System Center Endpoint Protection / Windows Defender

Duchemin, Dominique 2,006 Reputation points
2023-02-28T23:38:57.4033333+00:00

Hello,

I am deploying System Center Endpoint Protection and the Windows Defender / Windows Defender Antivirus feature with Configuration Manager.

I notice several errors:

Machine #1

c:\Program Files\Windows Defender>MPCmdRun.exe -ValidateMapsConnection
CmdTool: Failed with hr = 0x80070667. Check C:\Users\xxxxxxxx\AppData\Local\Temp\MpCmdRun.log for more information
CmdTool: Invalid command line argument

Machine #2

c:\Program Files\Windows Defender>MpCmdRun.exe -ValidateMapsConnection
ERROR: ValidateMapsConnection failed (800705B4)
CmdTool: Failed with hr = 0x800705B4. Check C:\Users\xxxxxxxx\AppData\Local\Temp\MpCmdRun.log for more information


and then I checked the MPLog-Date-Time.log, and there are errors there as well:

Machine #1

2023-02-10T12:42:38.326Z Using signature default action MP_THREAT_ACTION_ALLOW(6) for special threatID: 0x786a0f0c7ffffffe
2023-02-10T12:42:38.326Z Using signature default action MP_THREAT_ACTION_ALLOW(6) for special threatID: 0x502eece97ffffffe
2023-02-10T12:42:40.493Z [Cloud] SubmitReport(CMpUnknownSpyNetReportContext)
2023-02-10T12:42:40.493Z [Cloud] Start of cloud request. Passive mode: 0
2023-02-10T12:42:40.493Z [Cloud] Queued cloud request.
2023-02-10T12:42:40.493Z [Cloud] Dequeued cloud request.
2023-02-10T12:42:40.502Z [Cloud] RpcSpynetQueueGenerateReport(). hr = 0
2023-02-10T12:43:07.146Z MAPS Report Send (hr=0x80072ee2 httpcode=451)
2023-02-10T12:43:07.147Z [Cloud] End of cloud request.
2023-02-10T12:43:07.652Z [NRI] Successfully updated NIS service with platform settings for enforcement level Log
2023-02-10T12:43:57.204Z MAPS Report Send (hr=0x80072ee2 httpcode=451)
2023-02-10T12:43:57.204Z [Cloud] End of cloud request.


Machine #2

Internal signature match:subtype=Lowfi, sigseq=0x000052611B9CB317, sigsha=581c2ffb95d0d6980949156a6dfbc64083236ace, cached=false, source=0, resourceid=0xdc9235f9
Internal signature match:subtype=Lowfi, sigseq=0x000059783C312E99, sigsha=d8161689a321a156c2ac2130871e4ab29bc78372, cached=false, source=0, resourceid=0xdc9235f9
2023-02-28T22:06:32.118Z Using signature default action MP_THREAT_ACTION_ALLOW(6) for special threatID: 0x786a0f0c7ffffffe
2023-02-28T22:06:32.118Z Using signature default action MP_THREAT_ACTION_ALLOW(6) for special threatID: 0x502eece97ffffffe
2023-02-28T22:06:34.312Z [Cloud] SubmitReport(CMpUnknownSpyNetReportContext)
2023-02-28T22:06:34.312Z [Cloud] Start of cloud request. Passive mode: 0
2023-02-28T22:06:34.312Z [Cloud] Queued cloud request.
2023-02-28T22:06:34.312Z [Cloud] Dequeued cloud request.
2023-02-28T22:06:34.325Z [Cloud] RpcSpynetQueueGenerateReport(). hr = 0
2023-02-28T22:06:37.766Z ReadConfigFileTime(.\SacEvalModeExpirationTime) failed, hr = 0x8007065d <==
2023-02-28T22:06:59.757Z MAPS Report Send (hr=0x80072ee2 httpcode=451) <==
2023-02-28T22:06:59.758Z [Cloud] End of cloud request.


Any clues on how to troubleshoot these issues?

Thanks,

Dom

Microsoft Security | Intune | Configuration Manager | Other
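
An added example (not from this thread and not Microsoft code) that pulls the MAPS and MpCmdRun failures out of the log excerpts above and decodes each HRESULT to its Win32 error name, so the repeated hr=0x80072ee2 / httpcode=451 result is recognised as ERROR_INTERNET_TIMEOUT (a WinINet timeout) and the two MpCmdRun results as ERROR_INVALID_COMMAND_LINE and ERROR_TIMEOUT. The sample lines are constructed from the excerpts in the question, and the name table covers only the codes that appear there.

```python
"""Pull MAPS / MpCmdRun failures out of MPLog-style lines and name the HRESULTs.

Added example for this thread, not Microsoft code. SAMPLE is constructed from
the excerpts posted above; WIN32_NAMES covers only the codes seen there.
"""
import re
from collections import Counter

# Win32 error names for the codes in the posted logs (HRESULT facility 7 = Win32).
WIN32_NAMES = {
    1460: "ERROR_TIMEOUT",                 # 0x800705B4
    1639: "ERROR_INVALID_COMMAND_LINE",    # 0x80070667
    12002: "ERROR_INTERNET_TIMEOUT",       # 0x80072EE2 (WinINet)
}
MAPS_RE = re.compile(r"MAPS Report Send \(hr=0x([0-9A-Fa-f]+) httpcode=(\d+)\)")
CMD_RE = re.compile(r"Failed with hr = 0x([0-9A-Fa-f]+)")

def decode_hresult(hr: int) -> tuple[int, int, str]:
    """Split an HRESULT into (facility, code, name); name is '?' when unknown."""
    facility = (hr >> 16) & 0x7FF
    code = hr & 0xFFFF
    name = WIN32_NAMES.get(code, "?") if facility == 7 else "?"
    return facility, code, name

def summarise(lines):
    """Count MAPS send failures by (error name, httpcode) and MpCmdRun failures by name."""
    maps, cmd = Counter(), Counter()
    for line in lines:
        if m := MAPS_RE.search(line):
            maps[(decode_hresult(int(m.group(1), 16))[2], int(m.group(2)))] += 1
        elif m := CMD_RE.search(line):
            cmd[decode_hresult(int(m.group(1), 16))[2]] += 1
    return maps, cmd

SAMPLE = [  # constructed from the excerpts in the question
    "CmdTool: Failed with hr = 0x80070667. Check MpCmdRun.log for more information",
    "CmdTool: Failed with hr = 0x800705B4. Check MpCmdRun.log for more information",
    "2023-02-10T12:43:07.146Z MAPS Report Send (hr=0x80072ee2 httpcode=451)",
    "2023-02-10T12:43:57.204Z MAPS Report Send (hr=0x80072ee2 httpcode=451)",
    "2023-02-28T22:06:59.757Z MAPS Report Send (hr=0x80072ee2 httpcode=451)",
]

if __name__ == "__main__":
    maps, cmd = summarise(SAMPLE)
    for (name, http), n in maps.items():
        print(f"{n}x MAPS Report Send failed: {name} httpcode={http}")
    for name, n in cmd.items():
        print(f"{n}x MpCmdRun failed: {name}")
```

Every MAPS failure in the excerpts is the same WinINet timeout with the same HTTP status, which points at the path to the cloud service (proxy, TLS inspection, egress filtering) rather than at the client's signatures or policy.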

2 answers

  1. Duchemin, Dominique 2,006 Reputation points
    2023-03-01T17:13:12.52+00:00

    Hello @AllenLiu-MSFT

    Nothing in the EndpointProtectionAgent.log:

    Create Process Command line: "C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe" "C:\Windows\CCM\EPAMPolicy.xml". 2/28/2023 2:26:00 PM 5936 (0x1730)
    Applied the C:\Windows\CCM\EPAMPolicy.xml with ConfigSecurityPolicy.exe successfully. 2/28/2023 2:26:00 PM 5936 (0x1730)
    Save new policy state 1 to registry SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState 2/28/2023 2:26:00 PM 5936 (0x1730)
    State 1 and ErrorCode 0 and ErrorMsg and PolicyName Default Client Antimalware Policy
    ISS - Servers - SCEP - xxxxxxxx and GroupResolveResultHash CF738D98C1A7B967D70571B18278356F1E59C1DD is NOT changed. 2/28/2023 2:26:00 PM 5936 (0x1730)
    ....
    EP Policy Default Client Antimalware Policy
    ISS - Servers - SCEP - xxxxxxxx is already applied. 3/1/2023 7:27:00 AM 8776 (0x2248)
    Firewall provider is installed. 3/1/2023 7:27:00 AM 8776 (0x2248)
    Installed firewall provider meet the requirements. 3/1/2023 7:27:00 AM 8776 (0x2248)
    start to send State Message with topic type = 2001, state id = 3, and error code = 0x00000000 3/1/2023 7:27:00 AM 8776 (0x2248)
    Skip sending state message due to same state message already exists. 3/1/2023 7:27:00 AM 8776 (0x2248)

    Thanks,

    Dom


  2. Duchemin, Dominique 2,006 Reputation points
    2023-03-01T23:49:29.1166667+00:00

    Hi @AllenLiu-MSFT

    I found two types of logs...


    Internal signature match:subtype=Lowfi, sigseq=0x000005559CF21996, signame=#PowerShell:UACBypass!Lowfi.1, cached=false, resource="\?\C:\Windows\ccmcache\2\endpointinstall.bat"
    Internal signature match:subtype=Lowfi, sigseq=0x00000555B33A0E85, signame=#Lowfi:RPF:JSApiClassifierStats:97v2, cached=false, resource="\?\C:\Windows\diagnostics\system\WindowsUpdate\utils_SetupEnv.ps1->(UTF-16LE)"
    Internal signature match:subtype=Lowfi, sigseq=0x00000555DBE575DD, signame=#LowFi:GenericNonRtpN__, cached=false, resource="\?\C:\Windows\Installer$PatchCache$\Managed\3C4DD819020F5D74B8E85E9B30D3C247\5.0.9078\mbs.98C5B086_7EB0_422A_B0A8_674010F525CD"
    2022-09-05T05:29:04.098Z MAPS Report Send (hr=0x80072ee2 httpcode=451)


    then


    BEGIN BM telemetry
    GUID:{50773C2B-814C-0C64-7CE1-5641AF052E41}
    TelemetryName:Behavior:Win32/PsHiddenWindowLaunch.A
    SignatureID:71140829738329
    ProcessID:4656
    ProcessCreationTime:133068122300216465
    SessionID:0
    CreationTime:09-04-2022 17:43:50
    ImagePath:C:\Windows\System32\cmd.exe
    ImagePathHash:935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2
    TargetFileName:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    END BM telemetry


    Which process initiated them? They seem to start at any time...

    Thanks,

    Dom

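
On the "which process initiated them?" question: an added example (not from this thread and not Microsoft code) that parses the BM telemetry block posted above, converts the FILETIME in ProcessCreationTime to UTC, and emits the PID, the launching image (ImagePath) and the launched target (TargetFileName), which together are the join key for looking the launch up in the host's process-creation auditing (Security event 4688 or Sysmon event 1). The sample block is the one in this reply, and the code assumes Python 3.9 or later.

```python
"""Parse Defender 'BM telemetry' blocks from MPLog into correlation records.

Added example for this thread, not Microsoft code. SAMPLE is the block posted
above; CreationTimeUtc is derived from ProcessCreationTime (a Windows FILETIME).
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_bm_telemetry(text: str) -> list[dict]:
    """Return one dict per BEGIN/END block; keys are the block's own field names."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "BEGIN BM telemetry":
            current = {}
        elif line == "END BM telemetry" and current is not None:
            current["CreationTimeUtc"] = filetime_to_utc(int(current["ProcessCreationTime"]))
            records.append(current)
            current = None
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)   # values may themselves contain ':'
            current[key] = value
    return records

SAMPLE = r"""BEGIN BM telemetry
GUID:{50773C2B-814C-0C64-7CE1-5641AF052E41}
TelemetryName:Behavior:Win32/PsHiddenWindowLaunch.A
SignatureID:71140829738329
ProcessID:4656
ProcessCreationTime:133068122300216465
SessionID:0
CreationTime:09-04-2022 17:43:50
ImagePath:C:\Windows\System32\cmd.exe
ImagePathHash:935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2
TargetFileName:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
END BM telemetry"""

if __name__ == "__main__":
    for r in parse_bm_telemetry(SAMPLE):
        # PID + UTC creation time are the join key into Security 4688 / Sysmon 1 events.
        print(f"{r['TelemetryName']}: pid {r['ProcessID']} {r['ImagePath']} -> "
              f"{r['TargetFileName']} created {r['CreationTimeUtc']:%Y-%m-%dT%H:%M:%SZ} "
              f"(logged locally as {r['CreationTime']})")
```

For the posted block the FILETIME decodes to 2022-09-05T00:43:50Z, seven hours ahead of the local CreationTime, so the session-0 cmd.exe (PID 4656) that launched powershell.exe is what the 4688/Sysmon record for that UTC second will name, together with its own parent.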
