Copy-Paste Issue: ESET Conflict

[George Natsoulis 0]

Unfortunately, after disabling MD using the script and restarting the computer, the issue still persists. I have not received any response from the support team yet.

I hope to receive a response soon.

[itman 1,667]

What are you using to copy files? Win Explorer or are you running a script or something?

[George Natsoulis 0]

I am copying using Windows Explorer, but I also tried Terracopy without success.

[itman 1,667]

As a test, try this;

Quote

To copy files or folders faster, you can use the Ctrl + C keys to copy files and then press Ctrl + V keys to paste them to another location.

 

[George Natsoulis 0]

This is the usual method I use to copy a file, but just to anticipate, I have also tried using the mouse and Ctrl+C Ctrl+V.

[Marcos 5,088]

53 minutes ago, George Natsoulis said:

I have not received any response from the support team yet.

What's your ticket ID that you were supposed to receive in a confirmation email after opening the support ticket?

[George Natsoulis 0]

I have not received an automated response from the system with the ticket ID. Additionally, I was unable to upload a file larger than 20MB. I submitted the request through the website as well as through Outlook to the address esetgr.com.

[itman 1,667]

Below are some reasons calculating time required to copy files error appearing.

Since this issue is only occurring on a single device, it is possible there is a hard drive issue. As the below excerpt notes if the problem is due to installed AV solution, the copy operation usually fails. It might be that Eset real-time file scanning occurring first, just causes the issues to manifest first.

Quote

Possible Causes for Calculating the Time Required to Copy the Files

After analyzing user reports and technical references in detail, we concluded a list of possible reasons for this error. The calculating time required to copy files error can occur due to the following reasons:

• Corrupted storage device. It is the main reason for copying files stuck at calculating. If your internal hard drive/external media gets corrupted or damaged, then the calculating process of files will take much more time than needed. For the upcoming storage failure, we recommend you make a backup as soon as possible.
• MTP mode. According to user reports, the calculating time required to copy files error appears when copying mass files from an external drive to the local drive via an MTP USB Since the MTP mode is super slow, it will slow down the transferring process.
• Third-party anti-virus software. If your antivirus blocks the Windows system from accessing some files, then the copying process might fail and throw the error.

 

https://www.partitionwizard.com/partitionmanager/calculating-the-time-required-to-copy-the-files.html

Edited July 14, 2023 by itman

[Marcos 5,088]

Please supply me with a log requested by Microsoft and created as follows:

 1. Download latest Preview version from: https://aka.ms/Betamdeanalyzer / https://aka.ms/mdatpanalyzer
 2. Place the analyzer in local folder such as C:\MDE
 3. Extract contents to "C:\MDE\MDEClientAnalyzerPreview"
 4. From an elevated CMD prompt, run: "C:\MDE\MDEClientAnalyzerPreview\MDEClientAnalyzer.cmd -i "
 5. Run the analyzer for 3 mins when asked.
 6. When completed, please upload the file at "C:\MDE\MDEClientAnalyzerPreview\MDEClientAnalyzerResult.zip".

[itman 1,667]

3 hours ago, Marcos said:

1. Download latest Preview version from: https://aka.ms/Betamdeanalyzer / https://aka.ms/mdatpanalyzer

Since this tool's purpose is to analyze Microsoft Defender Endpoint issues, should not MD be enabled again?

-EDIT- Also of note if PSExec or child processes from wmiprvse.exe are being blocked;

Quote

• For Windows devices, if you are running the analyzer directly on specific machines and not remotely via Live Response, then SysInternals PsExec.exe should be allowed (at least temporarily) to run. The analyzer calls into PsExec.exe tool to run cloud connectivity checks as Local System and emulate the behavior of the SENSE service.

Note

On Windows devices, if you use Attack Surface Reduction (ASR) rule Block process creations originating from PSExec and WMI commands, then may want to temporarily disable the rule or configure an exclusion to the ASR rule to allow the analyzer to run connectivity checks to cloud as expected.

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-client-analyzer?view=o365-worldwide

Edited July 14, 2023 by itman

[George Natsoulis 0]

Thank you very much, everyone, for your efforts to assist me. I greatly appreciate it.

Before reaching out to you here for my issue, I did quite a bit of research on the internet. I came across a relevant article and other similar ones that highlighted the problem, particularly related to disk issues (especially when transferring files from a mobile phone to a computer). For this reason, I ran a disk check on both local drives of my computer and also performed an sfc /scannow in case there was an issue with any operating system files.

Both checks did not find any problems. Therefore, I focused on the antivirus and discovered that the issue stops when I disable the real-time scanning of ESET.

@Marcos, I'm not sure if what you asked me to do will be useful since MD is currently inactive. However, if you believe it will help us draw a conclusion, I will gladly do it.

Unfortunately (or fortunately), I won't be at the office over the weekend, so I will be able to check again from Monday onwards. If I manage to work remotely during the weekend, I will provide an update.

Once again, thank you very much for your time and your efforts to assist me.

[Marcos 5,088]

According to the logs you've provided recently, Defender was running:

Description, Path, Start, State, Status, File Description, Company
Microsoft Defender Antivirus Service, c:\programdata\microsoft\windows defender\platform\4.18.23050.5-0\msmpeng.exe, Automatic, Running, , Antimalware Service Executable, Microsoft Corporation

If you have managed to stop it and the issue still occurs, please generate a complete memory dump as per https://support.eset.com/en/kb380. MDEClientAnalyzerPreview won't be needed if Defender is not really running and the dump should reveal what's going on there.

[itman 1,667]

Appears this isn't an isolated incident. Same issue here: https://forum.eset.com/topic/36497-after-win-updates-kb5025221-or-kb5026361-problems-with-endpoint-antivirus-policies-not-working/?do=findComment&comment=168658 .

The common factor is the issue only manifests on Eset Endpoint installations; not on Eset consumer installations.

[itman 1,667]

On 7/12/2023 at 6:04 AM, George Natsoulis said:

There is no "Microsoft Defender Antivirus" on Local Group Policy Editor, instead, there is a Windows Security > Virus and threat protection which is not configured as you can see in the below image.

I am starting to believe this is the source of the issue; the Microsoft Defender Antivirus section missing from Group Policy.

Open an admin command prompt window and run;

DISM /Online /Cleanup-Image /RestoreHealth

Hopefully, this will restore the Microsoft Defender Antivirus entry in Group Policy.

[George Natsoulis 0]

Due to my own mistake, instead of searching for Microsoft Defender in the Group Policy Editor, I was searching for Windows Defender. Upon taking a second look, I found it, and indeed, it was set as "Not configured." I changed it to "Enabled" to see if it would make a difference, but unfortunately, nothing changed. Will I need to restart first for it to take effect?
Additionally, I wanted to mention that after the previous attempt with the script, I re-enabled MD using the second script available on GitHub, which activates MD again.

Edited July 14, 2023 by George Natsoulis

[itman 1,667]

On 7/12/2023 at 5:11 AM, Marcos said:

Please check if you have the "Turn off Microsoft Defender Antivirus" policy set to Not configured (Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus).

It must not be set to "Disabled".

No. MD in Group Policy must be set to Not Configured as @Marcos indicated previously. Do that and reboot the PC. 

Re-test to determine if the move-copy still exists. If the issue still exists, proceed as @Marcos instructed here: https://forum.eset.com/topic/36914-copy-paste-issue-eset-conflict/?do=findComment&comment=169135 to run MDE Client Analyzer Preview.

Edited July 14, 2023 by itman

[itman 1,667]

An additional comment here.

Forum postings about file copy issues when using Eset Endpoint track back to a May Windows Update. It was "supposedly" fixed in the June Windows Update;

Quote

Microsoft has addressed a known issue causing intermittent failures when saving and copying files on Windows 11 22H2 devices (especially when working with network shares).

This recurring issue only impacts Windows apps that are using the CopyFile API and are also large address aware, according to Redmond.

Microsoft says Windows devices are at a higher risk of being affected by this particular issue when using specific commercial or enterprise security software that utilizes extended file attributes.

No instances have been reported regarding file copying functionality impact within File Explorer; however, specific applications utilizing the CopyFile API may encounter issues.

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-11-issue-causing-copying-saving-failures/

My suspicion is the May Windows Update somehow "hosed" Eset Endpoint processing in regards to Win move-copy activities. Rather than continued diagnostic related activity for Eset to identify the problem, I would try this;

 Verify the following June Win Update has been installed. If not, install it;

Quote

Microsoft has addressed this issue with the KB5027231 Windows 11 cumulative update released today as part of this month's Patch Tuesday.

After the Win Update was installed, test if the previous move-copy file problems still exist. If problems still exist or if the Update was previously installed, proceed as follows;

1. Export your Eset settings if you have made changes from Eset default settings.

2. Uninstall Eset Endpoint.

3. Reboot the PC and verify that Microsoft Defender is registered as the active AV solution in Microsoft Security Center.

3. Reinstall Eset and Import Eset settings if previously Exported.

4. Verify that Eset Endpoint is now registered as the active AV solution in Microsoft Security Center.

Now test if the previous move-copy file problems still exist.

Edited July 15, 2023 by itman

[George Natsoulis 0]

Unfortunately, the Windows Update cannot be installed on our computer, as evident from the image below.

 

I followed your instructions and uninstalled the ESET Endpoint from the computer. The MD was successfully registered in the Microsoft Security Center. During that time, the copy-paste function was working normally. However, when I reinstalled the ESET Endpoint, the issue reappeared. Disabling the Media to scan (Local drives & Network drives) allows the file copying to function properly.

I believe I have encountered an impasse, and the only option at this point is to await the release of a Windows or ESET Endpoint update.

[George Natsoulis 0]

I would also like to mention that I am unable to contact support as my emails are being bounced back with the message "550-5.7.26 Unauthenticated email from mydomain.com is not accepted due to 550-5.7.26 domain's DMARC policy." Due to this issue, I had to send the email from Outlook instead of using the website's contact form. However, I have not received any response or even a delivery confirmation yet.

[Marcos 5,088]

I've tried to look up events / operations related to your forum email address gXXXXXXXXXs@aXXXXXXn.com but there weren't any in the last 30 days, ie. it looks like this email address was not used when creating a support ticket via https://go.eset.com/contact-support/.

Please install ESET Endpoint, reproduce the issue and generate a complete memory dump as per the instructions at https://support.eset.com/en/kb380. Based on the results of dump analysis, we  will ask for MDEClientAnalyzerPreview  if the dump shows that Defender is running.

[itman 1,667]

1 hour ago, George Natsoulis said:

Unfortunately, the Windows Update cannot be installed on our computer, as evident from the image below.

KB5027231 applies to Win 11 22H2 ver. which I assumed you had installed.

[George Natsoulis 0]

C:\Windows\System32>systeminfo

Host Name:                 ComputerName
OS Name:                   Microsoft Windows 11 Pro
OS Version:                10.0.22621 N/A Build 22621
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Workstation
OS Build Type:             Multiprocessor Free

Yes, it is Windows 11 Pro 22H2. I couldn't find a reason why it can't receive this update either.

@Marcos  with the link you mentioned in your previous message, I managed to complete the request, and I received a delivery confirmation email. I haven't received a support ticket ID yet, but I believe they have received it and will be able to open it shortly.

[itman 1,667]

11 minutes ago, George Natsoulis said:

Yes, it is Windows 11 Pro 22H2. I couldn't find a reason why it can't receive this update either.

Did you check Win Update history to see if its already installed?

[George Natsoulis 0]

11 minutes ago, itman said:

Did you check Win Update history to see if its already installed?

Yes, there wasn't an update with this KB number.

Edited July 17, 2023 by George Natsoulis

[George Natsoulis 0]

18 hours ago, Marcos said:

I've tried to look up events / operations related to your forum email address gXXXXXXXXXs@aXXXXXXn.com but there weren't any in the last 30 days, ie. it looks like this email address was not used when creating a support ticket via https://go.eset.com/contact-support/.

Please install ESET Endpoint, reproduce the issue and generate a complete memory dump as per the instructions at https://support.eset.com/en/kb380. Based on the results of dump analysis, we  will ask for MDEClientAnalyzerPreview  if the dump shows that Defender is running.

I have the memory dump file, but it is enormous in size, and I don't think this is normal. The file is approximately 84GB; when I compressed it, it became around 3GB.

Could you please advise me on how to send it?