marko

WSC Integration problems with latest version

Recommended Posts

15 hours ago, Quirky said:

never install Microsoft's first W10 release of each year (around March). If you have to update, go for the second one (around September) which is more like a service pack. Way more reliable (but still buggy, make no mistake)

The quality of those feature updates tends to vary. For instance, 1803 was fairly stable, while 1809 was quite possibly Microsoft's buggiest update for Windows 10.

Share this post


Link to post
Share on other sites

Got a similar problem with the current beta. WSC again reports [EAM=off] but this time, all EAM modules are indeed turned off in the EAM UI. Seems more like a crash though, since I cannot interact with EAM. It's very sluggish and the UI responds more than a minute after I try to do anything. "Fix Now" did not work.

I'll re-enable logging.

edit: this occurred on 1909.

Share this post


Link to post
Share on other sites

Usual issue occurred 5 minutes ago, just sent few more logs. All EAM components enabled, WSC icon red, Security providers=EAM+Defender both turned off. As always, I've manually turned off Tamper Protection + Defender.

Share this post


Link to post
Share on other sites

Hello all!

I also join this topic!
Unfortunately, the new, August version did not solve the problem with the integration ...
What is curious is that I have 2 computers from Hewlett Packard.
Both - Windows 10 Pro (1909) x64.
On both, Windows Defender is disabled through the Group Policy Editor.
So - on one computer - the integration into the Windows Security Center is effective, but on the other - EAM is not integrated into any!
Windows message - action required!
That the parameters are managed by my organization (well, that's understandable why).
I followed the recommendations with disabling the integration, rebooting, enabling, restarting the computer again!
No effect! In reality, EAM is working absolutely fine, all services and components are running.
But Windows stubbornly DOES NOT SEE the antivirus!
These messages from the Security Center every time you start your computer are just annoying!
 
Of course, you can ignore this!😉
However - probably the developers need to do something? And why is there such a different reaction of the Windows Security Center on two completely identical systems with all Windows updates?

Share this post


Link to post
Share on other sites

Does the same thing happen if you re-enable Windows Defender through the Group Policy Editor and restart your machine?

Share this post


Link to post
Share on other sites
Hello!
To be honest, I haven't tried this reverse. I did not turn Windows Defender back on. Do you think this should be done?
 
p.s. This is how everything looks in the editor of group policies and on one computer, where EAM is adequately integrated into the Windows Security Center.
The screens are in Russian, but I suppose everything is clear😌

2020-08-05 23_39_13-Редактор локальной групповой политики.jpg
Download Image

2020-08-05 23_40_52-Безопасность Windows.jpg
Download Image

2020-08-05 23_41_09-Безопасность Windows.jpg
Download Image

Share this post


Link to post
Share on other sites
And this is what the Security Service looks like on another computer.
It can be seen that EAM is not integrated, Windows Defender is disabled, and a message about the management of parameters by my organization (that is, by me)
 
At the same time, the changes in the Group Policy Editor are completely identical!

2020-08-05 23_53_21-Безопасность Windows.png
Download Image

2020-08-05 23_56_26-Безопасность Windows.png
Download Image

2020-08-05 23_56_40-Параметры.png
Download Image

Share this post


Link to post
Share on other sites
9 hours ago, andrewek said:

The screens are in Russian, but I suppose everything is clear😌

Everything is clear, except the parts that are in Russian. ;)

I'm going to send you a private message with some instructions.

  • Like 1
  • Haha 2

Share this post


Link to post
Share on other sites

Hello!

Unfortunately, the problem persists for the fourth month!😌
Of course, this is not critical, but still!
I am writing here so that developers remember the problem of integration into the Windows Security Center.
Can't it be solved?🙄
After all, there was no such problem until June 2020!
  • Upvote 1

Share this post


Link to post
Share on other sites
7 hours ago, andrewek said:

Hello!

Unfortunately, the problem persists for the fourth month!😌
Of course, this is not critical, but still!
🙄

 

Yes, problem unfortunately remains and the old trick of quitting and restarting EAM doesn't seem to work consistently anymore. a2service and a2start are running, but the UI and tray icon will not appear (after quitting and restarting). Nothing happens (I've switched to stable btw).

andrewek, may I ask what is your CPU? Is it an old one? I wonder if this is somehow performance-related.

Share this post


Link to post
Share on other sites

Hello!

I don't think the integration issue is related to CPU power.
I have similar systems, Intel processors.
Desktop computer - 1 screen. There is practically no problem on it.
Laptop (screen 2) - here's the problem on it - every day ...
 
 
Indeed, manipulations with disabling the integration, rebooting and re-enabling the integration do not help much ...
I also want to say that when you enable extended logging in EAM, the problem disappears, EAM is perfectly integrated into the Windows Security Center every time the computer starts!
Disabling logging leads to another problem with integration!
That's bad luck, it's impossible to get logs with a problem ...😌

 

 

1.jpg
Download Image

2.jpg
Download Image

  • Like 1

Share this post


Link to post
Share on other sites

Yes, I've noticed a similar thing with logging. I did manage on one PC to reproduce the issue with logging enabled, but it seems to occur more often when logging is off. Can't say if it is related of course, only Emsisoft can find out. On my second PC, I did not manage to reproduce the issue with logging enabled.

Share this post


Link to post
Share on other sites
On 9/6/2020 at 12:07 AM, andrewek said:

I have similar systems, Intel processors.

FYI: There's actually a significant difference between those two processors:
https://www.cpu-monkey.com/en/compare_cpu-intel_core_i5_9500t-916-vs-intel_core_i3_7020u-1248

Of course, that doesn't mean the CPU actually has anything to do with these issues. It's more likely an issue with timing since it doesn't happen when debug logging is enabled.

 

On 9/5/2020 at 9:54 AM, Quirky said:

Yes, problem unfortunately remains and the old trick of quitting and restarting EAM doesn't seem to work consistently anymore. a2service and a2start are running, but the UI and tray icon will not appear (after quitting and restarting). Nothing happens (I've switched to stable btw).

Thanks for letting us know this is still an issue.

If anyone else is still having this problem, then please reply here so that I can let our team know.

Share this post


Link to post
Share on other sites

The WSC integration problem unfortunately remains on my two HP laptops and a Dell desktop, as does the problem of occasional excessive CPU usage. None of the updates put out since the two problems were identified months ago have been remotely useful. It's very frustrating.   

Share this post


Link to post
Share on other sites
20 hours ago, eliastz said:

The WSC integration problem unfortunately remains on my two HP laptops and a Dell desktop, as does the problem of occasional excessive CPU usage. None of the updates put out since the two problems were identified months ago have been remotely useful. It's very frustrating.   

Let me know if the following helps:

  1. Uninstall Emsisoft Anti-Malware.
  2. Restart your computer twice.
  3. Download and reinstall Emsisoft Anti-Malware from this link.

Share this post


Link to post
Share on other sites

@eliastz to clarify why I'm asking you to perform steps you've already tried, in the current version of Emsisoft Anti-Malware the WSC integration issue may be fixable by reinstalling Emsisoft Anti-Malware as long as all Emsisoft Anti-Malware files and services are properly removed during the uninstall.

Share this post


Link to post
Share on other sites

I did the uninstall + 2x restart + install 2020.9.0.10390. Issue soon reappeared. More specifically, it reappeared right after the restart that followed the automatic cumulative W10 update to 18363.1082. Can't say if the update process is related and of course, issue does not only appear after Windows updates.

As usual, EAM works (all green, UI+EAM tray), WSC reports it as off with a red tray icon (I've manually/permanently disabled Defender).

1. Shut down EAM
2. Wait for its process/services to close. Re-launching EAM without waiting for this, seems to cause some trouble (EAM will not start properly -no UI- and only a PC restart solves it)
3. Re-launch EAM. Usually, WSC will now report correctly (until the next time, unfortunately)

Share this post


Link to post
Share on other sites
16 hours ago, Quirky said:

More specifically, it reappeared right after the restart that followed the automatic cumulative W10 update to 18363.1082.

I have that update for Windows 10 1909 installed as well, so I suspect that the issue happening on that particular startup was just a coincidence.


Can everyone who's still seeing the WSC issues go ahead and post fresh FRST logs for me to review? I want to see if there are any similarities between your systems that might account for why you're all still having this issue. You can find instructions for downloading and running FRST at the following link:
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note: When FRST checks the Windows Firewall settings, Emsisoft Anti-Malware's Behavior Blocker will quarantine it automatically. This can be avoided by clicking "Wait, I think this is safe" in the notification that is displayed while FRST is scanning.

  • Like 1

Share this post


Link to post
Share on other sites

Further to my original post when starting this topic, I've had no problems with EAM showing in WSC on my desktop pc  since I re-installed EAM.

However, I just defragged my laptop hard drive using Windows defrag, and following the next reboot, EAM is no longer registered in WSC, in fact, it's not even shown as a provider even though all of EAMs processes are running.  I've tried toggling WSC integration off and on again in EAM several times to no avail.

image.thumb.png.c7731b0ceac9ba71f8a72b9bc734a52f.png
Download Image

Edited by marko
clarity

Share this post


Link to post
Share on other sites
11 hours ago, marko said:

Further to my original post when starting this topic, I've had no problems with EAM showing in WSC on my desktop pc  since I re-installed EAM.

However, I just defragged my laptop hard drive using Windows defrag, and following the next reboot, EAM is no longer registered in WSC, in fact, it's not even shown as a provider even though all of EAMs processes are running.  I've tried toggling WSC integration off and on again in EAM several times to no avail.

Unless the defrag managed to corrupt something (file or registry data), then I'm not certain how it could have caused the issue to reappear. It's possible that it was just a weird coincidence and that something else caused it, however at this point everything is just speculation since we don't have any debug info beyond the FRST logs.


Anyway, I've downloaded everyone's FRST logs and will take a look at them to see what I find.

  • Like 1

Share this post


Link to post
Share on other sites

From what I'm seeing in the logs, this looks like it may have a different cause for everyone.

@marko I'm seeing a string of the following errors in your FRST Addition log:

Error: (09/11/2020 08:15:05 PM) (Source: SecurityCenter) (EventID: 16) (User: )
Description: Error while updating  status to SECURITY_PRODUCT_STATE_ON.

The product name is missing, which suggests that whatever Anti-Virus product (presumably Emsisoft Anti-Malware) the entry is for probably has a corrupt registration with the Security Center. I'm going to send you a private message with a command to run to see if this is the case.

 

@Quirky in your case I'm seeing several of the following error, which suggest that an important part of the Windows Security Center isn't able to run, and thus Windows may not be able to track the status of Emsisoft Anti-Malware properly:

Error: (09/08/2020 12:24:03 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1115" attempting to start the service SecurityHealthService with arguments "Unavailable" in order to run the server:
{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}

Try right-clicking on the Start button, selecting Windows PowerShell (Admin) from the list, once PowerShell is ready type in CMD and press Enter on your keyboard, and then paste the following command and press Enter again:

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

This command is supposed to reset all Windows Security Center settings. It may not restore Windows Security Center services to their defaults states, so if you've disabled the SecurityHealthService then you may need to change it back to automatic startup.

 

@andrewek your logs don't show any errors that might indicate why this may be happening, however I did notice that both computer have Malwarebytes installed on them. Is real-time protection active? If so, can you try excluding the following file in Malwarebytes, and then reboot the computer to see if that helps (be sure to restart by right-clicking on the Start button, going to Shut down or sign out, and selecting Restart from that menu to bypass Fast Startup)?

C:\Program Files\Emsisoft Anti-Malware\eppwsc.exe

 

Share this post


Link to post
Share on other sites
3 hours ago, GT500 said:

...I'm seeing several of the following error, which suggest that an important part of the Windows Security Center isn't able to run...
...so if you've disabled the SecurityHealthService then you may need to change it back to automatic startup.

Perhaps these errors are related to Defender being permanently disabled? Never disabled the Windows Security Service myself. Its current status is: Manual/Running. What I usually do once (after installing Windows), is disable Tamper protection and then use O&O ShutUp10 to disable Windows Defender. I believe that changes a group policy. I've recently read that Microsoft intends to make disabling Defender more difficult (impossible?).

I ran that command (btw it only worked in cmd, not Powershell) and restarted. Didn't notice any difference and Defender remained disabled. Windows Security Service remains Manual/Running. I'm not seeing a service with 'Health' in its name.

Share this post


Link to post
Share on other sites
43 minutes ago, Quirky said:

Windows Security Service remains Manual/Running. I'm not seeing a service with 'Health' in its name.

According to Process Hacker "Windows Security Service" is the friendly name for "SecurityHealthService". It's possible it's only failing part of the time.

Share this post


Link to post
Share on other sites

Yes, it's the same thing. I was looking at the Services list, not process names.

You mentioned possible timing issues. Don't know what that means exactly, but it always seemed unusual (way before this issue appeared) that WSC takes its time to detect and report the system status after boot. It usually does so a few minutes AFTER system startup, so if you try checking the status before that (in Windows Security), you will get a "Getting info..." message along with a spinning wheel.

Share this post


Link to post
Share on other sites

Also, the issue seems to occur way less often on my newer laptop (2015 i5 CPU), than on the old desktop (many more programs/services installed, 2008 Core2 Quad CPU).

Share this post


Link to post
Share on other sites

Hello!

No mistakes? This makes me happy!
I only have MBAM as a scanner on demand!
No mutual exclusions are configured.
I can - 1) add to exclusions in EAM, 2) remove this scanner completely!
 
I completely removed MBAM, with a lot of traces in the registry, service and drivers! It wasn't easy ...
However, unfortunately, the problem with the integration persists ...
Here are the laptop logs without MBAM.

 

2020-09-12 21_08_08-Параметры.jpg
Download Image

Addition.txt FRST.txt

Share this post


Link to post
Share on other sites
On 9/12/2020 at 1:47 PM, Quirky said:

You mentioned possible timing issues. Don't know what that means exactly...

This suspicion is because the problem doesn't happen when debug logging is on.  When such logging is on, the program(s) that is/are making the logging requests will be taking slightly longer to do the "real stuff" between each request to update the debug log (because they're doing the real stuff, and the logging as well).  This suggests that something the program(s) rely on only just manages to get done in time normally (for users who don't have the problem) and fails to be done in time (for users who do see the problem).  Turning on debugging gives the thing (that hasn't completed in time) enough extra time to complete.

It's a problem that could also show up when code originally run on one cpu now runs on a slower or faster one, or one with more/fewer cores.  Anything that affects the rate at which other processes are running can make this sort of problem appear or go away.   The problem for the developers is to work out what the time-critical thing is.  It could then perhaps be started earlier, or the code that needs the results can be made to wait longer before expecting them to be complete.

It's a classic kind of programming problem, hard to identify, though knowing that turning on debugging does change things is itself a valuable clue.

  • Like 1

Share this post


Link to post
Share on other sites
30 minutes ago, JeremyNicoll said:

This suspicion is because the problem doesn't happen when debug logging is on.

Not true - it happens regardless of whether debug logging is on or off - when I first started this topic I did offer debug logs but nobody wanted them.

Share this post


Link to post
Share on other sites

Thanks for the info, JeremyNicoll. As marko said, it does happen here too with logging enabled, albeit far less frequently. But perhaps that's what you meant.

Share this post


Link to post
Share on other sites

@marko  @Quirky  It's not what I meant.  When I replied, trying to explain what timing issues might be, I'd looked back through this discussion to see when @GT500 had mentioned timing issues.  But in his post [ https://support.emsisoft.com/topic/33533-wsc-integration-problems-with-latest-version/?do=findComment&comment=207877 ]   he had said

  "Of course, that doesn't mean the CPU actually has anything to do with these issues. It's more likely an issue with timing since it doesn't happen when debug logging is enabled."

and no-one has corrected that statement since he made it, so I wrote my reply under the same assumption.   It's been ages since I read the whole thread (which hopefully would have made me aware of that error), as I tend just to read new posts as they are appended.

Share this post


Link to post
Share on other sites
19 minutes ago, JeremyNicoll said:

@marko  @Quirky  It's not what I meant.  When I replied, trying to explain what timing issues might be, I'd looked back through this discussion to see when @GT500 had mentioned timing issues.  But in his post [ https://support.emsisoft.com/topic/33533-wsc-integration-problems-with-latest-version/?do=findComment&comment=207877 ]   he had said

  "Of course, that doesn't mean the CPU actually has anything to do with these issues. It's more likely an issue with timing since it doesn't happen when debug logging is enabled."

and no-one has corrected that statement since he made it, so I wrote my reply under the same assumption.   It's been ages since I read the whole thread (which hopefully would have made me aware of that error), as I tend just to read new posts as they are appended.

Fair comment Jeremy - I'd missed that post of GT500's - it my well be a timing issue but it happens whether debug logging is enabled or not, on my machines anyway.

Share this post


Link to post
Share on other sites
On 9/12/2020 at 8:47 AM, Quirky said:

You mentioned possible timing issues. Don't know what that means exactly...

A timing issue basically means that the time a certain function is executed is what's causing a bug (for instance it could be happening at the same time as something else which could cause the function to hang). This would explain why it doesn't happen when debug logging is on, as that changes the timing of everything.

 

On 9/12/2020 at 9:19 AM, Quirky said:

Also, the issue seems to occur way less often on my newer laptop (2015 i5 CPU), than on the old desktop (many more programs/services installed, 2008 Core2 Quad CPU).

That's two of you now reporting the issue happens more frequently on machines with slower processors. That makes me wonder if I could reproduce the issue if I restricted my VM's to only one core, and installed EAM. It still wouldn't be a great test, since the CPU in the host system is an AMD Ryzen 7 3800X (meaning the per-core performance is fairly good), but bottlenecking the VM like that may produce similar enough conditions to an older and slower CPU.

  • Like 1

Share this post


Link to post
Share on other sites
On 9/13/2020 at 12:11 PM, marko said:

Not true - it happens regardless of whether debug logging is on or off - when I first started this topic I did offer debug logs but nobody wanted them.

In your case things are a little different, as I explained in a private message. The WSC registration information for Emsisoft Anti-Malware is incorrect, which is causing the issue.

Share this post


Link to post
Share on other sites
22 hours ago, marko said:

I'm not sure if this is of interest, but if I turn off WSC integration in EAM, eppwsc.exe crashes.

Did a dialog appear allowing you to submit a crash report? If you submitted one, then the developers should be able to investigate it.

Share this post


Link to post
Share on other sites
On 9/12/2020 at 10:32 AM, andrewek said:
I completely removed MBAM, with a lot of traces in the registry, service and drivers! It wasn't easy ...
However, unfortunately, the problem with the integration persists ...
Here are the laptop logs without MBAM.

I had a feeling that might not help if you were only using it for on-demand scanning.

I'm pretty sure this is just a timing issue. In order to proceed we're going to need a way to not only produce this reliably, but also a way to get debugs logs when we need them. Hopefully I'll be able to figure something out with my virtual machine configuration.

I can't remember if anyone mentioned this or not, but how much RAM is in the computers having this issue? I'm curious to see if the computers that have the issue more often also have less RAM.

Share this post


Link to post
Share on other sites
14 minutes ago, GT500 said:

Did a dialog appear allowing you to submit a crash report? If you submitted one, then the developers should be able to investigate it.

Replied via pm

Share this post


Link to post
Share on other sites
3 hours ago, GT500 said:

That's two of you now reporting the issue happens more frequently on machines with slower processors. That makes me wonder if I could reproduce the issue if I restricted my VM's to only one core, and installed EAM. It still wouldn't be a great test, since the CPU in the host system is an AMD Ryzen 7 3800X (meaning the per-core performance is fairly good), but bottlenecking the VM like that may produce similar enough conditions to an older and slower CPU.

I wasn't able to reproduce the issue in testing. I don't think the CPU simply being slower is what's triggering it. I also tried 1 GB of RAM, and running Prime95 in the background on the host, and everything was fine in the virtual machine.

  • Sad 1

Share this post


Link to post
Share on other sites
3 hours ago, GT500 said:

I can't remember if anyone mentioned this or not, but how much RAM is in the computers having this issue? I'm curious to see if the computers that have the issue more often also have less RAM.

Both my PCs (2008/2015) have 8GB of RAM.

edit: also note that sometimes several days can pass before the issue makes a reappearance. It doesn't always happen often. Might be placebo, but I think that once the issue is triggered, it will frequently occur 2-3 times. Then, it will go back on 'hibernation' for a while, until the next time it's triggered.

Share this post


Link to post
Share on other sites
20 hours ago, Quirky said:

Both my PCs (2008/2015) have 8GB of RAM.

Then RAM probably has nothing to do with it. By default all of my VM's are assigned 2 cores and 2 GB of RAM, and they have never had WSC registration issues when testing.

 

20 hours ago, Quirky said:

edit: also note that sometimes several days can pass before the issue makes a reappearance. It doesn't always happen often. Might be placebo, but I think that once the issue is triggered, it will frequently occur 2-3 times. Then, it will go back on 'hibernation' for a while, until the next time it's triggered.

Unfortunately that's going to make this incredibly difficult to debug. Especially since debug logs are critical to figuring out what's going on, and if I remember right neither you nor andrewek were able to collect them.

Share this post


Link to post
Share on other sites
3 hours ago, GT500 said:

and if I remember right neither you nor andrewek were able to collect them.

No, I have managed to collect logs (and send them) from the older PC. EAM logs, that is.

Share this post


Link to post
Share on other sites
20 hours ago, Quirky said:

No, I have managed to collect logs (and send them) from the older PC. EAM logs, that is.

If I remember right that was long enough ago that we may need new debug logs just to make sure that the changes that have been made in EAM since then haven't effected anything. Would it be possible to enable debug logging again and send new logs?

BTW: Be sure to delete everything in the following folder before you enable debug logging, that way older logs don't get mixed in with the newer logs:

C:\ProgramData\Emsisoft\Logs

 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.