none
SCEP 2012 4.3.215.0 with sigs 1.171.1.0 causes XP to hang until MsMpEng finally crashes

    Question

  • Hi,

    this morning all of our remaining XP machines are unresponsive for up to 30 minutes after startup until MsMPEng crashes[1].
    It looks like an update either last nicht or this morning introducted this problem.
    The affected machines run FEP 2012 4.3.215.0 with signatures 1.171.1.0.

    After the engine has crashed the system is responsive again until a few mintutes lafter, after the service has restarted, the problem begins anew.

    Does anyone have the same problem or any suggestions? We are currently applying KB2952678 to our SCCM in order to update SECP 4.5.216.0 to see if this fixes it.

    Philipp

    [1]
    http://postimg.org/image/sgofxtshv/
    http://postimg.org/image/jybtpj5xb/
    http://postimg.org/image/z9a8wi1n5/

    Wednesday, April 16, 2014 8:55 AM

All replies

  • We have a server farm 2003, all our server hit a wall this morning, we have removed forfront for now. This has sorted our network. I believe Version 1.171.46.0 has since been released to fix the issue. We have not tested, We will leave it untill out of hours to test.
    Wednesday, April 16, 2014 9:06 AM
  • Hi,

    Same problem for all our XP machines and 2003 servers.

    waiting for the fix :]

    Sylvain.

    Wednesday, April 16, 2014 9:12 AM
  • Our windows XP machines, Laptops and desktops are all affected. Win7 is fine. We have removed FEP from XP and it appears to work. currently have Sig 1.171.1.0 and will be testing the new sig as well.

    .: Lister :.

    Wednesday, April 16, 2014 9:13 AM
  • Same problem. Will report back if signature update resolves the issue.
    Wednesday, April 16, 2014 9:16 AM
  • Same here, about 3500 computers hang at logon
    Wednesday, April 16, 2014 9:18 AM
  • Same here
    Wednesday, April 16, 2014 9:21 AM
  • Hi,

    I suggest that you place a support call to Microsoft to make sure this is fixed.

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    Wednesday, April 16, 2014 9:23 AM
  • The latest update 1.171.46.0 appears to be working, only rolled out to a few machines currently to test it.

    Latest update can be downloaded from here manually. Working on getting SCCM to deploy the update as XP is crashing it isn't downloading the upadate.

    https://www.microsoft.com/security/portal/definitions/adl.aspx

    What a great way to spend my Wednesday Morning! :)


    .: Lister :.

    Wednesday, April 16, 2014 9:25 AM
  • We have Version 1.171.39.0 of System Center Endpoint Protection, with definitions from 2014-04-16 and we have the same problem for about 750 XP-machines.

    Windows 7 seems unaffected.

    Wednesday, April 16, 2014 9:25 AM
  • hello

    we tested on xp with 1.171.46.0 and the same error

    Wednesday, April 16, 2014 9:27 AM
  • Same here
    Wednesday, April 16, 2014 9:28 AM
  • Hello guys,
    we have same issue too.
    We are trying to install latest SCEP 2012 Signature (1.171.46.0) and Update (4.5.216.0).

    I'll keep you informed.

    Bye,
    Luca

     

    Disclaimer: This posting is provided AS IS with no warranties or guarantees, and confers no rights. Whenever you see a helpful reply, click on [Vote As Help] and click on [Mark As Answer] if a post answers your question.

    Wednesday, April 16, 2014 9:36 AM
  • he received from microsoft some workaround

    you have to uncheck Enable Behavior Monitorin From Settings

    Wednesday, April 16, 2014 9:41 AM
  • Hi,

    a quick update:

    Neither 4.5.216.0 nor sigs 1.171.46.0 fixes the issue. I have begun to disable the antimalware service on a case-by-case basis to get critical systems up again.

    Philipp

    Wednesday, April 16, 2014 9:58 AM
  • he received from microsoft some workaround

    you have to uncheck Enable Behavior Monitorin From Settings

    currently after 20 minutes after being applied the problem seems to be resolved

    • Proposed as answer by Mike Lister Wednesday, April 16, 2014 10:07 AM
    Wednesday, April 16, 2014 10:03 AM
  • Good solution.

    It worked for us.


    • Edited by Bill pat Wednesday, April 16, 2014 10:04 AM
    Wednesday, April 16, 2014 10:04 AM
  • Removing the tick from Enable Behaviour Monitoring appears to be working for us at the moment, GPO keeps reapplying it so we are currently looking to change that until a new Sig comes out :)


    .: Lister :.

    Wednesday, April 16, 2014 10:08 AM
  • same issues here, we gpo disabled the service for xp systems whilst trying to figure out the cause, will test this now :)
    Wednesday, April 16, 2014 10:11 AM
  • Removing the tick from Enable Behaviour Monitoring appears to be working for us at the moment, GPO keeps reapplying it so we are currently looking to change that until a new Sig comes out :)


    .: Lister :.


    u can unchekit from SCCM console -> Assets and Compliance -> Antimalware Policies -> <your policy> -> real time protection -> enable behavior monitoring -> no
    Wednesday, April 16, 2014 10:13 AM
  • Hello,
    we uncheck "Enable behavior monitoring" from Antimalware Policies and deployed to all clients. On those they got the policy the issue seems to be solved. Thank you Robert Nechita.

    The setting above could be disabled forcing Registry Key DisableBehaviorMonitoring (DWORD) to 1 under the path: HKLM\Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection*

    * - If you don't disable it from Antimalware Policies, the Registry Key could be set to value 0 again after Machine Policy Retrieval & Evaluation Cyle occurs.

    IS THERE ANY OFFICIAL FEEDBACK FROM MICROSOFT HERE (ABOUT THE ISSUE, NOT THE WORKAROUND) ?

    Bye,
    Luca


    Disclaimer: This posting is provided AS IS with no warranties or guarantees, and confers no rights. Whenever you see a helpful reply, click on [Vote As Help] and click on [Mark As Answer] if a post answers your question.

    • Proposed as answer by Mike Lister Wednesday, April 16, 2014 10:49 AM
    • Edited by Luca Fabbri Wednesday, April 16, 2014 12:08 PM
    Wednesday, April 16, 2014 10:19 AM
  • We get this error. (just to help search.. I think adress is static with this latest version)
    "Virhesovellus MsMpEng.exe, versio 4.5.216.0, moduuli mpengine.dll, versio 1.1.10501.0, osoite 0x003d684d."




    • Edited by Meitzi Wednesday, April 16, 2014 10:23 AM
    Wednesday, April 16, 2014 10:20 AM
  • definition version 1.171.46.0 fixed the issue for me
    Wednesday, April 16, 2014 10:25 AM
  • mu issue fix with new definition version. Please update your definition.

    Wednesday, April 16, 2014 10:44 AM
  • Thanks Rob, just created a policy for XP machines :) appears to be ok now.

    Will there be a permanent fix for this for future defs?


    .: Lister :.

    Wednesday, April 16, 2014 10:49 AM
  • definition version 1.171.46.0 fixed the issue for me

    This doesn't fix the problem but the 1.171.53.0 does fix the problem
    Wednesday, April 16, 2014 10:54 AM
  • 1.171.53.0 - same problem with Windows XP and Server 2003. :^(
    Wednesday, April 16, 2014 11:05 AM
  • same problem with 1.171.53.0. sorry too soon to call it fixed.
    Wednesday, April 16, 2014 11:06 AM
  • I have about 700 computers with the same problem...

    Wednesday, April 16, 2014 11:14 AM
  • Same problem on our side, over 1800 servers (all 2003 )and some clients hanged. Neither engine or definitions update have worked, we're testing to turn off the behaviour monitoring, i'll keep you posted.

    Gabriel

    Wednesday, April 16, 2014 11:17 AM
  • Testing with Definition 1.171.64.0 now
    Wednesday, April 16, 2014 11:21 AM
  • I have a sneaking suspicion this is due to the Engine update first released in definition 1.171.0.0

    Antimalware Engine 1.1.10501.0 was released to all Microsoft Security Essentials, Forefront Client Security, Forefront Endpoint Protection, Windows Intune Endpoint Protection, and Windows System Center Endpoint Protection customers on 15 April 2014. Signature package 1.171.0.0 is the first that contains this engine.

    From my local testing I have seen the following

    Remote analysis of logs on PC **********:

    • No symptoms until this event; Installation Successful: Windows successfully installed the following update: Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.171.46.0)
    • After this event Frequent exceptions relating to the antimalware service appearing up-to every 30 seconds; Faulting application MsMpEng.exe, version 3.0.8402.0, faulting module mpengine.dll, version 1.1.10501.0, fault address 0x003d684d.
    • Until this event; Microsoft Security Client successfully applied security policy: "**************Policy XP". (This has behaviour monitoring disabled)
    • After this no more exceptions have been logged from the Antimalware service.

    Wednesday, April 16, 2014 11:26 AM
  • Testing with Definition 1.171.64.0 now
    1.171.64.0 - Seems to work fine, just tested on a couple of 2003 and one XP. :^)
    Wednesday, April 16, 2014 11:35 AM
  • same issue here.  Client Version 4.5.216.0 and 1.171.46.0

    Microsoft what are you doing????

    Wednesday, April 16, 2014 11:36 AM
  • Testing with Definition 1.171.64.0 now

    1.171.64.0 - Seems to work fine, just tested on a couple of 2003 and one XP. :^)

    no problem here either. But want to see it running for 30 minutes before I trust it
    Wednesday, April 16, 2014 11:41 AM

  • I only found 1.171.53.0 at https://www.microsoft.com/security/portal/definitions/adl.aspx

    Where can I find 1.171.64.0 version?  

    Chaotic..



    Wednesday, April 16, 2014 11:43 AM

  • I only found 1.171.53.0 at https://www.microsoft.com/security/portal/definitions/adl.aspx

    Where can I find 1.171.64.0 version?  

    Chaotic..

    ----------------------

    Got mine from Windows update


    Wednesday, April 16, 2014 11:54 AM
  • definition version 1.171.46.0 fixed the issue for me

    Where can I find it
    Wednesday, April 16, 2014 12:10 PM
  • Yeah, same problem. Usually they release the full package a few minutes later than the DELTA ones ... we just have to wait i think.

    We're testing 1.171.64 got from Windows Update, seems good so far...

    Gabriel

    • Proposed as answer by ChiefMC Wednesday, April 16, 2014 1:19 PM
    Wednesday, April 16, 2014 12:10 PM
  • Has anyone found a direct download for the 1.171.64 Definition? If so could someone throw us out the link? :)

    Edit: Nevermind, .64 definitions just showed up in our SCCM server.

    • Edited by Eli Misel Wednesday, April 16, 2014 12:24 PM
    Wednesday, April 16, 2014 12:21 PM
  • Has anyone found a direct download for the 1.171.64 Definition? If so could someone throw us out the link? :)

    So Far I have only been able to DL it via. Windows Update
    Wednesday, April 16, 2014 12:23 PM
  • I got it though WSUS and SCCM. Distributed it to my Clients also.

    Try do do a Manual sync of your WSUS.

    Wednesday, April 16, 2014 12:26 PM
  • So far 1.171.64 have fixed the problem for all the servers in our hosting enviroment
    Wednesday, April 16, 2014 12:34 PM
  • new 1.171.67

    http://www.microsoft.com/security/portal/shared/prereleasesignatures.aspx

    Microsoft pre-release definition updates

    Latest pre-release definition version: 1.171.67.0

    Microsoft offers partially-tested pre-release definition updates for download before the fully-tested (released) version is available. These updates are listed below.

    You can use these pre-release definitions to clean infected computers. You can also use them to protect computers that are at an immediate risk of infection. The pre-release definition update is not meant for enterprise-wide deployment.

    Pre-release updates are explicitly created for malicious software threats. You should not deploy a pre-release definition update if you are not experiencing a threat for which it was explicitly created.

    Note: After additional testing, certain pre-release definition updates will be released as regular definition updates. The same binary file that was used for the pre-release definition update may be used for the released definition update.

    Wednesday, April 16, 2014 12:45 PM
  • We are just wrapping up cleanup on our end.

    I've opened case with MS Premier Support as well. They have confirmed what was already said here on the forums.

    To fix this, as said earlier, synch. latest update in your WSUS/SCCM, if you get updates from Microsoft directly, you can run

    "<c:\Program Files\Microsoft Security Client\MpCmdRun.exe>" -SignatureUpdate to force update of definition updates.

    If you use ADR in SCCM, just synch. updates with wsus, and manually kick off your ADR to be downloaded and deployed.

    On Servers 2003, SCEP service will be most likely stopped, so you will have to enable the service first, then force the update.

    As for behavioral monitoring setting, Microsoft rep. has told me that this setting has been fixed in latest release but they still recommend to keep behavioral monitoring off on XPs and 2003 Servers until official statement.




    Wednesday, April 16, 2014 2:09 PM
  • Sorry to report bad information. 1.171.46.0 did not fix the problem. We ended up turning off Behavior Monitoring and await official word from Microsoft.

    Good information - http://msmvps.com/blogs/kenlin/archive/2014/04/16/winxp-and-or-win2003-with-sc-forefront-endpoint-protection-installed-msmpeng-exe-crashes-after-definition-update.aspx
    Wednesday, April 16, 2014 3:14 PM
  • .64 fixes the problem, not 46.

    Wednesday, April 16, 2014 3:21 PM
  • We updated our definitions to 1.171.64 and turned off Behavior Monitoring and that immediately fixed any issues that we had in our environment.  We still had a few computers that seem to be running on version 46 and Behavior Monitoring turned on, not sure how or why but they are.  I think as long as the machine has not rebooted recently, which updates were released in our environment this morning, then they are somewhat okay.  Be interesting to see if Microsoft will even comment on this due to XP no longer being "supported." 
    Wednesday, April 16, 2014 6:06 PM
  • We ended up disabling real-time protection all together as our initial step as this was affecting 165 machines. So now we are going to make sure the latest definition is in place and then re-enable real-time protection without behavior monitoring enabled.

    Will post once we've completed the process.


    Scott M. Phoenix, AZ

    Wednesday, April 16, 2014 6:07 PM
  • Hi I have the same problem early morning with a few of the Windows XP machines with installed Fore Front Endpoint Protection, but I didn't checked what were the definitions installed on these systems.

    To prevent hanging of the system I have unchecked(removed) the tick from Enable Behaviour Monitoring from one of the Windows 2008 R2 Servers.

    About Windows 2003 Servers ...
    I have also uninstalled the SCEP from Windows 2003 R2 Server, because I am worry about it when I read these lines above.

    Is it possible to have the same problem with Windows Server 2008 R2 with SCEP 2012 with definition version 1.171.46.0?

    What is the official opinion and decision of Microsoft.

    Wednesday, April 16, 2014 7:48 PM
  • Looks like MS is going to release updates, but haven't officially stated that it's ok to tick the Behavior Monitoring back on yet.

    On our Server 2003 systems, unticking that box worked, didn't need to fully uninstall.  Just a note.

    Wednesday, April 16, 2014 8:03 PM
  • Unfortunately version 1.171.46.0 not fix the issue. This is only my opinion. This morning I have problems again with XP with FEP definition 1.171.46 and 1.171.106.0.
    The problems is still continue, if you not uncheck the behavior and this not depends of the installed antivirus definitions.
    Thursday, April 17, 2014 6:43 AM
  • Hello,
    I summarise here all information coming from this TechNet Forums post.

    Starting from Signature Version 1.171.64.0 the problem should be solved on Windows XP (and Windows Server 2003) machines.
    You can launch Signature Update manually: %ProgramFiles%\Microsoft Security Client\MpCmdRun.exe -SignatureUpdate.

    Otherwise you can disable "Enable behaviour monitoring" (under SCEP client Settings) following one of points below:

    • Opening System Center Endpoint Protection client => Settings => Real-time protection => uncheck Enable behaviour monitoring
    • Setting Registry Key DisableBehaviorMonitoring (DWORD) to 1 under the path HKLM\Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection; (command: REG ADD "HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_dword /d 1 /f)
    • If SCEP is used in conjunction with SCCM 2012, then you can change it centrally and push the policy to all of you computers: SCCM console => Assets and Compliance => Endpoint Protection => Antimalware Policies => choose the policy to be modified => right click and then Properties => Real-time protection => set Enable behavior monitoring to No

    Bye,
    Luca


    Disclaimer: This posting is provided AS IS with no warranties or guarantees, and confers no rights. Whenever you see a helpful reply, click on [Vote As Help] and click on [Mark As Answer] if a post answers your question.

    • Proposed as answer by Andrzej Jaracz Thursday, April 17, 2014 9:30 AM
    • Edited by Luca Fabbri Thursday, April 17, 2014 9:58 AM
    Thursday, April 17, 2014 7:35 AM
  • Next Action from Microsoft:

    We are pending a release of a definition update so BM can be enabled again. We will actively communicate out again as soon as the definition becomes available.

    How to Disable Behavior Monitoring feature:

    1. Configure Policy with SCCM

    2. Configure Policy by GPO

    Distribute the Machine Startup/Shutdown Script in registry by using GPO

    Batch:

    reg add "HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_dword /d 1 /f

    3. Update Registry by entering SafeMode

    You can also set below registry value to disable BM:

    HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection DisableBehaviorMonitoring = 1  (REG_DWORD)

    4. FEP - Applying Policies from the Command Prompt

    http://technet.microsoft.com/en-us/library/gg412477.aspx

    Thursday, April 17, 2014 7:10 PM
  • Does it appear that the latest updates have fixed the issue with behavior monitoring?

    I didn't find any "official" blog/ news stating such.

    Thanks

    Monday, April 21, 2014 1:04 PM