
MeshAgent stops responding completely on Windows 11 with Norton/Avast/AVG

Open marek26340 opened this issue 2 months ago • 3 comments

Describe the bug

Since almost a year ago, I've been observing strange behavior on our new Windows 11 PCs. MeshAgent stops responding to literally anything - querying status using cmd and the installer, or getting any response out of it in MeshCentral. It shows as online in MC, but it won't respond to any commands, and soft disconnecting does not get it to make a new working connection. The service on the target PC must be manually restarted to get it to work properly again, but just for a couple of minutes. It could possibly be related to the 24H2 update (we were on 23H2 for quite a while, we've been waiting for Microsoft to iron out at least some bugs out of 24H2), but I don't have any evidence for that...

To Reproduce

Steps to reproduce the behavior:

  1. Install Windows 11 24H2. (Feel free to install any and all updates that show up, but it's not necessary.)
  2. Install any version of Norton antivirus products - Norton 360, Avast Free, AVG Business,...
  3. Observe the behavior of MeshAgent after a couple of minutes of runtime. Or rather, the lack thereof.

Expected behavior

MeshAgent should always stay fully responsive to any connection attempts from the installer (meshagent64-group.exe -status), or to any commands from MeshCentral as long as it's connected.

Server Software:

  • OS: Ubuntu Server 24.04 LTS
  • Virtualization: VMware ESXi 6 (I know)
  • Network: LAN + WAN, no proxy, I'm 100% positive there aren't any network issues occurring here past the ethernet jack of those PCs.
  • Version: Core Mar 6 2025, 1050666940 ; MeshCentral 1.1.51
  • Node: v22.13.0

Tested on:

  • Devices: HP 600 G4 SFF PC, HP 255 G7 laptop, HP 800 G1 SFF PC, custom built PCs,... All of our Windows 11 clients are affected.
  • OS: Windows 11 24H2 and 25H2
  • Network: Local to MeshCentral and remote over WAN
  • Browser: Google Chrome, Microsoft Edge, Mozilla Firefox

Your config.json file

{
  "$schema": "https://raw.githubusercontent.com/Ylianst/MeshCentral/master/meshcentral-config-schema.json",
  "__comment1__": "This is a simple configuration file, all values and sections that start with underscore (_) are ignored. Edit a section and remove the _ >",
  "__comment2__": "See node_modules/meshcentral/sample-config-advanced.json for a more advanced example.",
  "settings": {
    "cert": "mcserver.contoso.com",
    "_WANonly": true,
    "_LANonly": true,
    "_sessionKey": "NotLeaked__UnderscoreMeansRandomlol",
    "port": 443,
    "_aliasPort": 4436,
    "redirPort": 80,
    "_redirAliasPort": 80,
    "agentPort": 4434,
    "mpsPort": 4433,
    "AmtProvisioningServer": {
      "port": 9971,
      "deviceGroup": "mesh//redacted",
      "newMebxPassword": "SuperSecurePwd01.",
      "trustedFqdn": "mcserver.contoso.com",
      "ip": "169.254.23.45"
    },
    "SelfUpdate": true,
    "amtScanner": true,
    "exactPorts": true,
    "agentsInRam": true,
    "agentPing": 25,
    "agentIdleTimeout": 120,
    "browserPing": 50,
    "_useNodeDefaultTLSCiphers": true,
    "debug": "main,relay,webrelay,mps,mpscmd,agentupdate,agent,cert,db,amt"
  },
  "domains": {
    "": {
      "_title": "MeshCentral",
      "_title2": "Servername",
      "_minify": true,
      "_newAccounts": true,
      "_userNameIsEmail": true,
      "showModernUIToggle": true,
      "AmtManager": {
        "TlsConnections": true,
        "AdminAccounts": [
          { "user": "admin", "pass": "SuperSecurePwd01." }
        ],
        "EnvironmentDetection": [
          "contoso.com"
        ]
      }
    }
  },
  "_letsencrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before trying Let's Encrypt.",
    "email": "[email protected]",
    "names": "myserver.mydomain.com",
    "skipChallengeVerification": true,
    "production": false
  }
}

marek26340 avatar Oct 22 '25 15:10 marek26340

Unfortunately there isn't anything we can do at the moment unless someone can identify what the AVs are doing (we need someone who works at the AV companies to tell us)

It's already been reported multiple times and sadly we have no control over the antiviruses

We use Norton for all our machines but since a recent update we had to uninstall it completely and revert to using defender built in instead

si458 avatar Oct 22 '25 16:10 si458

> Unfortunately there isn't anything we can do at the moment unless someone can identify what the AVs are doing (we need someone who works at the AV companies to tell us)
>
> It's already been reported multiple times and sadly we have no control over the antiviruses
>
> We use Norton for all our machines but since a recent update we had to uninstall it completely and revert to using defender built in instead

MeshAgent.exe to be properly signed could be a good start

Danijongo avatar Nov 11 '25 13:11 Danijongo

@Danijongo makes no difference. We have a valid 3 year code signing certificate and I've signed it, makes no difference. The AVs are scanning the raw websocket traffic, from what I can tell, for rootkits etc. and blocking the data being sent.

edit: even built from source code and signed it AFTER I downloaded the agent, makes no difference 👎

si458 avatar Nov 11 '25 13:11 si458