Why is MsMpEng.exe using so much CPU?

  • Wednesday, May 06, 2009 11:52 AM HAL07
     
    It's always running high on CPU when any process is using CPU.
    It really lags my Windows XP systems.

    Are there any ways of optimizing MsMpEng, which I understand is Microsoft Malware Protection?
    I run version 1.5.1958 on Forefront Client Security on updated Windows XP Pro systems (all updates).

All Replies

  • Wednesday, May 06, 2009 7:54 PM Kurt Falde (MSFT, Moderator)
     Proposed Answer
    Is it doing a scan possibly? If not, then you can examine c:\documents and settings\all users\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Support and the MPlog-DATE.log file and see if you have any "Expensive" files listed during the time, as it may be due to a file read/write pattern that is strange where you may need an exclusion for that file.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
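
Added example (not part of the thread and not Microsoft tooling): a small Python script that tallies which paths are flagged "Expensive" in a copy of an MPLog file, so an exclusion can be limited to the specific files that recur. The line layout, the sample entries and the function names are assumptions made for illustration; the real MPLog format may differ.

```python
import re
import sys
from collections import Counter

# Assumption: a flagged entry is any line containing the word "Expensive"
# whose last field is a local (C:\...) or UNC (\\server\...) path.
PATH_RE = re.compile(r'(?:[A-Za-z]:\\|\\\\)[^\r\n"<>|*?]+')

# Constructed sample lines; real MPLog entries may be laid out differently.
SAMPLE = "\n".join([
    r"2009-06-11 09:14:02 Expensive file: \\server\share\app\data.mdb",
    r"2009-06-11 09:14:09 Scan started: C:\WINDOWS\system32\notepad.exe",
    r"2009-06-11 09:15:30 Expensive file: \\SERVER\share\app\data.mdb",
    r"2009-06-11 09:16:41 Expensive file: C:\Program Files\Corp App\cache.dat",
    r"2009-06-11 09:20:12 Expensive file: \\server\share\app\data.mdb",
])


def decode_log(raw):
    """Decode log bytes, honouring a UTF-16 byte-order mark if present."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def expensive_paths(text):
    """Count, per path (case-insensitive), the lines flagged as expensive."""
    counts = Counter()
    for line in text.splitlines():
        if "expensive" not in line.lower():
            continue
        match = PATH_RE.search(line)
        if match:
            counts[match.group(0).rstrip(" .,;").lower()] += 1
    return counts


def exclusion_candidates(text, min_hits=2):
    """Paths flagged at least min_hits times, most frequent first."""
    return [(p, n) for p, n in expensive_paths(text).most_common() if n >= min_hits]


if __name__ == "__main__":
    # Usage: python mplog_expensive.py MPLog-DATE.log  (falls back to SAMPLE)
    text = decode_log(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else SAMPLE
    for path, hits in exclusion_candidates(text):
        print(f"{hits:4d}  {path}")
```

Listing the individual recurring paths lets an exclusion be scoped to a single file rather than a whole share or process, which keeps the unscanned surface small.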
  • Thursday, May 07, 2009 3:49 AM Nick Gu - MSFT (MSFT, Moderator)

    Hi,

    Thank you for your post.

    According to your description, I understand that MSMPENG.exe is taking excessive CPU.

    Based on my experience, MSMPENG is the antimalware detection engine shared by OneCare and Windows Defender. If MSMPENG.EXE is constantly consuming excessive memory and CPU, there is a conflict on your PC with another process or service. I would recommend disabling all startup items via MSCONFIG. If the problem goes away, enable startup items one at a time until the conflict is identified.

    When the scanning is ended, your machine won’t have this MsMpEng.exe running, waiting for the next Quick Scan. You can do the following:

    1) Immediately stop the scan by calling Windows Defender and stopping it.

    2) Remove the scheduled scan from Windows Defender in Options. Recommendation is to keep it on schedule.

    3) Change the hour of this scheduled scan to one more convenient for your activities, for instance during your lunch times.

    Regards,

    Nick Gu - MSFT
  • Friday, May 08, 2009 1:12 PM HAL07

    I doubt this is a scan, since our group policy says that Forefront should scan each Wednesday at 03:00.

    Why do you talk of Windows Defender or OneCare? I'm using Forefront.
  • Tuesday, May 12, 2009 8:43 AM Nick Gu - MSFT (MSFT, Moderator)
     Answer

    Hi,

    Thank you for your update.

    I am sorry for the misunderstanding. As this issue is very common with OneCare and Windows Defender, I think the principle is the same. MSMPENG.EXE may consume memory and CPU when a scan is running. Meanwhile, this issue may also occur when there is a conflict with another process or service.

    To narrow down this issue, we need more information. Could you show us more detailed information?

    1. In which scenario does the MSMPENG.exe high CPU issue happen (such as rebooting, or FCS scanning)?

    2. Is the high CPU issue always reproducible?

    3. How long may the high CPU issue last? High CPU forever? Or does it just last for several minutes?

    4. How many of all the clients have this issue?

    As the FCS client leverages the Automatic Update service, there is a known high CPU issue. You may already know of it:

    http://support.microsoft.com/kb/927891/en-us

    We suggest installing this update on all client machines to avoid hitting this possible high CPU issue.

    Regards,

    Nick Gu - MSFT
  • Thursday, June 11, 2009 11:44 PM Spike1197

    I am having problems with mapped drives getting scanned while running our corporate application. It is also happening while accessing a network URL \\server\share.

    The application is launched and MSMPENG.exe takes 50-98% of the CPU for several minutes. I have run Filemon while launching, and MSMPENG.EXE hits every file on the mapped drive.

    Occurs on all clients.

    So:
    1. FCS MSMPENG.exe (Malware protection??) scanning when launching an application or accessing a network resource.
    2. Always reproducible.
    3. Several minutes if only one network resource... so if using network resources continuously... it lasts continuously.
    4. All clients that use the corporate software and access network resources.

    Regards,

  • Wednesday, June 17, 2009 9:45 PM MGMNVA

    Just exclude the processes and folders from Forefront scanning. AV software puts a burden on any machine because it interrupts I/O operations, so in all likelihood you're going to have to configure it not to scan certain heavily used files. Typically you exclude log files, database files, and directories that do group processing. That can be configured on the client locally or via group policy. To configure exclusions on your machines, do this:

    1. Right click the green check box in your system tray
    2. Click Tools
    3. Click Options

    There you can exclude files by types, paths, or accessing process (like SQL.exe).

    Please give me points if this helps, I only need 2000 to get to the next level. (Vote as Helpful)
    • Edited by MGMNVA Tuesday, June 30, 2009 2:25 PM: Edited typos
  • Thursday, June 18, 2009 11:56 AM Michaelk123
     
    File types and paths can be set on the management server, processes must be set by either the user (you must allow the user to do this in the management console), or you have to add them to the registry through some scripting process.  I haven't had too many issues with running processes though...
  • Thursday, June 18, 2009 12:04 PM Michaelk123
     
    HAL07,

    We had a similar problem, a couple important things to note:

    File exclusions: 
    I don't know what your file exclusions look like, be sure to follow what is recommended here:
    http://support.microsoft.com/default.aspx/kb/822158/
    Also, exclude any expensive files.

    Forefront Client Security Assessment Service:
    I disabled the Forefront Client Security Assessment Service as it was resulting in high CPU usage, this can be done through the Forefront Management Console.  In addition, you may want to disable the FcsSas service on your clients as it's not being utilized.  I'm not sure what your infrastructure looks like, but if you have SCCM or SMS you can script this to turn it off.  Let me know if you need an example.

    Definition updates:

    An issue has been identified with the way Forefront client handles definition updates, resulting in the entire catalog being cached down unnecessarily; from what I hear the issue is being worked on.  Until then, I had to increase the amount of time clients looked for definition updates to 20-24 hours; the default is set at 6 hours. 

    You can also run the diagnostic utility located here:
    C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware
    Run mpcmdrun -trace

    Let it run for about a minute and open it with SMS Trace (beware the file is quite large). It will alert you to any expensive files (which can be excluded, be cautious when doing this) and also what the application is doing.

    I hope this helps!
  • Saturday, October 31, 2009 7:11 PM 1986rioIT

    Michaelk123,
    I'm very interested in the tool you've mentioned (MPCMDRUN).

    However, when I run it in trace mode it generates a BIN file. I could not read it using SMS Trace 2003. When I open it, it shows a blank screen.

    I could only open it using Notepad++, but as it is in BIN mode, it just displays garbage.

    Can you help?

    Thanks!