours ago, MauriceModV said:

We are talking about basic windows explorer on Win10 64bit - copy & paste a folder with files in it.

Per Microsoft;

Quote

According to Redmond, there have been no reports of File Explorer's file copying functionality being affected

As such, we can assume the issue is related to Eset. However, you are the only one to date that has reported the problem.

Have you opened an Eset support request on the issue?

[itman 1,543]

Here's the latest on this issue:

Quote

Microsoft has already fixed the issue on Windows 10 and Windows 11 21H2 via Known Issue Rollback (KIR), a Windows capability designed to revert buggy non-security fixes pushed through Windows Update.

Windows admins must install and configure a KIR Group Policy on all affected enterprise-managed devices to resolve these file transfer and saving problems.

You can download the Group Policies by clicking the links below:

• KB5023774 Known Issue Rollback — Windows 11, version 21H2
• KB5023773 Known Issue Rollback — Windows 10 21H2/22H2

After installing, the Group Policy can be found under Computer Configuration -> Administrative Templates. To deploy the Known Issue Rollback, you must go to the Local Computer Policy or the Domain policy on your domain controller using the Group Policy Editor to choose the Windows version you want to target.

You can find more information on deploying and configuring KIR Group Policies on Microsoft's support website.

https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-10-known-issue-rollback-auto-fixes-update-bugs/

Edited May 26 by itman

[admMaciej 2]

Hi,

a similar problem with copying folders and files appeared in our company.
The solution turned out to be that Windows Defender was enabled even though ESET was installed. Disabling Windows Defender in the registry solved the mentioned problem.

[MauriceModV 2]

Sorry for the late reply, had to verify on more than 1 PC.

At first, yes it was the active Defender! (in conjunction with the security update and Eset)
Typically ESET deactivates the Defender on installation and everything is fine, I don't know why and I can't tell atm for sure which case is correct:
- Defender was still running on these few PCs, never had a Problem until the Security Update changed something
- Defender was not runnung but the Security Update activates it for whatever reason, bug, ...

I'm not done fixing all PCs, maybe there is one PC left to find out which case is correct.

Thanks to all!

[Marcos 4,718]

30 minutes ago, MauriceModV said:

At first, yes it was the active Defender! (in conjunction with the security update and Eset)
Typically ESET deactivates the Defender on installation and everything is fine, I don't know why and I can't tell atm for sure which case is correct:

To put this right, ESET doesn't deactivate Defender. It's Windows itself that deactivates / reactivates Defender when a 3rd party AV registers / unregisters from the Windows Security Center.

[MauriceModV 2]

Yeah sorry, wrong terminology, I should have wrote: Defender gets deactivated on Eset installation.

[itman 1,543]

7 hours ago, MauriceModV said:

-Defender was still running on these few PCs, never had a Problem until the Security Update changed something
- Defender was not runnung but the Security Update activates it for whatever reason, bug, ...

This is a strange one in that this issue hasn't been reported by anyone using Eset consumer product versions. That is;

On 5/24/2023 at 10:09 AM, MauriceModV said:

1) You can't open attachments in Outlook from external domains
2) You can't copy folders with files on fileshares

On the other hand, the above activity is not typical for Win non-commercial users.

In any case, permanently disabling Microsoft Defender is not the solution here. In a normal third party AV solution installation, MD functions as the backup AV solution in the event the third party AV solution malfunctions; is disabled or uninstalled by malware, etc.. When any of the previous occur, MD will auto enable as the active real-time AV solution. The only time MD should be running concurrently in "active" mode with a third party AV solution in Win 10 is if the solution is not deploying a legit Win 10 ELAM driver.

Win 11 appears to be a different story in that Microsoft will in cases auto load the MD engine at system startup time in "passive" mode. That is the third party AV solution is the active real-time solution.

Edited May 31 by itman