Windows Defender scan on login the FSLogix VHD

  • Question

  • Windows Defender scans the FSLogix VHD on login. This takes a long time, so the disk is not mounted.

    Unfortunately, this cannot be switched off via PowerShell or GPO.


    Thomas Lauer

    Friday, November 22, 2019 3:10 PM

Answers

  • Hello, we have just received the following update:

    Signature version 1.305.2813.0 was published about 1 hour ago and should address this issue – and clients will update automatically in the next 24 hours. Impacted users can force an update (either from WU or from WD UX (or via manageability interfaces)). Please report if issues are still being seen with this indicated version.

    Regards,

    Brent

    Monday, November 25, 2019 11:28 PM
    Owner
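The accepted answer says the fix is signature version 1.305.2813.0 and that impacted clients can force the update. The script below is an added example (not code from the thread or from the FSLogix project): it checks each host's installed signature version against that build, forces a signature update where the host is still older, and turns real-time monitoring back on where it had been disabled as a workaround. The server list is a constructed placeholder.

```powershell
# Added example, not from the thread. Reports which hosts still run a Defender signature
# older than the fixed build named in the answer (1.305.2813.0), forces an update on those,
# and re-enables real-time monitoring once the fixed signatures are present.
$Servers      = @('SRV01', 'SRV02')        # constructed placeholder list; replace with your hosts
$FixedVersion = [version]'1.305.2813.0'    # version cited in the accepted answer

$Results = Invoke-Command -ComputerName $Servers -ArgumentList $FixedVersion.ToString() -ScriptBlock {
    param([string]$FixedString)
    $fixed   = [version]$FixedString
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion

    if ($current -lt $fixed) {
        # Pull the newest signatures now instead of waiting for the 24-hour automatic window
        Update-MpSignature -ErrorAction SilentlyContinue
        $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    }

    if ($current -ge $fixed -and (Get-MpPreference).DisableRealtimeMonitoring) {
        # The fixed signatures are installed, so remove the workaround that left the host unprotected
        Set-MpPreference -DisableRealtimeMonitoring $false
    }

    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        SignatureVersion   = $current.ToString()
        HasFix             = ($current -ge $fixed)
        RealtimeMonitoring = -not (Get-MpPreference).DisableRealtimeMonitoring
    }
}

# Hosts with HasFix = False after this run still need the manual definition package
$Results | Sort-Object Host | Format-Table Host, SignatureVersion, HasFix, RealtimeMonitoring -AutoSize
```

Hosts where the Defender feature was removed or turned off by computer policy (the other workarounds in this thread) are not covered by this script; those need the policy reverted and a reboot before the check is meaningful.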

All replies

  • Seeing the same problem on one of our clients.

    As a temp workaround we ended up fully removing Defender and rebooting, as even after excluding the VHDX files and the path where the containers are stored we were still having logon issues.

    Suspect something has changed in Defender's behavior with mounted volumes, as it seems to be ignoring exceptions, so I'm suspecting it's scanning the mounted image, not the file or storage the containers are on.


    Friday, November 22, 2019 7:43 PM
  • Hello,

    What OS version(s) are you seeing this on? And what Defender version(s)?

    Long scans will definitely cause issues so we need to get this fixed.

    Regards,

    Brent

    Friday, November 22, 2019 10:35 PM
    Owner
  • Hello,

    We would like to capture a ProcMon of this issue. Let me know if you might be able to do this.

    Regards,

    Brent

    Friday, November 22, 2019 11:36 PM
    Owner
  • Hi Brent, the OS is Server 2016, with Defender .2599 and later. With Defender .880 no problems. Best regards, Thomas

    Thomas Lauer

    Saturday, November 23, 2019 7:33 PM
  • What do you need from ProcMon?

    Thomas Lauer

    Saturday, November 23, 2019 7:35 PM
  • We think we have the same problem with User Profile Disks (UPD).

    Thomas Lauer

    Monday, November 25, 2019 7:36 AM
  • Our FSLogix Customers (on different platforms) are experiencing the same. On VHD attach system hangs for 8 minutes. When we disable Windows Defender all goes fine. This is certainly not a solution.
    Monday, November 25, 2019 8:25 AM
  • Hi Brent,

    I have a ProcMon log.
    Please contact me for an upload at lauer@glsh.net

    Regards,

    Thomas



    Thomas Lauer

    Monday, November 25, 2019 9:08 AM
  • Hi mbraak, how do you disable Defender?


    Thomas Lauer

    Monday, November 25, 2019 9:09 AM
  • Hi Thomas,

    Control Panel -> Windows Defender -> Click on Settings -> Disable the Real-time protection

    Or use PowerShell:

    Set-MpPreference -DisableRealtimeMonitoring $true

    Monday, November 25, 2019 9:38 AM
  • Hi mbraak, thanks. At the moment we are testing disabling everything.


    Thomas Lauer

    Monday, November 25, 2019 9:57 AM
  • Unfortunately that does not help us. The login still takes a long time.

    Thomas Lauer

    Monday, November 25, 2019 10:08 AM
  • Windows Defender scans the FSLogix VHD on login. This takes a long time, so the disk is not mounted.

    Unfortunately, this cannot be switched off via PowerShell or GPO.


    Thomas Lauer

    Hi Thomas,

    We had the same problem since Friday on Windows 10 1809

    What we did was disable Windows Defender Antivirus in GPO (Computer Configuration / Administrative Templates / Windows Components / Windows Defender Antivirus / Turn off Windows Defender Antivirus).

    As a workaround so the people can work.

    I hope this helps you.

    Kind Regards,

    Ben


    Monday, November 25, 2019 10:28 AM
  • Hi Ben, does this need a reboot?

    Thomas Lauer

    Monday, November 25, 2019 10:30 AM
  • Hi Thomas,

    We have removed the Defender feature on all our RDS servers 2016-2019 with FSLogix with a script and it works.

    Monday, November 25, 2019 10:30 AM
  • Maybe you are experiencing the other issue causing slow logins (registry bloat due to firewall and notification entries in the registry).

    Just google slow login registry bloat and you will find info on that.

    Monday, November 25, 2019 10:46 AM
  • So you are running completely unprotected now on your frontend servers?

    That's a very nasty workaround asking for bigger issues, I'm afraid.

    Monday, November 25, 2019 10:47 AM
  • Hi Ben, does this need a reboot?

    Thomas Lauer

    Yes, because this is a computer policy you need to reboot the machine.

    After reboot you can check in services.msc if the defender service is disabled.

    Kind Regards,

    Ben

    Monday, November 25, 2019 10:48 AM
  • So you are running completely unprotected now on your frontend servers?

    That's a very nasty workaround asking for bigger issues, I'm afraid.

    No, we don't.

    This is a Citrix environment (VDI Win10 1809) with Software Restriction Policies; Defender was just an extra for us.

    Kind Regards,

    Ben


    Monday, November 25, 2019 10:57 AM
  • Hi Brent, do you have any feedback to this thread?

    Thomas Lauer

    Monday, November 25, 2019 2:54 PM
  • We are having the same issue. Starting Friday Server 2016, exactly 4 minute delay at login. Disabling Windows Defender eliminates the delay.

    • Edited by S, Andrew Monday, November 25, 2019 4:28 PM
    Monday, November 25, 2019 3:21 PM
  • FSLogix Support has confirmed this issue. See text below:

    To temporarily fix this problem, add an exception in the antivirus program for FSLogix processes. Since our code does not create any new data from outside of your environment, it is of no risk.

    Antivirus Exclusions:

    Some antivirus programs scan on access, which can get in the way at logon. This can be fixed by excluding VHD (or VHDX) files from being scanned in the Users and the Windows\Temp folders.

    Path: C:\Program Files\FSLogix

    Exclude frxdrv.sys, frxdrvvt.sys, frxccd.sys drivers

    Exclude frxccd.exe, frxccds.exe, frxsvc.exe processes

    Path: C:\Windows\TEMP

    Exclusion: Exclude .VHD and .VHDX

    Path: Profile Root Path (wherever your FSLogix profiles are stored)

    Exclusion: Exclude .VHD and .VHDX for folder and subfolders

    Additionally we had to disable "Realtime monitoring".

    After these changes everything was working fine again.

    Btw: this happens also to Citrix UPM if you use Outlook Search Index Roaming.

    Monday, November 25, 2019 3:42 PM
  • Same issue as well. Based on the comments in the Hotfix release thread, many users are having this issue starting from last week, regardless of what exceptions Defender has in place for FSLogix or what version of FSLogix they are running.
    Monday, November 25, 2019 3:43 PM
  • Hello Bernd,

    We are also troubleshooting the problem and we (with mbraak) have confirmed it's somewhere in the definition updates. Using the base definitions supplied by the image (1607) there is no problem, when updating the definitions the problem occurs. 

    Monday, November 25, 2019 3:50 PM
  • I do not think that it is a problem of FSLogix. A Defender update from the end of last week has triggered the problem.

    Thomas Lauer

    Monday, November 25, 2019 4:21 PM
  • I agree, we've demonstrated that servers without FSLogix are affected.
    Monday, November 25, 2019 4:27 PM
  • Hi guys,

    To quickly disable the realtime monitor one could use this script. I know some of you disable it with GPO but I don't like to wait :) We have currently stopped the troubleshooting and are calling it an evening.

    # Disable Defender real-time monitoring on each listed server via PowerShell remoting
    $Servers = @( 'SRV01', 'SRV02', 'SRV03', 'SRV04', 'SRV05' )
    ForEach ($Server in $Servers) {
        Write-Host ('Disabling Windows Defender Realtime Monitor on: ' + $Server)
        Invoke-Command -ComputerName $Server -ScriptBlock { Set-MpPreference -DisableRealtimeMonitoring $True }
    }

    For people who disable the real-time scanner please deploy a scheduled task to do a quick scan every 15-30 minutes. 

    <?xml version="1.0" encoding="UTF-16"?>
    <Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
      <RegistrationInfo>
        <Author>DOMAIN\Administrator</Author>
        <URI>\Windows Defender Quick Scan</URI>
      </RegistrationInfo>
      <Triggers>
        <CalendarTrigger>
          <Repetition>
            <Interval>PT15M</Interval>
            <Duration>P1D</Duration>
            <StopAtDurationEnd>true</StopAtDurationEnd>
          </Repetition>
          <StartBoundary>2019-11-25T06:30:00</StartBoundary>
          <ExecutionTimeLimit>PT30M</ExecutionTimeLimit>
          <Enabled>true</Enabled>
          <ScheduleByDay>
            <DaysInterval>1</DaysInterval>
          </ScheduleByDay>
        </CalendarTrigger>
      </Triggers>
      <Principals>
        <Principal id="Author">
          <UserId>S-1-5-18</UserId>
          <RunLevel>HighestAvailable</RunLevel>
        </Principal>
      </Principals>
      <Settings>
        <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
        <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
        <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
        <AllowHardTerminate>true</AllowHardTerminate>
        <StartWhenAvailable>false</StartWhenAvailable>
        <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
        <IdleSettings>
          <Duration>PT5M</Duration>
          <WaitTimeout>PT1H</WaitTimeout>
          <StopOnIdleEnd>false</StopOnIdleEnd>
          <RestartOnIdle>false</RestartOnIdle>
        </IdleSettings>
        <AllowStartOnDemand>true</AllowStartOnDemand>
        <Enabled>true</Enabled>
        <Hidden>true</Hidden>
        <RunOnlyIfIdle>false</RunOnlyIfIdle>
        <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
        <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
        <WakeToRun>false</WakeToRun>
        <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
        <Priority>7</Priority>
      </Settings>
      <Actions Context="Author">
        <Exec>
          <Command>C:\Program Files\Windows Defender\MpCmdRun.exe</Command>
          <Arguments>-Scan -ScanType 0</Arguments>
        </Exec>
      </Actions>
    </Task>

    Better something than nothing.


    • Edited by PStruik Monday, November 25, 2019 7:11 PM
    Monday, November 25, 2019 6:35 PM
  • Hi pstruik,

    Disabling the realtime scanner (Set-MpPreference -DisableRealtimeMonitoring $True)

    doesn't solve the problem.

    Only uninstalling or deactivating Windows Defender solved the problem.

    Regards,

    Thomas


    Thomas Lauer

    Monday, November 25, 2019 7:07 PM
  • Windows Defender scans the FSLogix VHD on login. This takes a long time, so the disk is not mounted.

    Unfortunately, this cannot be switched off via PowerShell or GPO.


    Thomas Lauer

    We are currently working with the Windows Defender team to understand this issue and drive to resolution. Right now this appears to have been caused by a definitions update in Defender. I will update when I know more from them.
    Monday, November 25, 2019 7:08 PM
  • Hello Thomas,

    I have done this on 30 servers with no problem, others are reporting that disabling the Realtime Monitor "solves" the problem. I just corrected my PowerShell command because it was missing a bracket.

    I hope that by tomorrow Microsoft has a solution.

    Monday, November 25, 2019 7:17 PM
  • FSLogix Support has confirmed this issue. See text below:

    To temporarily fix this problem, add an exception in the antivirus program for FSLogix processes. Since our code does not create any new data from outside of your environment, it is of no risk.

    Antivirus Exclusions:

    Some antivirus programs scan on access, which can get in the way at logon. This can be fixed by excluding VHD (or VHDX) files from being scanned in the Users and the Windows\Temp folders.

    Path: C:\Program Files\FSLogix

    Exclude frxdrv.sys, frxdrvvt.sys, frxccd.sys drivers

    Exclude frxccd.exe, frxccds.exe, frxsvc.exe processes

    Path: C:\Windows\TEMP

    Exclusion: Exclude .VHD and .VHDX

    Path: Profile Root Path (wherever your FSLogix profiles are stored)

    Exclusion: Exclude .VHD and .VHDX for folder and subfolders

    Additionally we had to disable "Realtime monitoring".

    After these changes everything was working fine again.

    Btw: this happens also to Citrix UPM if you use Outlook Search Index Roaming.

    I've implemented these exclusions as well as disabling monitoring (note, this does not mean disabling realtime protection, just monitoring) and mine is working now too. Exclusions didn't get me anywhere; I only saw improvement after disabling monitoring.

    Exclude Files: 
    %ProgramFiles%\FSLogix\Apps\frxdrv.sys
    %ProgramFiles%\FSLogix\Apps\frxdrvvt.sys
    %ProgramFiles%\FSLogix\Apps\frxccd.sys
    %TEMP%\*.VHD
    %TEMP%\*.VHDX
    %Windir%\TEMP\*.VHD
    %Windir%\TEMP\*.VHDX
    \\server\share\*\*.VHD
    \\server\share\*\*.VHDX

    Exclude Processes
    %ProgramFiles%\FSLogix\Apps\frxccd.exe
    %ProgramFiles%\FSLogix\Apps\frxccds.exe
    %ProgramFiles%\FSLogix\Apps\frxsvc.exe


    • Edited by kevin schumaker Monday, November 25, 2019 7:53 PM added exclusions
    Monday, November 25, 2019 7:47 PM
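The exclusion list above is the standard FSLogix guidance, and several posters note it did not by itself cure this particular signature bug. As an added example (not from the thread, not the script Thomas linked), this applies the listed file and process exclusions with Add-MpPreference and reads them back so you can see which ones Defender actually recorded. The profile share path is a placeholder.

```powershell
# Added example, not from the thread. Applies the FSLogix exclusions listed in the post above
# and verifies them against Get-MpPreference; unapplied entries are reported as warnings.
$ProfileShare = '\\server\share'                          # placeholder for your profile container share
$FsLogixApps  = Join-Path $env:ProgramFiles 'FSLogix\Apps'

# File/path exclusions: the three drivers plus VHD/VHDX in the temp folders and on the share
$Paths = @(
    (Join-Path $FsLogixApps 'frxdrv.sys'),
    (Join-Path $FsLogixApps 'frxdrvvt.sys'),
    (Join-Path $FsLogixApps 'frxccd.sys'),
    "$env:TEMP\*.VHD",        "$env:TEMP\*.VHDX",
    "$env:windir\TEMP\*.VHD", "$env:windir\TEMP\*.VHDX",
    "$ProfileShare\*\*.VHD",  "$ProfileShare\*\*.VHDX"
)

# Process exclusions: files opened by these FSLogix processes are not scanned on access
$Processes = @('frxccd.exe', 'frxccds.exe', 'frxsvc.exe' | ForEach-Object { Join-Path $FsLogixApps $_ })

Add-MpPreference -ExclusionPath $Paths -ExclusionProcess $Processes

# Read the effective configuration back; a missing entry means the call silently did not apply it
function Get-MissingExclusion {
    $pref = Get-MpPreference
    @($Paths     | Where-Object { $pref.ExclusionPath    -notcontains $_ }) +
    @($Processes | Where-Object { $pref.ExclusionProcess -notcontains $_ })
}

$missing = Get-MissingExclusion
if ($missing) { Write-Warning ("Exclusions not applied:`n" + ($missing -join "`n")) }
else          { Write-Output 'All FSLogix exclusions are present in the Defender preferences.' }
```

Run it elevated on each session host (or inside Invoke-Command, as in PStruik's script); keep the exclusion set this narrow, since every extra path or process is a scanning gap.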
  • No, only disabling Real Time Scanning works for now, I'm afraid.

    Hope Microsoft will fix this issue with the most urgency because of the huge impact on security, performance and stability for a lot of customers. Their own WVD solution also suffers this issue, so hopefully that will make it a high priority for Microsoft developers.

    Monday, November 25, 2019 7:54 PM
  • Can you explain what the difference is between disabling real-time protection, as opposed to disabling real-time monitoring? All of my online research is showing that those are one and the same.
    Monday, November 25, 2019 8:28 PM
  • I have made a PowerShell script to set the excludes

    https://github.com/glshnu/Powershell/blob/master/WIndows%20Defender/SetDefenderExcludesFSLogix.ps1

    Thanks to the community; the community makes life easier.

    Thomas


    Thomas Lauer

    Monday, November 25, 2019 8:45 PM
  • Hello,

    It is a very high priority. The most recent communication I have seen says that a Defender definition update is in the works.

    Regards,

    Brent

    Monday, November 25, 2019 9:01 PM
    Owner
  • There is also another newer version (1.305.2830.0).

    However, the Microsoft Definition Update Servers still only publish the old 1.305.2783.0 version, so I think we have to wait until Microsoft releases the version for download?!?

    Maybe the manual download will work.. Will try that out.

    Tuesday, November 26, 2019 7:11 AM
  • @brbish - Do we know if the issue was related to network inspection rather than scanning the file system? I saw ~240 second pauses in packet traces between subsequent SMB read requests, like the data was being scanned before the next read could be issued.

    I've had issues with AOVPN clients which started on Friday and are now magically working.

    -- Richard Carde



    Tuesday, November 26, 2019 7:20 AM
  • I did a manual install of the updated definitions and I can confirm it fixes the issue!

    I don't know when MS will start pushing the updated definition through the MS Definition Update servers, but you can download the manual installer at https://www.microsoft.com/en-us/wdsi/defenderupdates

    Tuesday, November 26, 2019 7:30 AM
  • Hello,

    As far as I was able to see, it was an issue with an update to the definitions themselves. So, no information that it was related to network inspection.

    Regards,

    Brent

    Tuesday, November 26, 2019 9:12 PM
    Owner
  • This was the answer of MS Support:

    We have received the following Update on Windows Defender issue:

    We got an internal report on the root cause for it (some recent signature changes).

    Signature version 1.305.2813.0 was published and should address this issue – and clients will update automatically in the next 24 hours. Impacted users can force an update (either from WU or from WD UX (or via manageability interfaces)).

    Also seen in here:

    https://social.msdn.microsoft.com/Forums/en-US/dcd86de9-e092-49b4-b2a1-20e1943bbdc5/release-notes-for-fslogix-apps-1909-hf01-29723748865-hotfix?forum=FSLogix&prof=required

    Wednesday, November 27, 2019 9:16 AM