Antimalware Scan Interface (AMSI) integration has failed (Endpoint 11.0.2032.0)

[Carl Seiler 0]

After recently upgrading to 11.0.2032.0, one endpoint device on Windows 10 Pro 22h2 is reporting the message above in the ERA.

This is similar to the thread here:

Have repeatedly rebooted, including using shutdown -r -t 0

This is the only device with the issue currently.

[Marcos 5,079]

Unfortunately the root cause of the issue is unknown. I can only recommend raising a support ticket that should be escalated by your local ESET technical support to ESET HQ for investigation.

[Carl Seiler 0]

Thanks again, Marcos, for your prompt response.  I have opened a ticket.  I will wait for them to request logs and tell me the next steps.  Otherwise, if they make a suggestion that works, I will report back here what worked for us.

Cheers

[Carl Seiler 0]

OK, they suggested I toggle the AMSI setting off and back on on the endpoint device.  I wasn't able to do that, so they instructed me how to set the override mode on ERA.  I tried that, but was unable to get override mode to work.  Every time I clicked on the button, I would be told “Not authorized: The user account is not authorized to override policy settings. Log in as a different user or contact the administrator.”  I rebooted twice (even though I had rebooted many times before, and something about logging in as a local administrator on that machine seemed to wake up the AMSI even though I never got the Override policy to work and thus never got a chance to toggle the AMSI setting of and back on in the ESET GUI.

In the end, the tldr solution seemed to be to log in as local admin and reboot several times and log back in as local admin.

I realize this may not work for everyone, so the best bet is to follow Marcos' instructions and open a ticket, but if someone else runs into this issue, it is a rather non-destructive way to see if it works for you.