Windows 10 not turning off Defender even though Emsi installed and active

[PoorlyPCNigel]

Two screen shots attached. This is on a customer system and I have the same behaviour on another machine too.

Both are Windows 10 Pro x64 running 1909.

[SeriousHoax]

I can confirm I faced this bug too.

[GT500]

Let me know if the following helps:

1. Open Emsisoft Anti-Malware.
2. Click on Settings.
3. Select Advanced from the menu at the top.
4. Disable Windows Security Center integration.
5. Wait a few seconds, and then turn Windows Security Center integration back on.
6. Restart your computer by right-clicking on the Start button, going to Shut down or sign out, and selecting Restart to bypass Fast Startup.

[PoorlyPCNigel]

Situation the same after completing these steps, unfortunately.

[GT500]

I just tested this on Windows 10 x64 Pro 1909, and everything appears normal. Is the Windows Security Center showing Emsisoft Anti-Malware under Security Providers like in my second screenshot below?

 

 

[jedsiem]

The question is, if everybody has the "periodic scanning of Windows Defender" set to off.

The screenshot of @PoorlyPCNigel seems to lack EMSI as a registered security provider.

Looks more like a issue with Windows 10 than EMSI. It 's no seldom that an windows update which reacticates Windows Defender.

Or Microsoft Defender, as Microsoft is bundling more and more security features.

To completely deactivate Microsoft Defender manually is theses days not that easy.

 

 

[PoorlyPCNigel]

On 2/29/2020 at 8:31 AM, GT500 said:

I just tested this on Windows 10 x64 Pro 1909, and everything appears normal. Is the Windows Security Center showing Emsisoft Anti-Malware under Security Providers like in my second screenshot below?

Well spotted - Emsisoft isn't even reported as a security provider even though it is installed and active.

[GT500]

On 2/29/2020 at 6:36 AM, jedsiem said:

To completely deactivate Microsoft Defender manually is theses days not that easy.

It's actually easier than you might think. Windows Defender has an option to prevent tampering with its settings. Turn that option off, then use a third-party tool such as ShutUp10 to disable Windows Defender, and then restart the computer.

Note that it will probably get turned back on when you install the next "Feature Update" (2004 if I remember right).

 

22 hours ago, PoorlyPCNigel said:

Well spotted - Emsisoft isn't even reported as a security provider even though it is installed and active.

The option Windows Security Center integration in Emsisoft Anti-Malware's "Advanced" settings controls whether or not Emsisoft Anti-Malware is registered with the Security Center. If toggling that option off and back on doesn't help, then try turning it off, restarting Windows, and then turning it on again.

[PoorlyPCNigel]

1 hour ago, GT500 said:

The option Windows Security Center integration in Emsisoft Anti-Malware's "Advanced" settings controls whether or not Emsisoft Anti-Malware is registered with the Security Center. If toggling that option off and back on doesn't help, then try turning it off, restarting Windows, and then turning it on again.

No joy, I'm afraid. Completed these steps ( adding an extra restart at the very end ) and still Windows doesn't see Emsisoft as a security provider.

[GT500]

23 hours ago, PoorlyPCNigel said:

No joy, I'm afraid. Completed these steps ( adding an extra restart at the very end ) and still Windows doesn't see Emsisoft as a security provider.

Let's try getting a log from FRST, and see if it shows the cause of the issue. You can find instructions for downloading and running FRST at the following link:
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: When FRST checks the Windows Firewall settings, Emsisoft Anti-Malware's Behavior Blocker will quarantine it automatically. This can be avoided by clicking "Wait, I think this is safe" in the notification that is displayed while FRST is scanning.

[PoorlyPCNigel]

I am preparing the FRST output files but not sure of the content and whether I should be posting them in a public forum.

Can I get them to you in another more secure way ?

[GT500]

This section of the forum is supposed to only allow authorized personnel to download attachments (with the exception of pictures which are always allowed for download). If you would prefer to further restrict who has access to the logs, then you can send them to me in a private message.

[PoorlyPCNigel]

OK cool - the log files are attached.

Addition.txt FRST.txt

[GT500]

22 hours ago, PoorlyPCNigel said:

OK cool - the log files are attached.

Emsisoft Business Security is registered with the security center and monitored from what FRST is showing in your log.

You can try the automated fix from Microsoft at the following link, however I don't expect it will work (it sounds like it just turns security features on rather that actually diagnosing and fixing problems with those features):
https://support.microsoft.com/en-us/help/17601/automatically-fix-windows-security-issues

Another possibility is to script removal of Emsisoft Business Security's in FRST, restart the computer, and then toggle Windows Security Center integration off and back on in Emsisoft Business Security to re-register it with the Security Center. I believe this has a better chance of working, and after a quick test it doesn't appear to have any negative side effects, so if you'd like to try it then follow the instructions below.

Please download the following fixlist.txt file and save it to the Desktop (note that fixlist.txt needs to be custom made for each computer it needs to be run on):

https://www.gt500.org/emsisoft/fixlist/2020-03March-06/PoorlyPCNigel/fixlist.txt

NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.

1. Run the FRST download from earlier, and press the Fix button just once and wait.
2. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
3. When finished FRST will generate a log on the Desktop (Fixlog). You can ignore this for now.
4. Open Emsisoft Business Security.
5. Click on Settings.
6. Select Advanced from the menu at the top.
7. Turn off Windows Security Center integration.
8. After a few seconds, turn the Windows Security Center integration back on.
   

Note that Windows Defender may need a few minutes to refresh its information after restarting your computer, so the changes may not be reflected right away.

[PoorlyPCNigel]

Thanks for that. I'll work through those steps on Monday and report back.

[PoorlyPCNigel]

Happy to report that FRST + the fixlist.txt you supplied have resolved this issue.

I can use this elsewhere ( once I have generated a fresh fixlist.txt ) and fix this without needing to reinstall Emsisoft. Excellent and many thanks !

 

 

[GT500]

19 hours ago, PoorlyPCNigel said:

Happy to report that FRST + the fixlist.txt you supplied have resolved this issue.

Awesome. I'm very glad to hear that. 👍

 

19 hours ago, PoorlyPCNigel said:

I can use this elsewhere ( once I have generated a fresh fixlist.txt ) and fix this without needing to reinstall Emsisoft.

That's quite true. FRST's scripting system is very simple, and is usually just "copy the line you want removed from the log and paste it into the fixlist.txt file". If you want to see what else if can do, most functions are documented here. Note that the website with the documentation should also have free training in malware removal and using tools like FRST (as does BleepingComputer, Tech Support Forum, and a few other free malware removal help forums).

[jedsiem]

I have this issue on one system (Win 10 64x 19.09) after removing and reinstalling EMSI. The integration into the windows security system is missing. Unchecking the option inside EMSI is not bringing any change. The unchecking does not stick. Looks to me like the option is not triggering anything. Normally when deactivating the option "Windows Security Center integration" , there is a small lag when Win10 is recognizing the command to change the registration. That lag is not there, looks like checking/unchecking has no impact.

Is there a best practice? Hints for registry keys to check?

Have a nice week.

[GT500]

4 hours ago, jedsiem said:

Is there a best practice? Hints for registry keys to check?

Can you try running the following PowerShell command, and paste the output into a reply (you can send it in a private message if there's anything confidential in the output)?

Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct

The command doesn't require admin rights on Windows 10.

[jedsiem]

Thanks for the PowerShell command.  The Emsisoft Anti-Malware registry entry should not be there.

Quote

PS C:\WINDOWS\system32> Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct

displayName              : Emsisoft Anti-Malware
instanceGuid             : {67773CDD-EA83-AD98-A2ED-386463EB3B0D}
pathToSignedProductExe   : C:\Program Files\Emsisoft Anti-Malware\a2start.exe
pathToSignedReportingExe : C:\Program Files\Emsisoft Anti-Malware\a2service.exe.old
productState             : 266240
PSComputerName           :

displayName              : Emsisoft Business Security
instanceGuid             : {5FD8BF8F-F242-6153-61B5-8FF333E8736B}
pathToSignedProductExe   : C:\Program Files (x86)\Emsisoft Anti-Malware\a2start.exe
pathToSignedReportingExe : C:\Program Files (x86)\Emsisoft Anti-Malware\eppwsc.exe
productState             : 266240
PSComputerName           :

displayName              : Windows Defender
instanceGuid             : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe   : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState             : 397568
PSComputerName           :

 

 

[GT500]

Disable Security Center Integration in Emsisoft Anti-Malware (in Advanced settings), run the following command in an elevated (running as admin) Command Prompt, restart the computer, and then re-enable Security Center Integration:

WMIC /NODE:localhost /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct WHERE "displayName like 'Emsisoft%'" DELETE

[jedsiem]

Thanks for the script. It removed both entries of EMSI.

PS C:\WINDOWS\system32> Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct


displayName              : Windows Defender
instanceGuid             : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe   : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState             : 397568
PSComputerName           :



PS C:\WINDOWS\system32>

The windows security center integration was already activated in EMSI (even though I deactivated it before booting).

I sense a different kind of root cause here. When trying to switch the update branch or trying to deactivate the "autoupdate" option, the change is not accepted.
The change was reverted instantly back. So it feels like EMSI isn't able to keep the change.

Any idea beside deinstalling and reinstalling?

 

[GT500]

7 hours ago, jedsiem said:

I sense a different kind of root cause here. When trying to switch the update branch or trying to deactivate the "autoupdate" option, the change is not accepted.
The change was reverted instantly back. So it feels like EMSI isn't able to keep the change.

Any idea beside deinstalling and reinstalling?

Do you manage EAM via our Cloud Console (my.emsisoft.com)? If yes, then did you make the changes to settings in your workspace settings, or locally on the effected machine?

[jedsiem]

 

14 hours ago, GT500 said:

Do you manage EAM via our Cloud Console (my.emsisoft.com)? If yes, then did you make the changes to settings in your workspace settings, or locally on the effected machine?

Correct, your hint to change the settings via the console worked. Thanks. I will have to investigate, why I wasn't able to override the settings as a local user. Usually the setting was to allow the local user to change such things. There was no enforcement.  But that's a different topic.  The issue around the Windows Security Center recognition is solved. Thanks and have  a nice weekend.

 

 

[GT500]

9 hours ago, jedsiem said:

 

Correct, your hint to change the settings via the console worked. Thanks. I will have to investigate, why I wasn't able to override the settings as a local user. Usually the setting was to allow the local user to change such things. There was no enforcement.

I'll ask QA if there are any known issues in regards to changing settings locally.

[GT500]

16 hours ago, GT500 said:

I'll ask QA if there are any known issues in regards to changing settings locally.

They'd like to know your workspace name, and the name of the workstation this happened on. You can send the info in a private message if it's confidential.

[jedsiem]

Turns out that the behavior is intended. Perhaps I had a testsystem, where the connection to the Enterprise console was temporary working.
I have the chance to check other clients. The clients are not in a workspace, but connected to the OnPremise-Console. That runs fine, cause no newer options are needed.

[GT500]

Note that we've discontinued support for our locally hosted Enterprise Console, and only the Cloud Console will be supported from now on.

[jedsiem]

3 hours ago, GT500 said:

Note that we've discontinued support for our locally hosted Enterprise Console, and only the Cloud Console will be supported from now on.

Thanks, I was aware of the EOL of the Console. Looks like the February Update removed the connection service for EEC on the clientside too. I will now have to look for a GDPR compatible solution. The last time I checked the contract relevant parts where missing.

[GT500]

19 hours ago, jedsiem said:

Looks like the February Update removed the connection service for EEC on the clientside too.

Correct, QA has told me that support for connects to EEC were removed in version 2020.2.

 

19 hours ago, jedsiem said:

I will now have to look for a GDPR compatible solution. The last time I checked the contract relevant parts where missing.

Emsisoft operates servers in Europe, and is required to follow GDPR regulations. I assume the issue is whether or not you will be able to maintain GDPR compliance while using a cloud-based remote management system?

[Davlat Aminov]

Hello jedsiem, Yes, we data collection and processing is regulated under the GDPR and we are doing our best effort to maintain GDPR compliance. You can see our pricy policy here: https://www.emsisoft.com/en/company/privacy/  

[Charles Stevens]

I can confirm this bug is happening on Windows Server 2019 DC Edition as well. I disabled the windows defender and the system performance came back. Out of 100 servers installed on it only happened on 2, it is also not listed in the AV Center.

[GT500]

4 hours ago, Charles Stevens said:

I can confirm this bug is happening on Windows Server 2019 DC Edition as well. I disabled the windows defender and the system performance came back. Out of 100 servers installed on it only happened on 2, it is also not listed in the AV Center.

If you check the Advanced settings in EAM on the effected systems, and look for an option labeled "Windows Security Center integration" is it turned on or off?

You can also check in our cloud console in the workstation's settings if it is part of your workspace.