When VMware Optimization is used in the environment, the default templates are configured to disable Windows Security Center. VMware Optimization sends this command to Security Center to disable it:
Set-Service 'wscsvc' -startuptype "disabled"
When the MOVE client calls the Windows Security Center API to register with it, the registration fails because the wscsvc service is disabled.
After the service starts, a registered application must call the UpdateStatus function to refresh the real-time protection state. If this action isn't completed within 60 seconds of the service starting, Microsoft Defender Antivirus starts to make sure that the user is protected.
If you run mvadm status in a Command Prompt as administrator, you see that the client is properly connected to the OSS. The following is an example of a good connection to the OSS:
C:\WINDOWS\system32>mvadm status
Scan Configuration: Enabled
On Access Scan: Enabled
On Demand Scan: Disabled
On Demand Scan State: Not Running
Driver Status: Driver is loaded
Primary Server: 192.168.1.55:9053 [Active]
Secondary Server: NONE:9053 [Not Configured]
SVA Manager: 192.168.1.54:8080 [Configured]
The mvagent.log records the errors below:
U.7924.6780: SYSTEM: wsc.cpp: 841: WSC Integration: Waiting for SERVICE_NOTIFY_RUNNING.
K.7924.3920: WARNING: ivmc_machine.c: 2762: Secondary server address not set.
K.0004.1944: WARNING: utl_rt.c:109: Process info is NULL for proc handle 0x4
K.0004.1944: WARNING: fsh_winnt.c : 255: Failed to get for process info of (System)
K.0004.6960: SYSTEM: kumsg_kernel.c: 716: Failed to send message to user ... STATUS_TIMEOUT
K.0004.6960: SYSTEM: kumsg_kernel.c: 716: Failed to send message to user ... STATUS_TIMEOUT
U.7924.6780: ERROR: wsc.cpp: 692: WSC Integration: Failed to Update MOVE AV Status with the Vista SP1 or later WSC (0x8000000a).
U.7924.6780: ERROR: wsc.cpp: 868: WSC Integration: Failed to set [Vista SP1 or later] av state to "disabled" (0x8000000a)
Even though the MOVE client successfully connects to the OSS, it fails to register with Windows Security Center. So, the operating system enables Windows Defender. In this scenario, an EICAR test file is caught, but it is handled by Defender and not by Trellix MOVE as you would expect.
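The following PowerShell check is an added example, not part of this article or the Trellix MOVE product: it reports whether wscsvc has been left disabled, lists the AV products Windows Security Center currently has registered, and restores the Windows default startup type when needed. It assumes an elevated session and that the MOVE product's WSC display name contains "MOVE", "Trellix" or "McAfee" (an assumption; adjust the pattern).

```powershell
# Added example (not from the article or Trellix): detect the wscsvc-disabled
# condition described above and restore the service so MOVE can register.
# Assumptions: elevated PowerShell; MOVE's WSC displayName matches the pattern below.

function Get-WscState {
    $svc = Get-Service -Name wscsvc -ErrorAction Stop
    # root/SecurityCenter2 is populated by WSC with every AV product that registered.
    $av  = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    [pscustomobject]@{
        StartType      = $svc.StartType
        Status         = $svc.Status
        Registered     = @($av | ForEach-Object displayName)
        MoveRegistered = [bool]($av | Where-Object displayName -match 'MOVE|Trellix|McAfee')
    }
}

function Repair-WscState {
    # Windows ships wscsvc as Automatic (Delayed Start); sc.exe restores exactly that.
    & sc.exe config wscsvc start= delayed-auto | Out-Null
    Start-Service -Name wscsvc
    # Wait longer than the 60-second UpdateStatus window before re-checking who is registered.
    Start-Sleep -Seconds 75
    Get-WscState
}

$state = Get-WscState
if ($state.StartType -eq 'Disabled' -or $state.Status -ne 'Running') {
    Write-Warning "wscsvc is $($state.StartType)/$($state.Status): MOVE cannot register with WSC."
    Repair-WscState
} elseif (-not $state.MoveRegistered) {
    Write-Warning "wscsvc is running but WSC lists only [$($state.Registered -join ', ')]; restart the MOVE client so it calls UpdateStatus."
} else {
    $state
}
```

If the check is run before the VMware Optimization template is corrected, the service will simply be disabled again on the next optimization pass, so fix the template as well.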