Microsoft Security Essential’s Real Time Protection Getting Turned Off

Problem Statement: The real time protection feature of Microsoft Security Essentials (MSE) was observed to be getting turned off for no obvious reason.

How the issue happens:

Upon first boot up and login using an Administrator account, it works fine, and the real time protection is enabled and confirmed by the presence of a green icon for MSE. Using Fast User Switching, login happens to an account that is not an Administrator, and work is done in that account for a while. The MSE in this account is okay. When switched back to the Administrator account, it’s seen that the real time protection of MSE in this account is now turned off.

The issue was observed to happen only once every boot or reboot, and once that’s resolved, it doesn’t re-occur.

A question was posted in the Microsoft Community Forum to get the feedback of people who might also have experienced this issue. In checking the various forum posts, I’ve seen a number of people having a similar issue, but none that had any satisfying answer, at least not in this particular case.

A ticket was also submitted to Microsoft Customer Support. The solutions of the engineer were only partially followed.

Workarounds applied: The only thing that consistently resolved the issue for the short term was to log off and log back in to the account affected by this issue. A previous attempt to run a Quick Scan somehow forced real time protection to be enabled again, but this solution did not work consistently.

What has been attempted to resolve the issue:

1. Tried turning on real time protection using the button provided for it, but MSE just seemed to hang, so the issue was only resolved by logging off the account. When the Settings tab of MSE was checked, the option for real time protection was still checked despite MSE reporting that it’s turned off – this was confusing because the settings showed it’s checked but somehow not enabled.

2. Tried scanning the system using MSE; no viruses were found. Tried scanning using MalwareBytes (MBAM, on-demand version only, not the one with real-time protection); no viruses were found.

Notes:

• Per http://experts.windows.com/w/experts_wiki/89.aspx MBAM shouldn’t conflict with MSE.

• Prior to the time this issue was observed, no MBAM and MSE conflicts had been encountered. It’s highly doubtful that there were conflicts between these two anti-virus scanners, especially since MBAM was not providing real time protection, unlike (supposedly) MSE.

3. Tried scanning using the stand-alone root kit remover version of MBAM; no viruses found.

4. Tried scanning using Kaspersky’s TDSSKiller; no viruses found.

5. Tried restoring the system to a previous restore point, which was the last time this issue was not present, but the issue still came up.

6. Initially suspected that the issue was isolated to the Administrator account, which was running in the background (disconnected); however, was able to observe this issue with the non-Administrator account.

7. Initially suspected that the daily scheduled Quick Scan had something to do with it, but was able to recreate the issue after a Quick Scan completed, so this theory was ruled out.

8. Attempted to discover the cause of the issue using Process Monitor; this was run in the Administrator account while work was happening in the non-Administrator account. Unfortunately the log file collected was saved in CSV format and Excel could not open all the contents; it was able to open rows up to the point 15 minutes prior to the issue occurring, thus making the log useless for diagnostic purposes.

9. Successfully captured another Process Monitor session which contained the issue, and this time it was saved in the native format of the tool. Was successful this time in opening the log, but unfortunately did not find anything outstanding that could explain why real time protection was getting turned off. In fact, all indications in the logs showed that real time scanning was actually still working despite MSE reporting that it was turned off.

10. Microsoft Community forum post suggestion was to uninstall and reinstall MSE; with not many options left, decided to take this approach. Installer of MSE as well as an offline copy of the virus definition updates (KB971606) was downloaded. Machine was disconnected from the Internet. MSE was uninstalled, then reinstalled. Offline copy of the virus definition updates was installed. Machine was reconnected to the Internet, an update to the virus definitions was done again, and then a Quick Scan was performed; no viruses found.

11. Just for good measure, Windows Update was also run to check for the latest version of MSE and its virus definition files (it’s set to check other updates to Microsoft products, not just the operating system), and everything was still up to date. A fresh and up-to-date install of MSE is now active on the machine.
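
Relating to step 8 above, an added example (not part of the original post): reading a Process Monitor CSV export one row at a time, so its size no longer matters, and keeping only events from the MSE processes in a time window around the failure. The process names MsMpEng.exe and msseces.exe, the window times and the sample rows are assumptions constructed for illustration; the column names are Process Monitor's default CSV headers.

```python
import csv
import io
from datetime import datetime, time

# Assumption (not named in the post): MSE's service and UI process names.
MSE_PROCESSES = {"msmpeng.exe", "msseces.exe"}
# Assumption: window around the moment the icon changed state.
WINDOW = (time(10, 10), time(10, 20))

# Constructed sample rows; paths are placeholders, not real MSE paths.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:05.0000001 AM","explorer.exe","1200","CreateFile","C:\example\a.txt","SUCCESS",""
"10:12:40.5000000 AM","MsMpEng.exe","900","CreateFile","C:\example\b.dat","SUCCESS",""
"10:14:02.2500000 AM","msseces.exe","2400","RegQueryValue","HKLM\Example\Value","NAME NOT FOUND",""
"10:15:30.0000000 AM","svchost.exe","700","WriteFile","C:\example\c.log","ACCESS DENIED",""
"10:31:00.0000000 AM","MsMpEng.exe","900","CreateFile","C:\example\d.dat","ACCESS DENIED",""
'''

def parse_time_of_day(text):
    """Parse a 'Time of Day' value such as '10:15:32.1234567 AM'."""
    clock, _, meridiem = text.strip().partition(" ")
    clock = clock.split(".")[0]  # drop the sub-second digits
    fmt = "%I:%M:%S %p" if meridiem else "%H:%M:%S"
    return datetime.strptime(f"{clock} {meridiem}".strip(), fmt).time()

def filter_procmon_csv(lines, window=WINDOW, processes=MSE_PROCESSES):
    """Yield rows from the chosen processes whose time is inside the window.

    `lines` is any iterable of text lines, so an open file is read one row
    at a time and a very large export never has to fit in memory.
    """
    start, end = window
    for row in csv.DictReader(lines):
        if row["Process Name"].lower() not in processes:
            continue
        if start <= parse_time_of_day(row["Time of Day"]) <= end:
            yield row

def non_success(rows):
    """Keep events whose Result is not SUCCESS, a common first triage cut."""
    return [r for r in rows if r["Result"].upper() != "SUCCESS"]

if __name__ == "__main__":
    # For a real export: open(path, newline="", encoding="utf-8-sig")
    hits = list(filter_procmon_csv(io.StringIO(SAMPLE)))
    for r in non_success(hits):
        print(r["Time of Day"], r["Process Name"], r["Operation"], r["Result"])
```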

Resolution: Uninstalling and reinstalling MSE resolved the problem. This issue has not resurfaced.

Root Cause Analysis and Recommended Preventive Measures:

Root cause of the issue continues to be unknown, since the Process Monitor logs didn’t capture any error that can be obviously linked to real time scanning being reported as turned off while apparently still running.

I was advised that a regular Full Scan is needed to prevent this from happening; the daily scheduled Quick Scan was supposedly not sufficient. As new or updated software is introduced in the machine, MSE is not able to scan this as per Quick Scan which just checks essential system files. Thus, MSE will eventually report that it’s not running efficiently. The supposed reason doesn’t make sense – either that or I just don’t understand it. In any case, doing a regular Full Scan is still good advice to implement.
