System Center Endpoint Protection - error 0x80004005

  • Question

  • Hi,

    Not sure where to place this thread, please move if necessary.

    We're having an issue in two completely different customer environments. The Microsoft Antimalware Service stops and on some occasions the servers hang. In the Event Viewer the following event occurs (ID 3002). On some servers we had to uninstall FEP completely, restarting the service or server didn't resolve the issue. Memory and CPU levels seem normal.

    Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.

    Feature: On Access

    Error Code: 0x80004005

    Error description: Unspecified error

    Reason: The filter driver skipped scanning items and is in pass through mode. This may be due to low resource conditions.

    The following signatures are updated:

    Microsoft Antimalware signature version has been updated.

    Current Signature Version: 1.171.1.0

    Previous Signature Version: 1.169.2706.0

    Signature Type: AntiSpyware

    Update Type: Full

    User: NT AUTHORITY\SYSTEM

    Current Engine Version: 1.1.10501.0

    Previous Engine Version: 1.1.10401.0

    Has anyone seen this before?

    Thanks.

    • Moved by TorstenMMVP Wednesday, April 16, 2014 7:35 AM moved
    Wednesday, April 16, 2014 7:31 AM

All replies

  • We are having the same issue. Only seems to be affecting 2003 servers at the moment.
    Wednesday, April 16, 2014 7:36 AM
  • It's a known issue with the newest SCEP definitions (1.171.1.0).

    As a workaround, you need to disable behavior monitoring or apply the following reg. fix:

    HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection DisableBehaviorMonitoring = 1  (REG_DWORD)


    If you have SCCM, you can change the SCEP policy to disable behavior monitoring and push the changed settings to clients.
    • Edited by Rok Nemec_1 Wednesday, April 16, 2014 8:14 AM
    • Proposed as answer by Rok Nemec_1 Wednesday, April 16, 2014 11:17 AM
    • Unproposed as answer by Rok Nemec_1 Wednesday, April 16, 2014 11:17 AM
    • Proposed as answer by Rok Nemec_1 Wednesday, April 16, 2014 11:18 AM
    Wednesday, April 16, 2014 7:44 AM
  • We also have a problem with FEP.
    On our XP computers FEP crashes and the system is slow.
    The application "c:\Program Files\Microsoft Security Client\MsMpEng.exe", generated an application error. Date and time of the error: 16/04/2014 09:15:11.635 to exception: c0000005 at address 5A4D684D (mpengine!FreeSigFiles)
    Wednesday, April 16, 2014 7:49 AM
  • Same problem here but not affecting all XP PCs.

    Maybe only these which are not covered by a volume license?

    Wednesday, April 16, 2014 8:00 AM
  • Same issue here ... affected all XP Clients with FEP and 1.171.1.0 ... but all Clients volume-licensed
    Wednesday, April 16, 2014 8:03 AM
  • Here's the solution:

    On the affected computer, with administrator privileges, go to the folder:

    C:\Program Files\Microsoft Security Client\

    And there run the command:

    MpCmdrun -RemoveDefinitions

    or

     MpCmdrun -RemoveDefinitions -All

    SCEP should be started.

    • Proposed as answer by Yuri Kuvshinov Wednesday, April 16, 2014 8:05 AM
    Wednesday, April 16, 2014 8:04 AM
  • Nope, removing the defs didn't fix us, tried that one hours ago ;)
    Wednesday, April 16, 2014 8:06 AM
  • Hello, 

    I'm having the same issue with all XP in my organization. Any fix for today?

    regards,

    Ionut B

    Wednesday, April 16, 2014 8:06 AM
  • Nope, removing the defs didn't fix us, tried that one hours ago ;)

    You need to roll back to the version below 1.171.1.0

    If the command

    MpCmdrun -RemoveDefinitions

    does not help, try this 

    MpCmdrun -RemoveDefinitions -All

    • Proposed as answer by postertag Wednesday, April 16, 2014 8:14 AM
    Wednesday, April 16, 2014 8:09 AM
  • I try to turn off the real-time protection

    Wednesday, April 16, 2014 8:10 AM
  • It's a known issue with the newest SCEP definitions (1.171.1.0).

    As a workaround, you need to disable behavior monitoring or apply the following reg. fix:

    HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection DisableBehaviorMonitoring = 1  (REG_DWORD)

    Thanks, it works.
    • Proposed as answer by Michal Fajta Wednesday, April 16, 2014 9:44 AM
    Wednesday, April 16, 2014 8:13 AM
  • Just to link this in the other direction to a thread I started about the same issue http://social.technet.microsoft.com/Forums/en-US/91c672fb-2b0a-4653-815b-3fb1a2dd343b/msmpsvc-terminates-with-definitions-117110-on-server-2003?forum=configmanagersecurity

    Is there any official info/docs/kb article about this yet?

    Wednesday, April 16, 2014 8:17 AM
  • Since this morning we're experiencing a similar issue with signature version 1.171.1.0.

    MsMpEng.exe crashes every few minutes with Application Error event id 1000

    This is SCEP 2012 on Windows 2008 R2 however.

    The crashes started 5 minutes after the signatures update was installed.


    Update: Disabling the behavior monitoring has stopped the crashes for us.
    Wednesday, April 16, 2014 8:22 AM
  • I applied the reghack but problem still exists. 
    Wednesday, April 16, 2014 8:24 AM
  • For us this works: turn EP off on the SCCM2012

    - restart client (takes 15 min and more)

    - wait

    - red window with the information that realtime protection is not working / EP symbol is red

    - restart client (normal speed)

    - status of realtime protection is "deactivated", EP symbol is green


    Wednesday, April 16, 2014 9:01 AM
  • Reg fix is working for me on Server 2003, but note that you have to spell behaviour in the American way without a "u", i.e. behavior (or copy and paste from above!) :-)
    Wednesday, April 16, 2014 9:04 AM
  • Had the same issue with definition version 1.171.1.0, disabling the "Behaviour Monitoring" has resolved the issue for now.

    Has anyone tested with the new 1.171.46.0 definitions to determine if the issue has been fixed?

    Wednesday, April 16, 2014 9:23 AM
  • If you are using Antimalware Policies the registry key is here:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection

    We are still testing though...

    Wednesday, April 16, 2014 9:27 AM
  • Has anyone tested with the new 1.171.46.0 definitions to determine if the issue has been fixed?

    Nope. The 1.171.46.0 doesn't solve the issue. Tested with two XP systems. I stopped the Microsoft AntiMalware service on my 2003 Servers, just to be sure. They haven't updated the definitions yet, so they are still running...

    Wednesday, April 16, 2014 9:28 AM
  • No, updating to newer definitions leaves our 2003-machines hanging.
    Wednesday, April 16, 2014 9:34 AM
  • Stopping the real-time scanner has helped us.
    Some clients already have the 1.171.46.0 installed.
    I will still leave the real-time scanner disabled.
    Wednesday, April 16, 2014 9:45 AM
  • On one of my 2003 x86 servers I've updated the defs to 1.171.46.0 and removed the DisableBehaviorMonitoring registry value. So far the service has not broken.

    Has only been about ten minutes, but based on what I was seeing earlier it looks like it might be fixed. Will update if it breaks.

    This server is running:

    Antimalware Client Version: 4.5.216.0

    Engine Version: 1.1.10501.0

    Wednesday, April 16, 2014 9:45 AM
  • On one of my 2003 x86 servers I've updated the defs to 1.171.46.0 and removed the DisableBehaviorMonitoring registry value. So far the service has not broken.

    I think if you do not restart the service, it will not reread the registry value. So don't restart the service till it's fixed by Microsoft.
    Wednesday, April 16, 2014 9:54 AM
  • On my server(s) the GUI seems to reflect the registry fairly quickly, but I did restart the service via the services.msc anyway. It still has yet to fail.

    Wednesday, April 16, 2014 10:00 AM
  • We just received a call from Microsoft to disable the SCEP behavior monitoring as a workaround
    • Proposed as answer by Nico Buma Wednesday, April 16, 2014 10:33 AM
    Wednesday, April 16, 2014 10:10 AM
  • Microsoft will be releasing an engine update today (no precise ETA yet)

    Hopefully it's stated as a SCEP issue and XP/2003 will benefit from that update despite being out of support period.

    Fingers crossed here !

    Wednesday, April 16, 2014 10:38 AM
  • OK, service failed. Took just under an hour to die. So on this server the 1.171.46.0 defs have not fixed the problem.
    Wednesday, April 16, 2014 10:52 AM
  • New def is up 1.171.53.0
    Wednesday, April 16, 2014 10:54 AM
  • New defs are up 1.171.64.0
    Wednesday, April 16, 2014 10:55 AM
  • latest now is 1.171.64.0

    Wednesday, April 16, 2014 10:56 AM
  • We have the same issue on around 80 XP machines. We need a fix fast please. Has anybody tested the SCEP updates? We installed 1.171.460 and it did not solve the problem.
    Wednesday, April 16, 2014 10:58 AM
  • Microsoft has announced the Windows XP end of support date of April 8, 2014. After this date, Windows XP will no longer be a supported operating system*. To help organizations complete their migrations, Microsoft will continue to provide updates to our antimalware signatures and engine for Windows XP users through July 14, 2015.

    This does not affect the end-of-support date of Windows XP, or the supportability of Windows XP for other Microsoft products, which deliver and apply those signatures.

    For enterprise customers, this applies to System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection and Windows Intune running on Windows XP. For consumers, this applies to Microsoft Security Essentials.

    http://blogs.technet.com/b/mmpc/archive/2014/01/15/microsoft-antimalware-support-for-windows-xp.aspx

    Wednesday, April 16, 2014 11:00 AM
  • Check Martin Elflein's answer
    Wednesday, April 16, 2014 11:07 AM
  • That seems to work on my test machine. After the option is disabled and the machine is rebooted the errors disappear. It's a workaround, but not a solution yet. I hope Microsoft will release an update which resolves the problem.
    Wednesday, April 16, 2014 11:09 AM
  • latest now is 1.171.64.0


    Anyone tried that on an affected XP System?
    Wednesday, April 16, 2014 11:24 AM
  • The workaround is ok.

    You can search with SCCM for the machines with "behavior monitoring" enabled with this SQL query:

    select distinct T2.Name from dbo.EP_AntimalwareHealthStatus T1, dbo.CollectionMembers T2 where T1.MachineID = T2.MachineID AND T1.BehaviorMonitorEnabled=1

    You can find machines with signature 1.171.* with this:

    select distinct T2.Name from dbo.EP_AntimalwareHealthStatus T1, dbo.CollectionMembers T2 where T1.MachineID = T2.MachineID AND T1.AntispywareSignatureVersion like '1.171.%'

    We hope Microsoft releases an update quickly!

    Lionel Traverse

    MCSE/MCT

    France / Paris

    Wednesday, April 16, 2014 11:27 AM
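
The two queries in the post above can be combined into one triage report that also lists machines where behavior monitoring is still switched off once their definitions are no longer in the affected range, which is the protection gap the workaround leaves behind. This is an added example, not part of the original post: it uses only the tables and columns that post names, it is written for T-SQL, and the `@FirstGoodBuild` threshold is an assumption based on reports in this thread (set it to 67 to be conservative).

```sql
-- Added example: triage report over the SCCM tables/columns named in the post above.
-- Assumption: first 1.171.x build treated as fixed; thread reports range from .64 to .67.
DECLARE @FirstGoodBuild int = 64;

SELECT DISTINCT
    cm.Name,
    hs.AntispywareSignatureVersion,
    hs.BehaviorMonitorEnabled,
    CASE
        WHEN v.Build171 < @FirstGoodBuild AND hs.BehaviorMonitorEnabled = 1
            THEN 'CRASH RISK: affected definitions, behavior monitoring on'
        WHEN v.Build171 < @FirstGoodBuild AND hs.BehaviorMonitorEnabled = 0
            THEN 'WORKAROUND HOLDING: update definitions, then re-enable'
        WHEN hs.BehaviorMonitorEnabled = 0
            THEN 'PROTECTION GAP: not on affected definitions, monitoring still off'
        ELSE 'OK'
    END AS Triage
FROM dbo.EP_AntimalwareHealthStatus AS hs
JOIN dbo.CollectionMembers AS cm
    ON cm.MachineID = hs.MachineID
CROSS APPLY (
    -- Third component of a 1.171.x.y version as an integer; NULL for anything else.
    -- The CAST sits in THEN so it only runs on strings that passed both LIKE checks.
    SELECT CASE
        WHEN hs.AntispywareSignatureVersion LIKE '1.171.%.%'
         AND hs.AntispywareSignatureVersion NOT LIKE '%[^0-9.]%'
        THEN CAST(PARSENAME(hs.AntispywareSignatureVersion, 2) AS int)
    END AS Build171
) AS v
-- Only rows that need attention: affected definitions, or monitoring disabled.
WHERE v.Build171 < @FirstGoodBuild
   OR hs.BehaviorMonitorEnabled = 0
ORDER BY Triage, cm.Name;
```

Rows marked PROTECTION GAP are the ones to follow up after the incident, since the registry or policy workaround stays in effect until someone reverts it.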
  • Installed 1.171.64.0 about 15 mins ago on a test machine with XP.

    Disabled the workaround. So Behaviour monitoring is enabled again.

    So far no problems.

    Wednesday, April 16, 2014 11:30 AM
  • Another 15 minutes down... Still no problems.
    Wednesday, April 16, 2014 11:46 AM
  • OK, I updated the definitions to 1.171.64.0 on a XP machine and disabled the workaround. It seems to work. But it was only a few minutes ago. Still watching...
    Wednesday, April 16, 2014 11:56 AM
  • is the .64 available thru the definitions page yet? or just SCCM?
    • Proposed as answer by Maxime Massant Wednesday, April 16, 2014 12:30 PM
    Wednesday, April 16, 2014 12:10 PM
  • I second that, I am currently in safe mode so cannot automatically download it. I go to the definitions page, download it and it's still 53.

    KevHal

    Wednesday, April 16, 2014 12:41 PM
  • Seems that 1.171.64.0 is working ok. Definition updates are distributed using SCCM. Some machines that were stuck at logon screen have updated definitions to 1.171.64.0. On SCCM we deleted all previous definitions, forced definition update on clients, then forced machine update policy, then again forced definition update on clients.

    Right now, out of ~700 machines only 84 have definitions 1.171.1, 1.171.46 or 1.171.53.

    Wednesday, April 16, 2014 1:13 PM
  • How are all of you getting the 1.171.64.0 version?... when I run the update from the endpoint, the latest I get is 1.171.53.0.  Thanks.
    Wednesday, April 16, 2014 2:08 PM
  • On SCCM
    Wednesday, April 16, 2014 2:13 PM
  • Microsoft Support answered us: "The temporary solution is to disable Behavior Monitoring in the Antimalware Policies on the SCCM server.

    AND:

    The next signature package fixes the problem: http://www.microsoft.com/security/portal/shared/prereleasesignatures.aspx"

    This morning the "next signature" was 1.171.64 and now 1.171.67 is prereleased.

    We are testing with 1.171.64, all seems ok but we are waiting for 1.171.67 for final validation process.

    Lionel

    Wednesday, April 16, 2014 2:25 PM
  • 1.171.64.0 working just fine
    Wednesday, April 16, 2014 2:56 PM
  • We had this problem on 10 PCs this morning.

    I've so far installed the 1.171.64.0 update on 2 of them, but unfortunately 1 reverted back to the previous behaviour.

    The other though; touch wood, is ok for now.


    Wednesday, April 16, 2014 3:57 PM
  • v1.171.67.0 seemed to fix it, where .48 still seemed to exhibit problems on some of our 2003 servers.  We had to pull the latest defs down manually as mpam-fe.exe, and ran on our servers which resolved the issue.

    Link to obtain:

    http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86


    Wednesday, April 16, 2014 4:19 PM
  • Does SCCM update automatically and distribute this update (on workstations) or not?
    Wednesday, April 16, 2014 4:23 PM
  • Here is our fix for the school district: http://www.coryfiala.com/windows-xp-msmpeng-exe-application-error-0x5a4d684d/

    -Safemode

    -Disable Monitor Behavior

    -Login Update Endpoint

    -Re-enable behavior

    -Done!

    Wednesday, April 16, 2014 7:42 PM
  • Hi,

    The latest definition updates fixed the problems for my customer

    Regards,
    Hau

    Thursday, April 17, 2014 2:49 AM
  • Hi,

    The latest definition updates fixed the problems for my customer

    Regards,
    Hau


    Same here. Thanks everyone!
    • Edited by RonHextall Thursday, April 17, 2014 5:16 AM
    Thursday, April 17, 2014 5:15 AM
  • To confirm, I can enable behavior monitoring again if the latest definitions are installed?

    Also, did Microsoft release an official statement somewhere about this?

    Wednesday, April 23, 2014 11:02 AM