The Next-Gen Antivirus uses the Anti-Malware SDK Protected Service to disable Windows Defender and to register itself as the Antivirus in Windows Security Center. When something disrupts this flow, the following issues can occur:
1. Next-Gen Antivirus incompatibilities detected (on legacy engine/Avira)
2. Next-Gen Antivirus does not register in Windows Security Center (legacy engine/Avira)
3. Next-Gen Antivirus reports a file as infected but the file is surely clean (false positive)
Next-Gen Antivirus incompatibilities detected (legacy engine/Avira)
BEHAVIOR: the Next-Gen Antivirus displays the Incompatibilities detected message.
SOLUTION: this issue happens when two or more Antivirus products are registered in the WMI (under Security Center), either because two (or more) Antivirus products are installed on the endpoint, or because uninstalling the old Antivirus product did not remove all of its entries from the Windows Registry. To solve this case, follow the steps below:
1. Open Command Prompt (as an Administrator) and run the command lines below:
sc config winmgmt start= disabled
net stop winmgmt /y
winmgmt /salvagerepository %windir%\system32\wbem
winmgmt /resetrepository %windir%\system32\wbem
sc config winmgmt start= auto
2. Restart the computer.
This should clear the leftover entries and allow the Next-Gen Antivirus to run normally.
If none of the steps above fix the issue, please reach out to the HEIMDAL Security Support Team.
Next-Gen Antivirus does not register in Windows Security Center (legacy engine/Avira)
BEHAVIOR: the Next-Gen Antivirus does not register in Windows Security Center and this is why Windows Defender shows as active.
SOLUTION: in order to disable Windows Defender, the HEIMDAL Agent installs the Anti-Malware SDK Protected Service (amselam.sys) that takes care of everything. If there's an issue in this flow, the HEIMDAL Agent will not be able to disable Windows Defender. To troubleshoot this case, go through the following steps:
1. Make sure the Anti-Malware SDK Protected Service is running (open services.msc as an Administrator and check the service status):
If it's not running, try starting it. Make sure the Startup Type is set to Automatic.
2. If the Anti-Malware SDK Protected Service is not present among the services, open the File Explorer, navigate to C:\Program Files (x86)\Heimdal\AntivirusEngine (the path can differ if the HEIMDAL Agent has been installed in another location), look for ams_setup.log and open it. See if there's an error in the ams_setup.log file and reach out to the HEIMDAL Security Support Team.
3. If the Anti-Malware SDK Protected Service is running and there are no errors in ams_setup.log, there must be an issue with the WMI. One way to fix this is to uninstall the HEIMDAL Agent, delete all the AntiVirusProducts registered in SecurityCenter2, reboot the computer, and reinstall the HEIMDAL Agent:
a. Uninstall the HEIMDAL Agent;
b. Open an elevated Command Prompt and run the following command to see the AntiVirusProducts that are registered in the WMI (you can see them with another tool like WMIExplorer):
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct get * /value
c. Run the Windows Management Instrumentation Tester with the following command:
wbemtest
Click the Connect... button and enter root\securitycenter2 and click Connect.
Click the Query button and type SELECT * from Antivirusproduct and hit Apply.
Select the discovered AntiVirusProducts and delete them.
d. Reboot the computer;
e. Reinstall the HEIMDAL Agent.
The ThorVigilance should now be registered under the Windows Security Center.
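The read-only checks from steps 1 to 3 can also be scripted; the PowerShell below is an added example, not HEIMDAL tooling, and it uses Get-CimInstance so it also works where the wmic tool is not installed. It assumes the default install path named above, treats any ams_setup.log line containing "error" or "fail" as worth reading (an assumption, since the log format is not described here), and flags registrations whose product executable is missing on disk as likely leftovers of an uninstalled Antivirus.

```powershell
# Read-only diagnostics; run from an elevated PowerShell prompt. Nothing is modified.
# Assumption: default install path from this article; adjust if the agent lives elsewhere.
$engineDir = 'C:\Program Files (x86)\Heimdal\AntivirusEngine'

# Step 1: service state and startup type, looked up by the display name shown in services.msc.
$svc = Get-Service -DisplayName 'Anti-Malware SDK Protected Service' -ErrorAction SilentlyContinue
if ($svc) {
    '{0}: Status={1}, StartType={2}' -f $svc.DisplayName, $svc.Status, $svc.StartType
} else {
    'Anti-Malware SDK Protected Service is not present; review ams_setup.log (step 2).'
}

# Step 2: surface suspicious lines from ams_setup.log (keyword match is a heuristic).
$log = Join-Path $engineDir 'ams_setup.log'
if (Test-Path -LiteralPath $log) {
    Select-String -LiteralPath $log -Pattern 'error|fail' | Select-Object -Last 20 |
        ForEach-Object { 'ams_setup.log:{0}: {1}' -f $_.LineNumber, $_.Line.Trim() }
} else {
    "No ams_setup.log found in $engineDir"
}

# Step 3: list what is registered in root\SecurityCenter2.
# The namespace may be missing (for example on Windows Server), so handle the failure.
try {
    $products = @(Get-CimInstance -Namespace 'root/SecurityCenter2' `
                  -ClassName AntiVirusProduct -ErrorAction Stop)
} catch {
    "Cannot query root\SecurityCenter2: $($_.Exception.Message)"
    $products = @()
}
foreach ($p in $products) {
    $exe = [Environment]::ExpandEnvironmentVariables([string]$p.pathToSignedProductExe).Trim('"')
    # Windows Defender registers a URI (windowsdefender://) instead of a file path.
    $isFile = $exe -and ($exe -notmatch '^\w+://')
    [pscustomobject]@{
        DisplayName     = $p.displayName
        InstanceGuid    = $p.instanceGuid
        ProductExe      = $exe
        ExeMissing      = $isFile -and -not (Test-Path -LiteralPath $exe)
        ProductStateHex = '0x{0:X6}' -f $p.productState
        LastChange      = $p.timestamp
    }
}
if ($products.Count -gt 1) {
    "$($products.Count) AntiVirusProduct instances registered; entries with ExeMissing=True are cleanup candidates."
}
```

Record the InstanceGuid of each entry before deleting anything in wbemtest, so the deletion can be matched against what was removed.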
Next-Gen Antivirus reports a file as infected but the file is surely clean (false positive)
BEHAVIOR: Next-Gen Antivirus reports a file as infected but the file is surely clean (false positive).
SOLUTION: false positives (false alarms) are harmless files that are incorrectly identified as malicious. Software programs that behave like malware or use identical file compression and protection techniques are susceptible to false alarms. If you think a false positive has been detected, please check the file again with the latest VDF (virus definition file) update. The Next-Gen Antivirus VDFs are constantly updated with new signatures and in some cases.
In case the Next-Gen Antivirus is running an older VDF version, you can manually force a VDF update with the following procedure:
1. Open Command Prompt (as an Administrator).
2. Run the following command line:
"C:\Program Files (x86)\Heimdal\AntivirusEngine\avupdate.exe" --config=heimdal-avupdate-engine.conf --force-update