MOVE AV Multi-Platform client doesn't register with Windows Security Center when VMware optimization is used

Technical Articles ID: KB93969
Last Modified: 2023-11-06 10:06:56 Etc/GMT

Environment

Management for Optimized Virtual Environments (MOVE)
MOVE AntiVirus Multi-platform (MOVE AV Multi-platform) 4.x
Offload Scan Server (OSS)

Problem

NOTE: The feature to register the product isn't supported with the Windows Server OS versions since the Windows Server OS versions don't have the Windows Security Center option.

When VMware Optimization is used in the environment, the default templates are configured to disable Windows Security Center. VMware Optimization sends this command to Security Center to disable it:

Set-Service 'wscsvc' -startuptype "disabled"

When the MOVE client sends an API to the Windows Security Center to register with it, the registration fails because the service wscsvc is disabled.

After the service starts, a registered application must call the UpdateStatus function to refresh the real-time protection state. If this action isn't completed within 60 seconds of the service starting, Microsoft Defender Antivirus starts to make sure that the user is protected.

If you run the mvadm status in cmd as administrator, you would see that the client is properly connected to the OSS. The following is an example of a good connection to the OSS:

C:\WINDOWS\system32>mvadm status
Scan Configuration: Enabled
On Access Scan: Enabled
On Demand Scan: Disabled
On Demand Scan State: Not Running
Driver Status: Driver is loaded
Primary Server: 192.168.1.55:9053 [Active]
Secondary Server: NONE:9053 [Not Configured]
SVA Manager: 192.168.1.54:8080 [Configured]

The mvagent.log records the errors below:

U.7924.6780: SYSTEM: wsc.cpp: 841: WSC Integration: Waiting for SERVICE_NOTIFY_RUNNING.
K.7924.3920: WARNING: ivmc_machine.c: 2762: Secondary server address not set.
K.0004.1944: WARNING: utl_rt.c:109: Process info is NULL for proc handle 0x4
K.0004.1944: WARNING: fsh_winnt.c : 255: Failed to get for process info of (System)
K.0004.6960: SYSTEM: kumsg_kernel.c: 716: Failed to send message to user ... STATUS_TIMEOUT
K.0004.6960: SYSTEM: kumsg_kernel.c: 716: Failed to send message to user ... STATUS_TIMEOUT
U.7924.6780: ERROR: wsc.cpp: 692: WSC Integration: Failed to Update MOVE AV Status with the Vista SP1 or later WSC (0x8000000a).
U.7924.6780: ERROR: wsc.cpp: 868: WSC Integration: Failed to set [Vista SP1 or later] av state to "disabled" (0x8000000a)

Even though the MOVE client can successfully connect to the OSS, it fails to register with Windows Security Center. So, the operating system enables Windows Defender. In this scenario, an EICAR test file is caught, but it's handled by Defender and not Trellix MOVE as you would expect.

Workaround

Implement one of the following options:

Option 1:

Change the state of the Windows Security Center Service to enabled.
In PowerShell, run the command below:

Set-Service 'wscsvc' -startuptype "enabled"

Option 2:

Configure VMware Optimization to not disable Windows Security Center during the optimization process.
See the VMware documentation guide for assistance. For details, see the VMware Optimization Guide.

Related Information

To view the related VMware details, see VMware community article that confirms most optimization software suggests disabling Security Center.

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

MOVE AV Multi-Platform client doesn't register with Windows Security Center when VMware optimization is used

Environment

Problem

Workaround

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

MOVE AV Multi-Platform client doesn't register with Windows Security Center when VMware optimization is used

Environment

Problem

Workaround

Related Information

Affected Products

Languages:

Choose your region

Title

Title