
Copy-Paste Issue: ESET Conflict



Dear community,

I am experiencing an issue with copy-paste on a computer running Windows 11 Pro and ESET Endpoint Antivirus 10.0.2045.0. The copy process starts and stops for a significant amount of time at "Calculating Time Remaining." After extensive research, I tried disabling the Real-time file system protection for local drives and network drives, which immediately resolved the problem. Currently, I have them disabled as a workaround to allow my colleague to work on the computer.

Is there a logical explanation for this behavior?

sysInspector_07-07-2023_17-25-55.zip


  • Administrators

Does it happen also if you copy files locally and not to a network drive? What type of files do you copy? (multimedia, documents, exe/dll files, data files, etc.) What's the size of the files that trigger the issue?

Disabling which of the scan-on events in the real-time protection setup makes a difference?

Please carry on as follows:

  1. Temporarily disable Protected service in the HIPS setup
  2. Reboot the machine
  3. Start logging with Procmon
  4. Reproduce the issue
  5. Stop logging
  6. Save the log unfiltered and compress it
  7. Collect logs with ESET Log Collector and upload the generated archive along with the Procmon log here.

11 minutes ago, Marcos said:

Does it happen also if you copy files locally and not to a network drive? What type of files do you copy? (multimedia, documents, exe/dll files, data files, etc.) What's the size of the files that trigger the issue?

Disabling which of the scan-on events in the real-time protection setup makes a difference?

Please carry on as follows:

  1. Temporarily disable Protected service in the HIPS setup
  2. Reboot the machine
  3. Start logging with Procmon
  4. Reproduce the issue
  5. Stop logging
  6. Save the log unfiltered and compress it
  7. Collect logs with ESET Log Collector and upload the generated archive along with the Procmon log here.

I have attempted to perform copy operations both from the network and locally, but I encountered the same problem. Typically, on this computer, large files with the .sim extension are copied, which are derivatives of the STAR-CCM application by Siemens. However, even when I tried copying small text files of a few KB, I encountered the same issue.

I will gather the logs using Procmon and will provide an update shortly.

Thank you very much for your interest and your efforts to assist me.


  • Administrators

Does it make a difference if you temporarily exclude the SIM extension from scanning in the real-time protection setup?


I will give it a try, although I'm afraid it won't make a difference, as I mentioned before, I encounter the same issue even when attempting to copy a small text file.

Due to the ongoing tasks on the computer that I cannot interrupt at the moment, I will provide the logs tomorrow. Thank you once again.


Hello,

I followed the procedure you suggested and collected the required logs. I reproduced the issue by copying a small text file.

I have attached the logs and I am looking forward to receiving further information on how to address my problem.

Logfile.zip eea_logs.zip


  • Administrators

It appears that Windows Defender is running: "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.5-0\MsMpEng.exe".

Is ESET registered in the Security Center as an AV provider?


It was querying file information about the file in the network share prior to ESET scanning it:

MsMpEng.exe    QueryStandardInformationFile    \\XXXXXXXXXXXX\IT Repository\crystaldiskinfo_portable.txt    SUCCESS    AllocationSize: 64, EndOfFile: 64, NumberOfLinks: 1, DeletePending: False, Directory: False    Microsoft Corporation    Antimalware Service Executable

 

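The two checks raised in the post above (is ESET registered in Security Center as an AV provider, and is the Defender engine running alongside it) can be read from PowerShell. This is an added example, not code from any poster in the thread or from ESET; the `productState` decoding follows the commonly used layout, which Microsoft does not officially document, and the function name `Convert-ProductState` is made up for this example.

```powershell
# Added example: read-only checks, nothing is changed on the machine.
# Assumption: productState is read as 0xPPSSUU, where SS is the scanner
# state (10/11 = on) and UU the signature state (00 = up to date).

function Convert-ProductState {
    param([uint32]$State)
    $hex = '{0:X6}' -f $State
    $hex = $hex.Substring($hex.Length - 6)      # keep the low three bytes
    [pscustomobject]@{
        Raw      = "0x$hex"
        Enabled  = $hex.Substring(2, 2) -in @('10', '11')
        UpToDate = $hex.Substring(4, 2) -eq '00'
    }
}

# 1. Which products does Security Center list as AV providers?
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
    ForEach-Object {
        $s = Convert-ProductState $_.productState
        [pscustomobject]@{
            Product  = $_.displayName
            State    = $s.Raw
            Enabled  = $s.Enabled
            UpToDate = $s.UpToDate
            Exe      = $_.pathToSignedProductExe
        }
    } | Format-Table -AutoSize

# 2. Is the Defender engine process (the one seen in the Procmon log) loaded?
$engine = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue
"MsMpEng.exe running: {0}" -f [bool]$engine

# 3. In which mode does Defender itself report it is running?
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    $mp | Select-Object AMRunningMode, AMServiceEnabled, AntivirusEnabled,
        RealTimeProtectionEnabled, IsTamperProtected | Format-List
} else {
    'Get-MpComputerStatus returned nothing (Defender service not available).'
}
```

If step 1 lists ESET as enabled while step 3 still reports `RealTimeProtectionEnabled` as True, both engines are scanning on access at the same time, which is the condition suspected in this thread.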

  • Administrators

I've noticed that you have HIPS disabled which deteriorates protection capabilities quite a lot. Is that because the issue goes away after disabling HIPS? Note that after re-enabling HIPS the machine will need to be restarted for the change to take effect.

Also I'd recommend enabling the LiveGrid Feedback system for maximum protection.


On 7/10/2023 at 3:03 PM, Marcos said:

Does it happen also if you copy files locally and not to a network drive? What type of files do you copy? (multimedia, documents, exe/dll files, data files, etc.) What's the size of the files that trigger the issue?

Disabling which of the scan-on events in the real-time protection setup makes a difference?

Please carry on as follows:

  1. Temporarily disable Protected service in the HIPS setup
  2. Reboot the machine
  3. Start logging with Procmon
  4. Reproduce the issue
  5. Stop logging
  6. Save the log unfiltered and compress it
  7. Collect logs with ESET Log Collector and upload the generated archive along with the Procmon log here.

I have disabled HIPS after your instructions to take the logs from Procmon. After that, I enabled the HIPS again and restarted the machine normally.
Thank you for your suggestion to enable LiveGrid.


  • Administrators

Please check if you have the "Turn off Microsoft Defender Antivirus" policy set to Not configured (Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus).

It must not be set to "Disabled".

If that's not the case, please raise a support ticket. A technical support representative will instruct you how to proceed and provide a log from a Microsoft tool MDEClientAnalyzer which we need to supply to Microsoft for perusal.


There is no "Microsoft Defender Antivirus" on Local Group Policy Editor, instead, there is a Windows Security > Virus and threat protection which is not configured as you can see in the below image.

 

Should I have to raise a support ticket? Can you help me with the procedures because I have never done this before?


  • Administrators

Strange, I have it there. The machine is not connected to a domain.


To create a support ticket, use the built-in option:


On 7/10/2023 at 6:32 AM, George Natsoulis said:

I am experiencing an issue with copy-paste on a computer running Windows 11 Pro

There have been reports that Microsoft Defender's real-time engine will load at system startup and run concurrently with an installed third party AV solution on Win 11. This occurs regardless of whether the AV is using a Microsoft cert, signed ELAM driver. Forum member @SeriousHoax posted previously this is the case on his Win 11 installation. MD and Eset are both loaded and running.


According to this article: https://www.makeuseof.com/permanently-disable-microsoft-defender-windows-11/ , MD's Tamper Protection must be disabled prior to disabling MD via Group Policy, registry modification, or command line options.


Thank you @itman, I will try to disable the Tamper Protection prior to disabling the MD and I will let you know the results. I have already raised a support ticket so I am waiting for their reply too.
As I have explained earlier, I do not have the "Microsoft Defender Antivirus" option in the Group Policy Editor, so I guess I have to disable it through Regedit.
In any case, I will post here the outcome of all of my actions soon.


Another article also states that in Win 11, MD can only be permanently disabled by booting to Safe mode and changing applicable registry keys there.

Refer to this section "How to Disable Microsoft Defender Antivirus in Windows 11 Permanently?" in this article: https://woshub.com/disable-windows-defender-antivirus/ . Additionally, MD scheduled tasks also need to be disabled.

Once MD has been disabled, verify that Win firewall service is running. I have seen some postings that state disabling MD can also disable the Win firewall.


An additional comment here.

It appears the only way MD Tamper Protection can be disabled in Win 11 is by accessing its setting in the Security Center MD GUI. The problem is the setting is not accessible there due to Eset being shown as the active real-time protection. This leaves the Safe mode method, as shown in the above linked woshub.com article, as the only option available.

Or, this might work. Disable Eset real-time protection. Shortly thereafter, MD should be shown as active real-time protection in Security Center. Now you can disable the Tamper Protection setting. At this point you can proceed with the simpler reg. modification from the above linked www.makeuseof article:

Quote

In the Registry Editor windows, go to the address bar and paste the following path:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender

Right-click and select New > DWORD (32-bit) Value.

Click on the newly created DWORD (32-bit) Value and name it DisableAntiSpyware.

Double-click on the DisableAntiSpyware value and set the Value Data to 1. Keep the Base as Hexadecimal.

Close the Registry Editor and restart your system to apply changes.


Disabling Microsoft Defender is not necessary. But one can also use Defender Control to do it. Has to disable Real-time and Tamper Protection first. So should be done before installing a third-party AV.

https://www.sordum.org/9480/defender-control-v2-1/

Another option is to use this script following the instruction:

https://github.com/TairikuOokami/Windows/blob/main/Microsoft Defender Disable.bat


6 minutes ago, SeriousHoax said:

https://github.com/TairikuOokami/Windows/blob/main/Microsoft Defender Disable.bat

LiveGuard went spastic when this web page was displayed. It did four submissions of scripts shown there.


25 minutes ago, itman said:

LiveGuard went spastic when this web page was displayed. It did four submissions of scripts shown there.

It's normal as it's a script to disable Defender. It's detected by many AV products similar to Defender Control.


2 hours ago, SeriousHoax said:

Disabling Microsoft Defender is not necessary.

In this instance it appears to be the only solution to the OP's issue.

First, refer to the first posting in this thread. Next is @Marcos's comment in reference to the OP's log file submissions:

Quote

It was querying file information about the file in the network share prior to ESET scanning it:

MsMpEng.exe    QueryStandardInformationFile    \\XXXXXXXXXXXX\IT Repository\crystaldiskinfo_portable.txt    SUCCESS    AllocationSize: 64, EndOfFile: 64, NumberOfLinks: 1, DeletePending: False, Directory: False    Microsoft Corporation    Antimalware Service Executable

My take on this is MD's real-time protection must be interjecting itself when network share files are involved.


My above posting got me thinking about this "workaround" possibility. It would also involve temporarily disabling Eset real-time protection to have MD's settings manifest in Security Center.

Exclude file shares from being scanned in MD's real-time protection?

