Could Bitdefender be interfering with WMC extenders?


This is a relatively recent symptom I'm tearing my hair out chasing, so I'm wondering if it's due to a relatively recent change in Bitdefender 2019 Total Security that might have been rolled out.  I say this because the problem was NEVER EVER PRESENT before the past week or two at most.  In fact I'm sure it didn't exist as recently as May 28, which is when I happened to have taken a "Gold" system image backup of my Win7 HTPC system because everything was running so perfectly for the past month or two that I didn't want to miss the opportunity to capture "perfection" and make it my fall-back conceptual emergency restart restore point, should something go south in the future.


Coincidentally, I believe a new component update to BitDefender 2019 Total Security also was pushed out on May 28 (as that was the "installed date" showing in Control Panel). I am very suspicious of some change to the firewall handling in BitDefender that has been going on since May 28, as the likely reason for my current problems this past week.


So, unexpectedly things now HAVE somehow "gone south" in the past week.  In desperation I decided two days ago (June 4) to restore that May 28 "Gold" system image in hopes that "stability and perfection" would return. But I'm afraid it hasn't. I know my system was "perfect" for real on May 28, but now restoring that "Gold" system image from May 28 has not corrected my problems and gotten me back to "perfection". Instead, my recent problems persist.


So now I'm suspicious of software I really have no control over and which might be responsible for my symptoms, namely Bitdefender and its product updates (to 23.0.24.120 currently dated 6/5/2019 at 5:15PM but I think it originally came out back on May 28).  I'm sure that even if I restored a system image which didn't include this latest update, that before too long the product would just automatically re-update itself to the latest version. So if there is a firewall problem in this latest version, it would continue to be present today returning within a short time, even if I restored my May 28 system image backup.  In other words going back to my May 28 "Gold" backup wouldn't be accomplishing anything permanently if it is Bitdefender which is at fault.  The symptom I'm fighting would return within a short time I'm sure, if in fact Bitdefender is really the culprit.


 


I run a Win7 HTPC using Windows Media Center as my DVR.  I have four HDTV's around the house, each one connected to a WMC extender (connected via ethernet/LAN to the HTPC) in order to deliver TV content to each TV location.  Each extender is a Linksys DMA2100 which has a power-on/off button.  After power-on there is a "Remote Desktop Protocol (RDP)" session connection to the HTPC, which is the RDP host.  Each extender is its own unique RDP userid and a "remote connection" occurs at power-on.  Conversely, at power-off there is a logoff/disconnect of that RDP session.


All four of the extenders can be active and running and connected to the HTPC simultaneously if I wanted to, which would therefore have four RDP sessions active simultaneously.  And as each one was powered-off via its remote, that associated RDP session would disappear.  Powering-on the extender would simply reinitiate a new RDP session and connection.


This is ALWAYS HOW THINGS HAVE WORKED, and is exactly how things are supposed to work.


So here's the symptom: my Windows Media Center extenders are no longer functioning properly when they are powered-off using the remote. This action should trigger a 117 "session enforcement" warning event appearing in Event Viewer, with a message of "The Media Center Extender user was abruptly disconnected". This is perfectly normal and is the counterpart to the 115 information event also appearing in Event Viewer when the extender session is started by power-on using the remote, with a message of "The Media Center Extender session was established".


What is happening since May 28 is that there is no longer a 117 event occurring at power-off, as if for some reason it appears there is no detection of the "abrupt disconnect" action. This in turn leaves the RDP extender session "active" even after it's genuinely been powered-off by its remote. And the effect of this is that a new extender RDP session cannot be newly initiated using power-on of the remote, since the old RDP session is actually still active!!  And this cannot be cleared up by any other means than a forced re-booting of the HTPC, which is completely unwanted and undesirable!


 


Ok. Earlier tonight I decided that maybe I could solve this problem (cause still unknown) by deleting and re-adding an extender, going through the normal WMC extender setup and configuration from scratch.  So I did that.


And then I reviewed the contents of Event Viewer, where I now saw that the expected 115/117 events which should be there every day (as I watch TV around my house, powering on and off the extenders) were surprisingly NOT present since May 28! But then I also realized this could surely be because of my restore a day or two ago of that "Gold" system image taken on May 28. So the Windows Event Viewer log obviously re-started from that May 28 image, obviously wiping out whatever might have naturally been placed there in the past week.  Nevertheless, nothing from yesterday or today appears there... no 115/117 from today.


At least not until this evening, when I did the delete/re-add of an extender, as my attempt to see if I could get things working again by a whole new extender setup (i.e. RDP user defined).


And it was in the review of the Event Viewer after tonight's delete/re-add of the extender that I noticed unexpected messages in the log regarding "firewall discovered", and "Bitdefender firewall", and what might perhaps be an indication of a problem relating to WMC extenders and their RDP connection/sessions, all stemming from something new in BitDefender's firewall processing since May 28 in the latest product version.


That's my story. I definitely have a problem. I am NOT seeing 115/117 events in the Event Viewer log since May 28, as have always been present before when I power-on/off my extenders. And because of this the RDP sessions are remaining active, and I cannot power-on and connect a second time from the same extender (since the first RDP session is still active), forcing me to re-boot the HTPC which is obviously not what I want to be doing.


 


One additional factoid that's relevant. It SHOULD be possible to manually terminate an RDP session using an Administrator Command Prompt window.  You then "query" for any active RDP sessions using the QWINSTA command.  If any extender RDP sessions have been initiated, they will show up as "active" with their session name and ID, either of which can then be used to terminate them manually.


And once the session name/ID is known, in theory that RDP session can be manually stopped using the RWINSTA command, which identifies the target RDP session to be killed either by its user name or session ID.  In theory.


However the RWINSTA command IS NOT WORKING! About a minute goes by and then the command prompt line returns, as if it had taken that long to manually terminate the RDP session. But if I then do another QWINSTA I see that the extender RDP session is STILL ACTIVE AND RUNNING!  In fact it has NOT been killed at all!


So, might the latest BitDefender now be "protecting" me somehow in a new way, through its newly updated firewall protections?  Might it not realize that WMC extenders are perfectly normal RDP devices that want to establish RDP sessions and will eventually have an "abrupt disconnect" when the extenders are powered-off, and that the RDP sessions should be allowed to be terminated?  Why can't RWINSTA manually terminate the session like it's supposed to be able to do?


I am very shortly going to uninstall BitDefender (or at least deactivate all of its protections, including firewall), just to test out my theory that this MAJOR PROBLEM with WMC extender/RDP session misbehavior is absolutely coming from BitDefender... or not.


 


Thoughts?
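Added example, not part of the original post: one way to check an exported event list for the symptom described above, a 115 (session established) with no matching 117 (abrupt disconnect). The three-column export format, the `Mcx1-HTPC` style user names, and the use of a 6005 row as a reboot marker are assumptions made for this sketch, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime

SESSION_START = 115  # "The Media Center Extender session was established"
SESSION_END = 117    # "The Media Center Extender user was abruptly disconnected"
BOOT = 6005          # assumption: boot marker row merged in from the System log

# Constructed sample export: timestamp, event id, extender user (not real data).
SAMPLE = """\
2019-05-27 19:02:11,115,Mcx1-HTPC
2019-05-27 22:40:03,117,Mcx1-HTPC
2019-06-05 18:15:42,115,Mcx1-HTPC
2019-06-05 18:20:10,115,Mcx2-HTPC
2019-06-05 21:05:37,117,Mcx2-HTPC
2019-06-05 23:30:00,6005,
2019-06-06 19:01:09,115,Mcx1-HTPC
"""


def find_unterminated(export_text):
    """Return (user, start time, outcome) for every 115 that never got a 117."""
    open_sessions = {}  # extender user -> start time of the session still open
    findings = []
    for ts, event_id, user in csv.reader(io.StringIO(export_text)):
        # Parse the timestamp so a malformed row fails loudly instead of silently.
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").isoformat(sep=" ")
        event_id = int(event_id)
        if event_id == SESSION_START:
            if user in open_sessions:
                # A second 115 for the same user with no 117 in between.
                findings.append((user, open_sessions[user], "restarted without 117"))
            open_sessions[user] = when
        elif event_id == SESSION_END:
            open_sessions.pop(user, None)
        elif event_id == BOOT:
            # A reboot tears down every session that was left dangling.
            for name, started in sorted(open_sessions.items()):
                findings.append((name, started, "cleared by reboot"))
            open_sessions.clear()
    # Anything still open at the end of the export has no disconnect at all.
    for name, started in sorted(open_sessions.items()):
        findings.append((name, started, "still open"))
    return findings


if __name__ == "__main__":
    for user, started, outcome in find_unterminated(SAMPLE):
        print(f"{user}: session from {started} has no 117 ({outcome})")
```

Sessions reported as "still open" are the ones to compare against the QWINSTA listing.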

Comments

  • DSperber
    DSperber ✭✭✭


    For reference, here is a screenshot of my Event Viewer log.  Note the normal pairs of 115/117 entries dated 5/28 and older.  And also note no such pairs of 115/117 since then. Yes, restoring my "Gold" image backup from 5/28 restarted things, but that was done a day or two ago. And I've been watching TV through extenders for the past few days. So at the very least there should be SOME of the 115/117 pairs of events, if they occurred... unless they didn't occur.  Or unless the manual forced re-boot caused by the hangup of extender RDP sessions resulted in a loss of event logging of those 115/117 events which might have simply still been in-memory.


    Also, here are the events recently logged earlier tonight, when I deleted/re-added an extender. It was in this sequence that I first saw that somehow WMC was at least discovering some Bitdefender firewall involvement that was perhaps affecting things negatively.


    6/6/2019 6:51:23PM 575 event - Media Center Extender Setup started with the following settings


    6/6/2019 6:51:23PM 581 event - Media Center Extender Setup has determined that the Windows Firewall is enabled in the Home profile


    6/6/2019 6:51:23PM 572 event - Media Center Extender Setup found the following firewalls:  Bitdefender Firewall


     


    Again, it is the 117 event ("abruptly disconnected") resulting from power-off of the extender that is so critical. This indicates that the RDP session has been terminated, and thus allows a new RDP session to be initiated when the next power-on of the extender occurs and the next 115 event gets logged.


    Otherwise, failing to get a 117 corresponds to preventing that extender from ever being successfully connected to the HTPC and used again in a new RDP session until the HTPC is re-booted.

    WMC-extender-events-01.jpg

  • DSperber
    DSperber ✭✭✭
    edited June 2019


    Well, I disabled all of BitDefender functionality through the "Protection" items, rather than taking the extreme step of uninstalling and having to reinstall and re-customize.  Presumably I am now operating without BitDefender firewall.  And it still makes no difference. I get 115 events when powering-on extenders but still get no 117 when powering-off.


    And still, when I try to manually terminate the RDP extender session with RWINSTA, it still has no effect other than to take about a minute to finally come back.


    Now I did observe that there was a suspicious process showing up in Task Manager that was related to the extender RDP user, and that was "NVidia Web Helper.exe".  Research reveals this is tied to GeForce Experience, with many people complaining about it sucking up resources, CPU, search/index time, etc., and offering assorted ways as to how it can be killed, stopped from starting, or plain uninstalling it.


    I'm not a gamer and only installed GeForce Experience (again... VERY SUSPICIOUSLY ON MAY 28!) to make it easier and more automatic to install nVidia driver updates when they are released.  I don't have any urgent need for that, but I just do. Since it could NOT be "ended" using Task Manager (probably related to why I'm still not getting the 117 event, because something still yet unknown is preventing that RDP task from being terminated either naturally or manually), I decided simply to completely uninstall GeForce Experience (at least as part of this search-and-destroy mission to figure out what's causing my current extender problem).


    Unfortunately, even after uninstalling GeForce Experience and re-booting yet again, I STILL CANNOT GET THE 117 EVENT ON POWER-OFF.  And I still cannot use RWINSTA to manually terminate the RDP task.


    So, there's no longer any GeForce Experience in my environment. And BitDefender has been completely disabled (though not uninstalled). So both of those possible culprits have been theoretically exonerated as possible culprits (unless I really do need to uninstall BitDefender). And yet, still, for some reason my extender sessions will not disconnect on power-off as they should and always have until this week.


     


    Still hunting.


     

    WMC-no-117.jpg

    WMC-QWINSTA-RWINSTA.jpg


  • Hello DSperber,


    We recommend that you temporarily uninstall Bitdefender in order to test if Bitdefender might be interfering with the WMC extender.


    Additionally, you may try a clean boot as well:


    [How to perform a clean startup]




    Step 1: Start the System Configuration Utility

    - click Start, click Run, type msconfig, and then click OK.

    - the System Configuration Utility dialog box is displayed.

    Step 2: Configure selective startup options

    - in the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.

    - click to clear the Process SYSTEM.INI File check box.

    - click to clear the Process WIN.INI File check box.

    - click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.

    - click the Services tab.

    - click to select the Hide All Microsoft Services check box.

    - click Disable All, and then click OK.

    - when you are prompted, click Restart to restart the computer.

    [How to return Windows to a normal startup mode]

    - click Start, and then click Run.

    - type msconfig, and then click OK.

    - the System Configuration Utility dialog box is displayed.

    - click the General tab, click Normal Startup - load all device drivers and services, and then click OK.

    - when you are prompted, click Restart to restart the computer.


    Let us know the results.

  • DSperber
    DSperber ✭✭✭


    What a POS! (sorry... lost my temper)


    Sure enough, it WAS BITDEFENDER (or its firewall) which was responsible for some very recent change in my protection environment over the past week or so which was indeed the cause of my problems with WMC extender sessions not terminating properly. And this was evidenced by the absence of 117 events (abrupt terminations) in Event Viewer, and which then resulted in my inability to re-start a new extender session.  Instead the only thing I could do was to re-boot the machine.


    Apparently just going through the obvious DISABLE methods (i.e. un-checking all of the "protection" categories) does not fully disable BitDefender and/or its firewall functionality, or whatever it was in the end that really was at fault here.  In fact I had to take the extreme step of FULLY UNINSTALLING THE PRODUCT (leaving setup/configuration data as-is so that just in case I was going to reinstall all of my settings would hopefully not need to be re-done), in order to then see operation return to "normal" with WMC extender behavior.


    So sure enough now that BitDefender is out of both of my HTPC's I now see the return of the 117 error ON BOTH MACHINES!!!  I had been stunned last night to discover that my second HTPC, which I hadn't actually used in months, was itself also exhibiting the identical problem symptom with WMC extender sessions not terminating, and thus no 117 event in the log, and thus no ability to re-launch a new extender session to watch TV again unless I re-boot the machine.  This seemingly impossible coincidence of identical failures on two independent machines suggested common software as the cause rather than some common hardware (e.g. a possible router issue?).  I was suspicious of the latest changes in BitDefender being the culprit, but this totally unexpected appearance of the extender malfunction symptom on a second HTPC made me even more suspicious I'd located the culprit.


    This afternoon I uninstalled BitDefender ON BOTH MACHINES, and reinstalled Microsoft Security Essentials.  I have not yet reinstalled Malwarebytes (which is what I was running previously when using MSE, prior to installing BitDefender) so for the moment that's all that is on both HTPC machines... just MSE.  And I'm surprised you didn't hear my screams over there in Germany when I then ran my WMC extender scenario... AND EVERYTHING ONCE AGAIN WAS WORKING PERFECTLY!!!  ON BOTH MACHINES!!!


    So I once again have proper pairs of 115/117 events in the log (corresponding to start of session and end of session).  And sure enough once again there is no "dangling RDP session" left remaining and which prevents a new extender RDP session from starting (which of course corresponds to the absence of 117 events, since somehow BitDefender was preventing the proper graceful termination of the WMC extender RDP session).


     


    So... that's where I am now. I am back to running just MSE, as I have canceled my Malwarebytes licenses when I purchased BitDefender. I haven't decided yet whether to go back to Malwarebytes and forget BitDefender entirely, or what.  What's most important of course is that I now once again have a "Gold" Win7 HTPC (of which I will quickly take another "system image" backup of, to preserve this newly recovered perfection and goodness).


    However if you would like to work with me to discover exactly what you BROKE in the recent updates to BitDefender which is clearly responsible for the breakage of WMC extender RDP sessions not terminating when they should (i.e. suppressing whatever it is that should produce the 117 event), I will donate one of my two HTPC machines to your use.  I will be glad to reinstall BitDefender on this "lab HTPC" of mine, and then hopefully recreate the failure symptom behavior.  Then you can have me collect any forensic information or trace output you'd like which will help you get to the bottom of what product defect you've created in this past week's updates which has caused this symptom, which is now proven to be the culprit.


    If you want to provide me with a special "debug version" of the product, I will do whatever you want.  Now that I've restored my "production HTPC" to proper normal operation by uninstalling BitDefender and reverting back to MSE, I'm happy again.  Having all of my TV recordings made properly, and allowing me to watch them on any of my four WMC extender/HDTV locations, 24/7/365, that is what is important... and thankfully uninstalling BitDefender got me back there.


    Please let me know if you want to work with me on my own failing HTPC to chase down this MAJOR DEFECT in your product. I am glad to reinstall BitDefender to presumably then bring back the failure symptom, so that you can chase it down and fix it.  Only then would I consider uninstalling MSE and reverting back to BitDefender.  Otherwise, not.


     


     


     

    WMC-Z170-115-117.jpg

    WMC-DFW-115-117.jpg

    WMC-DFW-QWINSTA.jpg

  • DSperber
    DSperber ✭✭✭


    With the major crisis now resolved, I add a bit of a post-******. Not only did the BitDefender product enhancements just released this past week cause the fatal malfunction of my WMC extender RDP sessions (in that they would not disconnect their RDP session on the PC when the extender was powered off, thus inhibiting the 117 Event Log entry).  There were also additional issues affecting overall PC performance which appeared even when no WMC extender session had been started since the last boot.


    I saw evidence of excessive memory usage (like .5 GB) tied to BitDefender.  I saw evidence of "ragged scrolling" (e.g. in Firefox, browsing up/down web pages with the mouse wheel), rather than the usual "smooth as butter" normal performance.  I saw evidence of extravagant ragged spikes in CPU usage over extended periods of time, as presented through PERFMON.MSC, which never "smoothed out over time" but rather just persisted to "saw-tooth" (or worse) over time.  I HEARD evidence of something affecting sound put out on my standard computer speakers from standard Realtek HD Audio codec, so that instead of consistent smooth normal sound it sounded scratchy and "interrupted", as if required CPU horsepower was being drained away to the detriment of sound.


    In other words, it wasn't just the fact that my WMC extenders had been negatively affected by the new or enhanced protection or firewall functionality in this past week's BitDefender product update.  Overall BOTH of my HTPC's were showing the identical set of additional symptoms I enumerated above, which again is too coincidental to be a coincidence.


    And, not surprisingly, now that I have totally uninstalled BitDefender on both of these HTPC machines, sure enough ALL of the additional symptoms I enumerated above HAVE DISAPPEARED!  Yes, both of my machines have now returned to truly "Gold" normal behavior in all regards, most especially my WMC extender RDP sessions now properly terminating when I power off the extender.


    I will now re-install the latest 430.86 version of the nVidia drivers that I had backed out the other day thinking it might be responsible for my issues.  I'm now certain it is the fault of BitDefender's product update/enhancement of last week which is totally at fault for ALL of these behavior anomalies I've enumerated.


    In other words even if the major bug to chase is what is preventing WMC extender RDP sessions from ending, all of the other issues (i.e. excessive memory and CPU usage, CPU spikes, scratchy sound from assorted programs, etc.) must also be observed in order to see if there is more to the new defect than just its effect on WMC extender RDP sessions.


    I will still donate my second "spare" HTPC machine on which all of this can (hopefully) be reproduced once I reinstall BitDefender, if you want to assign an engineer to work with me. Tell me if I should open a proper support ticket, or if you will open one for me, or if we just pursue this privately and offline via email contact going forward.

  • Andrei M.
    Andrei M.
    edited June 2019


    Hello @DSperber,


     


    Please send us an email at bitsy@bitdefender.com with this forum topic in the description and one of our engineers will further assist you in solving this situation.


     


    Thank you.

  • DSperber
    DSperber ✭✭✭
    edited June 2019


    I sent an email to that address earlier this afternoon. Still awaiting a reply from your engineers.

  • DSperber
    DSperber ✭✭✭


    It is now four days since I offered up my failing HTPC for your use as a "lab rat" in order to help you chase down this defect in Bitdefender's latest version update. Seems you couldn't ask for anything more wonderful, namely the customer offering his failing machine so that you can work through the debug process on a machine where the failure occurs 100% of the time.


    I still have not heard back from anybody in engineering. I have written TWO emails as you requested, and I have also opened an official ticket:  2019061120130002, but to no avail. Apparently your "support" isn't what I might have hoped.


    I have now uninstalled your product on my two Win7 desktop HTPC machines which were both failing only in this past week (having both been working perfectly for the past few months with the prior version of the product which obviously didn't have this new defect in it, up until this week when both machines began to fail). Having gone back to Microsoft Security Essentials + Malwarebytes Premium, both of these HTPC machines are now once again working perfectly.  The problem is obviously your latest Bitdefender version. That is clear.


    I am now going to uninstall your product on my two Win10 laptops as well, since I have no interest in paying a license fee any longer if you will not provide support for the product I paid for. I purchased a 5-seat license for one year, but will not renew. I'm perfectly satisfied with MSE (or Windows Defender) + MBAM, as I've been using happily for many many years.


    I am very disappointed in your non-support, even though you clearly monitor this forum and Andrei (from your Tech Support group) posted his own item in this thread two days ago, asking for me to do exactly what I've now done... IN TRIPLICATE, but without any response from your end. Quite frankly I'm surprised you have so little interest in actually resolving the obvious bug your latest version has given birth to, especially given my offer to let you have full use of my own failing machine to debug with.  Seems like a deal made in heaven, but so far silence from your end.


    Sorry, but I'm not impressed.


  • Hello @DSperber,


     


    First of all, I wish to apologize for any inconvenience that our product or our support might have caused, I've sent you an email about 2 hours ago, please check your inbox.


     


    Additionally, I want to add a note since I would like to further investigate and communicate about this situation via emails and once we conclude and solve the issue I will post the details about it here.


     


    Thank you for understanding.


     

  • DSperber
    DSperber ✭✭✭


    Just my own post-****** here.


    I worked with the BitDefender engineers today on this problem. It was initially supposed to be a remote TeamViewer session so that I could demonstrate the failure. But before the session ever began I got an email canceling it, because it turns out this problem had already been previously reported and was already being worked on by development for the solution.


    So instead of needing any demonstration of the failure, I was instead provided with a simple three-step "patch" recipe that they'd already worked up to temporarily disable the failing driver responsible for the problem until the corrected version can be released hopefully in the not too distant future. Perfectly satisfactory to me, and I confirmed that their patch did indeed suppress the failure and allow the WMC extender RDP sessions to once again terminate properly.  Once again I had my pairs of 115/117 Event Log entries and 100% normal WMC extender behavior.


    So, thanks to the several support people at BitDefender who've replied on this thread and to me via email over the past two days.


    Crisis averted.


     

  • DSperber
    DSperber ✭✭✭


    Yesterday I received an email from Bitdefender support advising me that the "fix" for this RDP session problem has now been implemented in the latest Bitdefender 2020 version recently pushed out.  I was asked to reinstall the product and test things out, to see if my own WMC extender (which are RDP sessions) issue has in fact now been successfully resolved.


    So I uninstalled MSE + MBAM, and installed the latest Bitdefender 2020 on my Win7 HTPC.  And then I performed a test using a WMC extender.


    And I'm pleased to report that it DOES APPEAR the RDP session termination defect which I reported a few months ago in a support ticket has now, indeed, been successfully resolved by Bitdefender development. Sure enough, power-off of a WMC extender session does now once again produce the expected 117 event as it should.  And QWINSTA now does once again show that the previously active WMC extender (RDP) session is no longer active.


    Looks like CASE CLOSED!  Happy ending.


    At this moment I still have only reinstalled Bitdefender on the one HTPC machine used to perform this test.  I still have my other desktops and laptops (part of my 5-seat license) configured with MSE + MBAM as before, following my uninstall of Bitdefender a few months ago when this RDP session issue first appeared with some product version pushed out sometime after March 2019 (when I first installed Bitdefender and it was still working perfectly, with no RDP session problem yet).


    I will eventually decide how to go forward, either using MSE + MBAM as I do on all other 20 machines I maintain and simply not renewing my annual Bitdefender license, or using Bitdefender for my own personal 5-seat license machines, or what.  Now that both MSE + MBAM as well as Bitdefender are equally defect-free, I suppose I have a true choice.

This discussion has been closed.