SCEP 2012 4.3.215.0 with sigs 1.171.1.0 causes XP to hang until MsMpEng finally crashes

Question
-
Hi,
this morning all of our remaining XP machines are unresponsive for up to 30 minutes after startup until MsMpEng crashes[1].
It looks like an update either last night or this morning introduced this problem.
The affected machines run FEP 2012 4.3.215.0 with signatures 1.171.1.0. After the engine has crashed the system is responsive again until a few minutes later, after the service has restarted, the problem begins anew.
Does anyone have the same problem or any suggestions? We are currently applying KB2952678 to our SCCM in order to update to SCEP 4.5.216.0 to see if this fixes it.
Philipp
[1]
http://postimg.org/image/sgofxtshv/
http://postimg.org/image/jybtpj5xb/
http://postimg.org/image/z9a8wi1n5/
Wednesday, April 16, 2014 8:55 AM
Answers
-
- Proposed as answer by Susie LongModerator Wednesday, April 23, 2014 3:12 AM
- Marked as answer by Susie LongModerator Wednesday, April 23, 2014 3:20 AM
Monday, April 21, 2014 9:37 PM
All replies
-
We have a 2003 server farm; all our servers hit a wall this morning. We have removed Forefront for now. This has sorted our network. I believe Version 1.171.46.0 has since been released to fix the issue. We have not tested; we will leave it until out of hours to test.
Wednesday, April 16, 2014 9:06 AM
-
Hi,
Same problem for all our XP machines and 2003 servers.
waiting for the fix :]
Sylvain.
Wednesday, April 16, 2014 9:12 AM -
Our Windows XP machines, laptops and desktops are all affected. Win7 is fine. We have removed FEP from XP and it appears to work. We currently have Sig 1.171.1.0 and will be testing the new sig as well.
.: Lister :.
Wednesday, April 16, 2014 9:13 AM -
Same problem. Will report back if signature update resolves the issue.
Wednesday, April 16, 2014 9:16 AM
-
Same here, about 3500 computers hang at logon.
Wednesday, April 16, 2014 9:18 AM
-
Same here.
Wednesday, April 16, 2014 9:21 AM
-
Hi,
I suggest that you place a support call to Microsoft to make sure this is fixed.
Regards,
Jörgen-- My System Center blog ccmexec.com -- Twitter @ccmexec
Wednesday, April 16, 2014 9:23 AM -
The latest update 1.171.46.0 appears to be working, only rolled out to a few machines currently to test it.
Latest update can be downloaded from here manually. Working on getting SCCM to deploy the update; as XP is crashing it isn't downloading the update.
https://www.microsoft.com/security/portal/definitions/adl.aspx
What a great way to spend my Wednesday Morning! :)
.: Lister :.
Wednesday, April 16, 2014 9:25 AM -
We have Version 1.171.39.0 of System Center Endpoint Protection, with definitions from 2014-04-16 and we have the same problem for about 750 XP-machines.
Windows 7 seems unaffected.
Wednesday, April 16, 2014 9:25 AM -
Hello,
we tested on XP with 1.171.46.0 and got the same error.
Wednesday, April 16, 2014 9:27 AM -
Same here.
Wednesday, April 16, 2014 9:28 AM
-
Hello guys,
we have same issue too.
We are trying to install latest SCEP 2012 Signature (1.171.46.0) and Update (4.5.216.0). I'll keep you informed.
Bye,
Luca
Disclaimer: This posting is provided AS IS with no warranties or guarantees, and confers no rights. Whenever you see a helpful reply, click on [Vote As Help] and click on [Mark As Answer] if a post answers your question.
Wednesday, April 16, 2014 9:36 AM -
We received a workaround from Microsoft:
you have to uncheck Enable Behavior Monitoring from Settings.
Wednesday, April 16, 2014 9:41 AM -
Hi,
a quick update:
Neither 4.5.216.0 nor sigs 1.171.46.0 fixes the issue. I have begun to disable the antimalware service on a case-by-case basis to get critical systems up again.
Philipp
Wednesday, April 16, 2014 9:58 AM -
We received a workaround from Microsoft:
you have to uncheck Enable Behavior Monitoring from Settings.
Currently, 20 minutes after being applied, the problem seems to be resolved.
- Proposed as answer by Mike Lister Wednesday, April 16, 2014 10:07 AM
Wednesday, April 16, 2014 10:03 AM -
Good solution.
It worked for us.
- Edited by Bill pat Wednesday, April 16, 2014 10:04 AM
Wednesday, April 16, 2014 10:04 AM -
Removing the tick from Enable Behaviour Monitoring appears to be working for us at the moment, GPO keeps reapplying it so we are currently looking to change that until a new Sig comes out :)
.: Lister :.
Wednesday, April 16, 2014 10:08 AM -
Same issues here. We GPO-disabled the service for XP systems whilst trying to figure out the cause; will test this now :)
Wednesday, April 16, 2014 10:11 AM
-
Removing the tick from Enable Behaviour Monitoring appears to be working for us at the moment, GPO keeps reapplying it so we are currently looking to change that until a new Sig comes out :)
.: Lister :.
You can uncheck it from SCCM console -> Assets and Compliance -> Antimalware Policies -> <your policy> -> Real time protection -> Enable behavior monitoring -> No
Wednesday, April 16, 2014 10:13 AM -
Hello,
we unchecked "Enable behavior monitoring" in Antimalware Policies and deployed to all clients. On those that got the policy the issue seems to be solved. Thank you Robert Nechita.
The setting above could be disabled by forcing Registry Key DisableBehaviorMonitoring (DWORD) to 1 under the path: HKLM\Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection*
* - If you don't disable it from Antimalware Policies, the Registry Key could be set to value 0 again after a Machine Policy Retrieval & Evaluation Cycle occurs.
IS THERE ANY OFFICIAL FEEDBACK FROM MICROSOFT HERE (ABOUT THE ISSUE, NOT THE WORKAROUND)?
Bye,
Luca
Disclaimer: This posting is provided AS IS with no warranties or guarantees, and confers no rights. Whenever you see a helpful reply, click on [Vote As Help] and click on [Mark As Answer] if a post answers your question.
- Proposed as answer by Mike Lister Wednesday, April 16, 2014 10:49 AM
- Edited by lucafabbri365 Wednesday, April 16, 2014 12:08 PM
Wednesday, April 16, 2014 10:19 AM -
We get this error. (Just to help search; I think the address is static with this latest version.)
"Virhesovellus MsMpEng.exe, versio 4.5.216.0, moduuli mpengine.dll, versio 1.1.10501.0, osoite 0x003d684d."
- Edited by Meitzi Wednesday, April 16, 2014 10:23 AM
Wednesday, April 16, 2014 10:20 AM -
Definition version 1.171.46.0 fixed the issue for me.
Wednesday, April 16, 2014 10:25 AM
-
My issue is fixed with the new definition version. Please update your definitions.
Wednesday, April 16, 2014 10:44 AM -
Thanks Rob, just created a policy for XP machines :) appears to be ok now.
Will there be a permanent fix for this for future defs?
.: Lister :.
Wednesday, April 16, 2014 10:49 AM -
definition version 1.171.46.0 fixed the issue for me
This doesn't fix the problem, but 1.171.53.0 does fix the problem.
Wednesday, April 16, 2014 10:54 AM -
1.171.53.0 - same problem with Windows XP and Server 2003. :^(
Wednesday, April 16, 2014 11:05 AM
-
Same problem with 1.171.53.0. Sorry, too soon to call it fixed.
Wednesday, April 16, 2014 11:06 AM
-
I have about 700 computers with the same problem...
Wednesday, April 16, 2014 11:14 AM -
Same problem on our side: over 1800 servers (all 2003) and some clients hung. Neither the engine nor the definitions update has worked; we're testing turning off the behaviour monitoring, I'll keep you posted.
Gabriel
Wednesday, April 16, 2014 11:17 AM -
Testing with Definition 1.171.64.0 now.
Wednesday, April 16, 2014 11:21 AM
-
I have a sneaking suspicion this is due to the engine update first released in definition 1.171.0.0.
Antimalware Engine 1.1.10501.0 was released to all Microsoft Security Essentials, Forefront Client Security, Forefront Endpoint Protection, Windows Intune Endpoint Protection, and Windows System Center Endpoint Protection customers on 15 April 2014. Signature package 1.171.0.0 is the first that contains this engine.
From my local testing I have seen the following.
Remote analysis of logs on PC **********:
- No symptoms until this event; Installation Successful: Windows successfully installed the following update: Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.171.46.0)
- After this event, frequent exceptions relating to the antimalware service appearing up to every 30 seconds:
Faulting application MsMpEng.exe, version 3.0.8402.0, faulting module mpengine.dll, version 1.1.10501.0, fault address 0x003d684d.
- Until this event; Microsoft Security Client successfully applied security policy: "**************Policy XP". (This has behaviour monitoring disabled)
- After this no more exceptions have been logged from the Antimalware service.
Wednesday, April 16, 2014 11:26 AM
-
Testing with Definition 1.171.64.0 now
1.171.64.0 - Seems to work fine, just tested on a couple of 2003 and one XP. :^)
Wednesday, April 16, 2014 11:35 AM -
Same issue here. Client Version 4.5.216.0 and 1.171.46.0.
Microsoft what are you doing????
Wednesday, April 16, 2014 11:36 AM -
Testing with Definition 1.171.64.0 now
1.171.64.0 - Seems to work fine, just tested on a couple of 2003 and one XP. :^)
No problem here either. But I want to see it running for 30 minutes before I trust it.
- Proposed as answer by Kristoffer Hansen Wednesday, April 16, 2014 1:09 PM
Wednesday, April 16, 2014 11:41 AM -
I only found 1.171.53.0 at https://www.microsoft.com/security/portal/definitions/adl.aspx
Where can I find 1.171.64.0 version?
Chaotic..
Wednesday, April 16, 2014 11:43 AM -
I only found 1.171.53.0 at https://www.microsoft.com/security/portal/definitions/adl.aspx
Where can I find 1.171.64.0 version?
Chaotic..
----------------------
Got mine from Windows update
Wednesday, April 16, 2014 11:54 AM -
definition version 1.171.46.0 fixed the issue for me
Where can I find it?
Wednesday, April 16, 2014 12:10 PM -
Yeah, same problem. Usually they release the full package a few minutes later than the DELTA ones ... we just have to wait, I think.
We're testing 1.171.64 got from Windows Update, seems good so far...
Gabriel
- Proposed as answer by ChiefMC Wednesday, April 16, 2014 1:19 PM
Wednesday, April 16, 2014 12:10 PM -
Has anyone found a direct download for the 1.171.64 Definition? If so could someone throw us out the link? :)
Edit: Nevermind, .64 definitions just showed up in our SCCM server.
- Edited by Eli Misel Wednesday, April 16, 2014 12:24 PM
Wednesday, April 16, 2014 12:21 PM -
related threads:
- Meitzi [MCITP]
Wednesday, April 16, 2014 12:22 PM -
Has anyone found a direct download for the 1.171.64 Definition? If so could someone throw us out the link? :)
So far I have only been able to download it via Windows Update.
Wednesday, April 16, 2014 12:23 PM -
I got it through WSUS and SCCM. Distributed it to my clients also.
Try to do a manual sync of your WSUS.
Wednesday, April 16, 2014 12:26 PM -
So far 1.171.64 has fixed the problem for all the servers in our hosting environment.
Wednesday, April 16, 2014 12:34 PM
-
New 1.171.67:
http://www.microsoft.com/security/portal/shared/prereleasesignatures.aspx
Microsoft pre-release definition updates
Latest pre-release definition version: 1.171.67.0
Microsoft offers partially-tested pre-release definition updates for download before the fully-tested (released) version is available. These updates are listed below.
You can use these pre-release definitions to clean infected computers. You can also use them to protect computers that are at an immediate risk of infection. The pre-release definition update is not meant for enterprise-wide deployment.
Pre-release updates are explicitly created for malicious software threats. You should not deploy a pre-release definition update if you are not experiencing a threat for which it was explicitly created.
Note: After additional testing, certain pre-release definition updates will be released as regular definition updates. The same binary file that was used for the pre-release definition update may be used for the released definition update.
Wednesday, April 16, 2014 12:45 PM -
We are just wrapping up cleanup on our end.
I've opened case with MS Premier Support as well. They have confirmed what was already said here on the forums.
To fix this, as said earlier, sync the latest update in your WSUS/SCCM; if you get updates from Microsoft directly, you can run
"<c:\Program Files\Microsoft Security Client\MpCmdRun.exe>" -SignatureUpdate to force the update of definitions.
If you use ADR in SCCM, just sync updates with WSUS, and manually kick off your ADR to be downloaded and deployed.
On Server 2003, the SCEP service will most likely be stopped, so you will have to enable the service first, then force the update.
As for the behavioral monitoring setting, the Microsoft rep has told me that this setting has been fixed in the latest release, but they still recommend keeping behavioral monitoring off on XP and 2003 Servers until an official statement.
- Edited by skywalker123 Wednesday, April 16, 2014 2:12 PM
Wednesday, April 16, 2014 2:09 PM -
Sorry to report bad information. 1.171.46.0 did not fix the problem. We ended up turning off Behavior Monitoring and await official word from Microsoft.
Good information - http://msmvps.com/blogs/kenlin/archive/2014/04/16/winxp-and-or-win2003-with-sc-forefront-endpoint-protection-installed-msmpeng-exe-crashes-after-definition-update.aspx
- Proposed as answer by justinmeryment1 Wednesday, April 16, 2014 11:49 PM
Wednesday, April 16, 2014 3:14 PM -
.64 fixes the problem, not 46.
- Edited by skywalker123 Wednesday, April 16, 2014 3:24 PM
Wednesday, April 16, 2014 3:21 PM -
We updated our definitions to 1.171.64 and turned off Behavior Monitoring, and that immediately fixed any issues that we had in our environment. We still had a few computers that seem to be running on version 46 with Behavior Monitoring turned on; not sure how or why, but they are. I think as long as the machine has not rebooted recently (updates were released in our environment this morning) then they are somewhat okay. It will be interesting to see if Microsoft will even comment on this, due to XP no longer being "supported."
Wednesday, April 16, 2014 6:06 PM
-
We ended up disabling real-time protection altogether as our initial step, as this was affecting 165 machines. So now we are going to make sure the latest definition is in place and then re-enable real-time protection without behavior monitoring enabled.
Will post once we've completed the process.
Scott M. Phoenix, AZ
Wednesday, April 16, 2014 6:07 PM -
Hi, I have the same problem since early morning with a few of the Windows XP machines with Forefront Endpoint Protection installed, but I didn't check what definitions were installed on these systems.
To prevent hanging of the system I have unchecked (removed) the tick from Enable Behaviour Monitoring on one of the Windows 2008 R2 Servers.
About Windows 2003 Servers ...
I have also uninstalled SCEP from a Windows 2003 R2 Server, because I am worried about it after reading the lines above. Is it possible to have the same problem with Windows Server 2008 R2 with SCEP 2012 with definition version 1.171.46.0?
What is the official opinion and decision of Microsoft?
- Edited by I. Madzharov Wednesday, April 16, 2014 7:55 PM
Wednesday, April 16, 2014 7:48 PM -
Looks like MS is going to release updates, but hasn't officially stated that it's OK to tick Behavior Monitoring back on yet.
On our Server 2003 systems, unticking that box worked; we didn't need to fully uninstall. Just a note.
Wednesday, April 16, 2014 8:03 PM -
Unfortunately version 1.171.46.0 does not fix the issue. This is only my opinion. This morning I have problems again with XP with FEP definitions 1.171.46 and 1.171.106.0.
The problem still continues if you do not uncheck the behavior monitoring, and this does not depend on the installed antivirus definitions.
- Edited by I. Madzharov Thursday, April 17, 2014 6:45 AM
Thursday, April 17, 2014 6:43 AM -
Hello,
I summarise here all information coming from this TechNet Forums post. Starting from Signature Version 1.171.64.0 the problem should be solved on Windows XP (and Windows Server 2003) machines.
You can launch Signature Update manually: %ProgramFiles%\Microsoft Security Client\MpCmdRun.exe -SignatureUpdate. Otherwise you can disable "Enable behaviour monitoring" (under SCEP client Settings) following one of the points below:
- Opening System Center Endpoint Protection client => Settings => Real-time protection => uncheck Enable behaviour monitoring
- Setting Registry Key DisableBehaviorMonitoring (DWORD) to 1 under the path HKLM\Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection; (command: REG ADD "HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_dword /d 1 /f)
- If SCEP is used in conjunction with SCCM 2012, then you can change it centrally and push the policy to all of your computers: SCCM console => Assets and Compliance => Endpoint Protection => Antimalware Policies => choose the policy to be modified => right click and then Properties => Real-time protection => set Enable behavior monitoring to No
Bye,
Luca
Disclaimer: This posting is provided AS IS with no warranties or guarantees, and confers no rights. Whenever you see a helpful reply, click on [Vote As Help] and click on [Mark As Answer] if a post answers your question.
- Proposed as answer by Andrzej Jaracz Thursday, April 17, 2014 9:30 AM
- Edited by lucafabbri365 Thursday, April 17, 2014 9:58 AM
Thursday, April 17, 2014 7:35 AM -
Next Action from Microsoft:
We are pending a release of a definition update so BM can be enabled again. We will actively communicate out again as soon as the definition becomes available.
How to Disable Behavior Monitoring feature:
1. Configure Policy with SCCM
2. Configure Policy by GPO
Distribute the registry change as a Machine Startup/Shutdown Script by using GPO.
Batch:
reg add "HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_dword /d 1 /f
3. Update Registry by entering SafeMode
You can also set below registry value to disable BM:
HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection DisableBehaviorMonitoring = 1 (REG_DWORD)
4. FEP - Applying Policies from the Command Prompt
Thursday, April 17, 2014 7:10 PM -
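Added here as an example (not code from any poster in the thread or from Microsoft): a PowerShell triage script that combines the steps in Luca's summary and Microsoft's "Next Action" post above: it reads the client's signature and engine versions, counts recent MsMpEng.exe faults in mpengine.dll from the Application log, and applies the DisableBehaviorMonitoring workaround plus an MpCmdRun -SignatureUpdate pull only when the client is still on pre-1.171.64.0 definitions or is actively crashing. Assumptions not on the page: the version values live under HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates as AVSignatureVersion and EngineVersion, and the crash is logged as Application event 1000 from source "Application Error".

```powershell
# Triage one FEP/SCEP client for the engine 1.1.10501.0 hang and apply the
# thread's workaround. Run elevated; works with PowerShell 2.0 on XP/2003.
# ASSUMPTION: versions are stored under "...\Microsoft Antimalware\Signature Updates"
# (AVSignatureVersion / EngineVersion); crashes are event 1000, source "Application Error".

$amRoot    = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware'
$rtpKey    = Join-Path $amRoot 'Real-Time Protection'
$fixedSig  = [version]'1.171.64.0'   # first definition the thread reports as fixed
$badEngine = [version]'1.1.10501.0'  # faulting mpengine.dll version quoted in the thread

function Get-AmVersions {
    $sig = Get-ItemProperty -Path (Join-Path $amRoot 'Signature Updates') -ErrorAction Stop
    @{ Signature = [version]$sig.AVSignatureVersion; Engine = [version]$sig.EngineVersion }
}

function Get-MsMpEngCrashCount([int]$Hours = 2) {
    # Match on the module names, not the message text, so localized logs
    # (e.g. the Finnish "Virhesovellus MsMpEng.exe ..." quoted above) also count.
    Get-EventLog -LogName Application -Source 'Application Error' `
                 -After (Get-Date).AddHours(-$Hours) -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 1000 -and
                       $_.Message -match 'MsMpEng\.exe' -and $_.Message -match 'mpengine\.dll' } |
        Measure-Object | Select-Object -ExpandProperty Count
}

function Disable-BehaviorMonitoring {
    # Same effect as the thread's: reg add "...\Real-Time Protection" /v DisableBehaviorMonitoring /t reg_dword /d 1 /f
    # An SCCM antimalware policy or GPO re-applies its own value at the next policy cycle,
    # so the managed setting (Antimalware Policies, or the HKLM\...\Policies\... key) must change too.
    if (-not (Test-Path $rtpKey)) { New-Item -Path $rtpKey -Force | Out-Null }
    Set-ItemProperty -Path $rtpKey -Name DisableBehaviorMonitoring -Type DWord -Value 1
}

$v       = Get-AmVersions
$crashes = Get-MsMpEngCrashCount
Write-Host ("Signature {0}, engine {1}, MsMpEng/mpengine faults in last 2h: {2}" -f
            $v.Signature, $v.Engine, $crashes)

if ($v.Signature -lt $fixedSig -or $crashes -gt 0) {
    Write-Host 'Pre-fix definitions or active crashing detected: disabling behavior monitoring.'
    Disable-BehaviorMonitoring
    # Pull current definitions the way the thread's posts do (switch is from the thread).
    $mpCmdRun = Join-Path $env:ProgramFiles 'Microsoft Security Client\MpCmdRun.exe'
    if (Test-Path $mpCmdRun) { & $mpCmdRun -SignatureUpdate }
} elseif ($v.Engine -eq $badEngine) {
    Write-Host 'Fixed definitions present, no recent faults; BM left as-is per Microsoft guidance.'
} else {
    Write-Host 'Engine differs from the faulting build; this client is outside the reported issue.'
}
```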
Does it appear that the latest updates have fixed the issue with behavior monitoring?
I didn't find any "official" blog or news stating such.
Thanks
Monday, April 21, 2014 1:04 PM -