
Interaction failure between ATI and Windows Security


I have the latest ATI build 39216. Yesterday, I turned off all protection. Everything seemed fine until today when I restarted the system and I hit an exception in True Image while it was trying to shut down.

A couple minutes after the restart of the system, I saw that the Windows Security notification icon was red flagged. I went into the WS settings and found real time protection was off. I tried to turn it on, but it kept failing.

I then went into True Image and tried to turn on protection, but it wouldn't go. It just stayed with the image showing protection off. Hitting the button to turn it on did nothing but a window refresh (I could see the blink).

A couple reboots later and it still was problematic. After each restart, Windows Security would be OK for a few minutes and then would go bad. I next logged into each of the accounts on the machine and individually signed off each. After another reboot, I was successful in getting Windows Security to turn on protection and have it remain. But I could still get nowhere with True Image protection.

I then uninstalled and reinstalled True Image. From there it seemed OK as I could turn protection off, on and off again with expected results.

Before uninstalling, I took a System Report which I will need to file at some point.


Bruno, sorry but yet more evidence that the new Cyber Protection has only ever been 'half-baked' and was released before it had been fully developed despite all the warnings given by the Beta testers last year!

I experience a like issue, Active Protection was found to be turned off and would not turn on.  Another poster to the Forum reported the same issue.  For us a simple restart of the computers corrected the issue.

I suspect the exception that was thrown by True Image on shutdown left things in a real mess. Not being able to turn on ATI protection was not what worried me. The fact that Windows Security could not turn on its own protection as well was very disconcerting.

I agree Bruno, not sure what would cause that. At this point would have to say an isolated instance unless more reports surface.

Today I turned on my test machine for the first time in about 12 days. I wanted to test something with ATI 2021 Protection.

When I booted up the machine, the ATI Notification icon had an indicator that something required attention. The history showed most recently that the database was not up to date (as would be expected). Below that it showed that Protection was turned off on 4/2 (the date of the original post in this thread) and below that showed that Protection was turned on. All this looked correct. And just for accuracy, I should note that when I first booted the machine my Internet ISP was down, although I waited until it came back up to look into it.

When I opened the ATI UI, it showed correctly that Protection was stopped permanently. But when I tried to turn it on, nothing would happen. I tried everything I could think of without luck. Multiple reboots didn't help either. My plan was to reinstall ATI, but as it turned out it was also time to update to Windows 10 from 2004 to 20H2. I decided to do the Windows update first.

After Windows came back under 20H2, I noticed that the ATI notification icon did not show an issue. And the history was that Protection was turned ON on 4/2. The two later activities were gone. I opened the ATI UI and it showed again that Protection was stopped permanently. When I clicked to turn it on, it proceeded to the next screen but was fogged out while the Processing... wheel was spinning. This went on for a few minutes and when it stopped it was again at the screen telling me protection was turned off. I thought maybe it had updated the database while it was processing. I again clicked to turn protection on. Again the spinning wheel while "checking protection status". And now it just won't come back. When I switch to the Activity tab, I get another spinning wheel while loading, but that is stuck in that state too.

Next step is to close the UI and reopen it. It closed fine, but I just could not get it back open. So... reboot again. And on restart, I'm back to where I started where I cannot even get past the screen that says Protection is stopped permanently.

Since the only thing I had done with ATI since installing fresh on 4/2 is turn protection off, on and off again on that day, I really didn't have time to mess it up too bad. So I fear another reinstall is necessary.

Bruno, this is exactly the issue that I reported to Acronis back in August 2020 where Protection would not turn on!  Later, it went the other way and wouldn't turn off!  Eventually, it started to behave after several new builds were installed.

Personally I have Protection turned off permanently albeit with all the attendant issues of all the associated background services & processes still remaining active & scanning!  I am still of the opinion that the new Protection was never properly developed and tested before being released on unsuspecting users, as reported during the beta phase testing.  Your experience above does nothing to make me want to change that opinion!

I reinstalled ATI 2021. Took a while to get the database update but now that is done. In the overview, it says I'm protected, but as for Malicious files and Malicious websites, those are not on and the information message says...

"Currently the antimalware protection is performed by the following software: Avast Antivirus, Microsoft Security Essentials. To avoid compatibility issues and to enable complete protection of your system with True Image, uninstall this software and enable protection."

OK, I uninstalled Avast Antivirus a month ago. And Microsoft Security Essentials is the old MS solution from when this was a Windows 7 machine a few years back. Neither of these show up under Windows Control Panel as installed programs. I also do not see any running tasks or installed services that would relate to these. I suspect something is being misread from some residue in the registry. This is just nuts!

Windows Defender still seems to be in full control.


Bruno,

I suggest that you provide feedback to the above.  If Avast uninstaller left a few files and or folders this could be the issue.  Same for Security Essentials.  I think someone needs to write a cleanup utility to get rid of all the leftovers from an uninstall.  I know that Revo Uninstaller does this pretty well but can also tag reg entries that are wrong.

I did get a feedback and system report sent before reinstalling.

I'll do another one now.

I suspect the problem is in HKLM\SOFTWARE\Microsoft\Security Center\Provider\Av\...

Using PowerShell we can see the contents:

C:\> Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct

displayName              : Avast Antivirus
instanceGuid             : {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
pathToSignedProductExe   : C:\Program Files\AVAST Software\Avast\wsc_proxy.exe
pathToSignedReportingExe : C:\Program Files\AVAST Software\Avast\wsc_proxy.exe
productState             : 266240
timestamp                : Tue, 25 Feb 2020 16:57:55 GMT
PSComputerName           :

displayName              : Windows Defender
instanceGuid             : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe   : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState             : 397568
timestamp                : Fri, 23 Apr 2021 16:13:45 GMT
PSComputerName           :

I tried to delete the key for Avast, but regedit won't let me. A little searching tells me that other AV programs also fail to remove this upon uninstall. I'm thinking the productState may indicate that the product is not being used since Windows Defender is comfortable. Perhaps Acronis is not reading this correctly and assuming it is still being used.

More research needed.

Using wbem, I was able to delete the Avast provider. Although I still see the same entry in the registry, Acronis no longer shows it. But, Microsoft Security Essentials is still showing up and I can't find how to get rid of that one.

Bruno,

Have you tried running the command below from an admin command prompt?

MsiExec.exe /X{75812722-F85F-4E5B-BEAF-3B7DA97A40D5}

Bob, I tried but it can't do it because it's not installed. I also searched for that GUID in the registry and it is not there.

Or this:

“C:\Program Files\Microsoft Security Client\setup.exe” /x /disableoslimit

The above should start the Essentials Uninstaller.  Click the Uninstall button in the window.

After uninstall completes update Defender definitions: Click Start - type Defender - Click on Windows Defender - Click on Update definitions.

"C:\Program Files\Microsoft Security Client" does not exist.

I have solved it!

The problem is that Acronis was using WMI to get the information about antivirus packages installed and there were two things left over... Avast Antivirus and Microsoft Security Essentials. I have read on the Internet that other protection packages are also bad players when it comes to uninstalling.

I am documenting here what I did in case it may be problematic for others.

1. Run C:\Windows\System32\wbem\wbemtest.exe as an Administrator

2. Click the Connect... button

3. Enter root\SecurityCenter2 in the Namespace field

4. Click Connect

5. Click Enum Instances...

6. In the Enter superclass name field enter AntiVirusProduct

7. A Query Results window will appear listing each AntiVirus Product associated with Microsoft Security Center.

8. Double-click on a product to open an Object editor window. Check Hide System Properties and look at the displayName.

--- At this point you want to verify if there is a product which does not belong (i.e. for a no longer installed product).

9. Close the Object editor

10. For a product that does not belong, in the Query Result window select the item and click the Delete button. BE VERY CAREFUL HERE SO AS NOT TO DELETE THE WRONG THING.

11. Close the Query Result box.

Go back to step 5, and repeat the process using the superclass names AntiSpywareProduct and FirewallProduct.

In my case, I'd found Avast Antivirus under the AntiVirusProduct superclass and Microsoft Security Essentials was under AntiSpywareProduct. Once I removed those two, I rebooted just to be sure. I loaded up the ATI 2021 UI and it was able to turn on all its security. I ran wbemtest again and this time I found Acronis True Image under the AntiVirusProduct class.


Thanks for posting Bruno.  I'm sure others will find this useful.

To add a bit to this... if you want to just look at your system to see what's registered with the Security Center, rather than running the wbemtest.exe program, you can just run these PowerShell commands:

Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct

Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiSpywareProduct

Get-CimInstance -Namespace root/SecurityCenter2 -ClassName FirewallProduct

Note the productState. It is displayed in Decimal but is meaningful in Hex. I'm not sure, but I suspect the bit at 0x20000 may be set for an active product and clear for inactive. I'm still trying to track that down. Lower order bits reflect enabled/disabled, up-to-date, etc.

EDIT: Further research is indicating that the productState meaning may be dependent on the specific product.

EDIT: Batch file commands to do the same thing...

wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get * /value
wmic /namespace:\\root\SecurityCenter2 path AntiSpywareProduct get * /value
wmic /namespace:\\root\SecurityCenter2 path FirewallProduct get * /value

Very nice Bruno, will put these in my archive.

Good work Bruno. Very impressive!

I checked a system where TI 2021 had been uninstalled and found only Windows Defender listed. Good to know Acronis did a good job with the uninstall. 

So I ran a test.  Last month I built a new system based on a sixth Gen Intel mobo.  I did not install any security or threat protection software on this PC.  I rely solely on Windows Security Center for such protection.  Running the PS commands supplied I only got output from the AntiVirus check which showed Windows Defender as displayname.


Next, I fired up another PC on which CheckPoint ZoneAlarm Extreme Security is the installed product.  A captured output of all 3 PS commands appears below:

image 357


Next I uninstalled the ZoneAlarm product from the PC.  I had planned to do so in the coming days ahead anyway so this was not an inconvenience.  I then ran the 3 PS command again after the uninstall.  The results appear in the screenshot below:

image 358

As you can see the ZoneAlarm product uninstall left traces of the product which PS displays.  Note the productState numbers have changed but show no definitive pattern suggesting that they may not indicate a reliable value.  Perhaps the InstanceGuid may be of more benefit.

Clearly this issue must be addressed by Acronis. 


NOTE: On further review the date and timestamp may be more telling.  Perhaps only the top entry under each command is or shows what is still valid by WMI.

Enchantech, the productState needs to be looked at in Hex notation to understand it. So let's look at what we're seeing here.

Starting with the Firewall...
There is an old entry for 12/22/2020 with a state of 0x40000
The entry for 4/25/2021 is 0x41000

After uninstalling the 4/25/2021 state goes to 0x40000

Perhaps the 0x01000 bit indicates enabled state.

Next let's look at the Antivirus...
The 12/22/2020 state is 0x40010
The 4/25/2021 state is 0x41000

After uninstalling the 4/25/2021 state goes to 0x40000.

Again, the 0x01000 bit may indicate enabled state

The 0x00010 bit may indicate that the definitions are not up to date.

Finally, looking at the AntiSpyware...
There is only a 9/24/2019 entry with a state of 0x41000

It looks like the AntiSpyware association may not have been used on later versions and is left with maybe an enabled state.

Additionally, Windows Defender productState seems to always be 0x6xxxx so the 0x20000 bit may be an indicator of Windows Defender.

When ZoneAlarm was being used for Antivirus, the Windows Defender productState is 0x60100. When ZoneAlarm is no longer the Antivirus, the Windows Defender productState is 0x61100. Again, the 0x01000 bit indicates enabled state.

Bottom line, after uninstalling we really shouldn't even be seeing these programs listed at all.
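The following is an added example, not code from the thread or from Acronis: it runs the same three Security Center queries given above, shows productState in hex, and flags the situation Bruno describes, a provider that claims to be enabled but whose registered executable no longer exists. The bit meanings (0x1000 enabled, 0x10 definitions out of date) are the thread's inferences, not a documented specification.

```powershell
# Added audit script (not from the original posts). Read-only: it reports
# stale Security Center registrations, it does not delete anything.
$classes = 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct'

function Get-SecurityCenterAudit {
    foreach ($class in $classes) {
        $instances = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName $class -ErrorAction SilentlyContinue
        foreach ($p in $instances) {
            $state = [int]$p.productState

            # Expand %ProgramFiles%-style variables before testing the path.
            # Windows Defender registers a URI (windowsdefender://), not a file path,
            # so the existence check is skipped for URIs.
            $exe = [Environment]::ExpandEnvironmentVariables([string]$p.pathToSignedProductExe)
            $exeExists = if ($exe -match '^[a-z]+://') { $null } else { Test-Path -LiteralPath $exe }

            # Bit assignments below are the thread's inferences (assumption), not documented.
            $inferredOn    = ($state -band 0x1000) -ne 0
            $defsOutOfDate = ($state -band 0x10) -ne 0

            [pscustomobject]@{
                Class         = $class
                Product       = $p.displayName
                StateHex      = ('0x{0:X5}' -f $state)
                InferredOn    = $inferredOn
                DefsOutOfDate = $defsOutOfDate
                ExeExists     = $exeExists
                LastUpdated   = $p.timestamp
                # "Enabled" per the inferred bit, yet the product binary is gone:
                # this is the leftover registration that kept ATI from enabling protection.
                Suspicious    = $inferredOn -and ($exeExists -eq $false)
            }
        }
    }
}

Get-SecurityCenterAudit | Format-Table -AutoSize
```

Run from an elevated PowerShell prompt; rows with Suspicious = True are the candidates to compare against what is actually installed before touching anything in wbemtest.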

Bruno,

Using your logic I enabled ATI Protection. Everything went smoothly there, no issues noted. I ran the WMI script that you posted and checked productstate in Hex. I found that ZoneAlarm still reports as:

Hex 40000 = Disabled

This applies to all 4 checks

ATI shows Hex of 41000 = Enabled

Strangely the Firewall check only shows ZoneAlarm with no mention of Windows Firewall

Looking back on my original issue with Avast preventing ATI from enabling protection... the Avast productState was 0x41000. I think it should have been 0x40000, so ATI assumed it to be active. I can see three problems here:

1. Avast (and others) do not adequately inform Windows when an active product is uninstalled. I wonder how the behavior may differ if the uninstalled product was made inactive just prior to uninstall.

2. Windows, although being able to handle that situation, really should be able to clean up its database when it finds that the enabled provider executable path does not even exist. It does handle correctly putting Windows Defender back in charge.

3. Acronis should be smarter about resolving incompatible provider states, e.g. two providers both appear active but one points to a non-existent executable.

I have no idea why the WMI Firewall class will specify non-Microsoft providers, but not Windows Firewall. Just a quirk of inconsistency I suppose.

Enchantech wrote:

Bruno,

Using your logic I enabled ATI Protection. Everything went smoothly there, no issues noted. I ran the WMI script that you posted and checked productstate in Hex. I found that ZoneAlarm still reports as:

Hex 40000 = Disabled

This applies to all 4 checks

ATI shows Hex of 41000 = Enabled

Strangely the Firewall check only shows ZoneAlarm with no mention of Windows Firewall

I am a bit confused here concerning the AntiSpywareProduct. From your earlier post, it seems that Windows Defender was in state 0x60100 and Zone Alarm state was 0x41000. If my inference was correct, that says Zone Alarm was active. After you uninstalled, there was no change to either of these. Given the very old dates, I suspect neither of these were doing anything.

So when installing ATI, why did it not detect this? Why are you saying now that ZoneAlarm is reporting 0x40000?

Bruno,

I ran the WMI commands you posted; the results from that were as I posted in my last post here. So I did not have time to compare the WMI results with what I got from running the individual PS commands.

As for the dates, the old dates I believe reflect when product updates are applied, with the earliest being that of product uninstall and then a reinstall a short time later. I suppose it is possible that certain components, like Firewall for example, may not be upgraded during a product update and so those dates may not change. I am only guessing here as I have no real knowledge of what the information we are looking at here is actually telling us.