SCEP Crashing PC's

  • Question

  • Hi,

    Our Windows 8 machines seem to have the following errors today, is there a dodgy definition update??: 

    Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.

    Feature: On Access

    Error Code: 0x80070006

    Error description: The handle is invalid.

    Reason: The filter driver was unloaded unexpectedly.

    Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.

    Feature: Network Inspection System

    Error Code: 0x80070002

    Error description: The system cannot find the file specified.

    Reason: The system is missing updates that are required for running Network Inspection System.  Install the required updates and restart the computer.

    Faulting application name: MsMpEng.exe, version: 4.7.214.0, time stamp: 0x556e9f09

    Faulting module name: mpengine.dll, version: 1.1.15700.9, time stamp: 0x5c6dce74

    Exception code: 0xc0000005

    Fault offset: 0x0000000000391480

    Faulting process id: 0x12a4

    Faulting application start time: 0x01d4de3e8a2e08b8

    Faulting application path: c:\Program Files\Microsoft Security Client\MsMpEng.exe

    Faulting module path: c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{07A93C4E-66B7-4C7A-AC0F-C4C97E48B705}\mpengine.dll

    Report Id: 3be5a84f-4a34-11e9-8297-002618fdec3e

    Faulting package full name:

    Faulting package-relative application ID:

    Tuesday, March 19, 2019 11:10 AM

Answers

  • New definition is out finally:

    1.289.1587.0

    • Marked as answer by John555444 Wednesday, March 20, 2019 2:09 PM
    Tuesday, March 19, 2019 7:16 PM
  • I'm sure they are spending all of their time calling everyone with their Sev A tickets opened.  But I just received my call and yes the issue is global and is fixed in this newest definition. 
    While I was waiting I sent an update defender policy to turn off all scans.  I'll wait a day until everyone gets this new definition before I turn it back on.

    Did anyone have this issue on Win10 machines?  I was only seeing it on Win7 machines.

    Thanks.

    Jay


    JayMurfe

    • Marked as answer by John555444 Wednesday, March 20, 2019 2:09 PM
    Tuesday, March 19, 2019 7:10 PM

All replies

  • It's crashing on Windows 7 PC's too :(
    Tuesday, March 19, 2019 11:33 AM
  • Error:

    Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.

    Feature: Network Inspection System

    Error Code: 0x80070002

    Error description: The system cannot find the file specified.

    Reason: The system is missing updates that are required for running Network Inspection System.  Install the required updates and restart the computer.

    Tuesday, March 19, 2019 11:35 AM
  • can you try to update the Client with mpcmdrun directly

    Folder should look like C:\program files\windows defender

    MpCmdRun.exe /SignatureUpdateAndQuickScan


    Klaus

    Tuesday, March 19, 2019 11:44 AM
  • Same shit here, Windows 7 Clients

    Faulting application name: MsMpEng.exe, version: 4.10.209.0, time stamp: 0x582a94a1
    Faulting module name: mpengine.dll, version: 1.1.15700.9, time stamp: 0x5c6dce74
    Exception code: 0xc0000005
    Fault offset: 0x0000000000391480
    Faulting process id: 0x3b4
    Faulting application start time: 0x01d4a16b4f4859e1
    Faulting application path: C:\Program Files\Microsoft Security Client\MsMpEng.exe
    Faulting module path: C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D967D2A2-4074-4453-B8FC-E5226D63E7AB}\mpengine.dll
    Report Id: 3c29ff8b-4a35-11e9-a814-0050569f5188

    Tuesday, March 19, 2019 11:54 AM
  • Well that is a relief to be honest that it is not just us!

    I am turning real time scanning off temporarily and keep checking WSUS for updates.

    Our troubles only started today, is that the same with you?

    Tuesday, March 19, 2019 12:02 PM
  • Also crashing Windows 2012 R2.

    Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.
      Feature: On Access
      Error Code: 0x80070006
      Error description: The handle is invalid.
      Reason: The filter driver was unloaded unexpectedly.

    Tuesday, March 19, 2019 12:05 PM
  • Yep just happened here as well.
    Tuesday, March 19, 2019 12:05 PM
  • Same here

    Win 7 x64 (SCCM CB)

    Tuesday, March 19, 2019 12:06 PM
  • Same on our network. Windows 7 Pro, 64Bit

    MsMpEng.exe 0xc0000005 mpengine.dll

    Tuesday, March 19, 2019 12:07 PM
  • Same shit for me, Windows 7 reported so far. I tried removing and reinstalling definitions with

    "C:\Program Files\Microsoft Security Client\MpCmdRun.exe" -removedefinitions -all
    "C:\Program Files\Microsoft Security Client\MpCmdRun.exe" -signatureupdate -mmpc
    without luck.
    Tuesday, March 19, 2019 12:21 PM
  • Am really crossing my fingers that the next definition update will fix it. Would log a call with Microsoft if it didn't cost loads of money... anyone have a support plan with them? Would like to know if they recognise this as an issue, and the fix they will be providing..

    I don't want to particularly rush around hundreds of pc's removing scep and installing something else!!!

    Tuesday, March 19, 2019 12:38 PM
  • I have the same issue on Windows Server 2012 and 2012 R2. I have tried almost everything. Started early this morning 
    Tuesday, March 19, 2019 12:40 PM
  • WS 2008 R2 same problem
    Tuesday, March 19, 2019 12:55 PM
  • Anyone got the problem on Windows 10 out of interest? I haven't had any reports on our Windows 10 pcs but I know they run on a different engine..
    Tuesday, March 19, 2019 12:59 PM
  • Same here. Windows 7 has problem with latest definition 1.289.1521.0

    This can mitigate problems. MpCmdRun.exe -RemoveDefinitions

    Tuesday, March 19, 2019 1:01 PM
  • I can confirm the exact same thing for me. When Quickscan completes it crashes the service. I tried deleting the definitions and redownloading. No dice. Like someone else said, turning off the quick scan should do it... but that's not the best advice. Haven't seen anything from MSFT about it yet. 
    Tuesday, March 19, 2019 1:08 PM
  • Looks like there was an engine update with the definitions from last night (1.289.1521.0). Rename the folder that contains mpengine.dll from "C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates" and then start the service.
    • Edited by A.Doolin Tuesday, March 19, 2019 1:10 PM
    • Proposed as answer by A.Doolin Tuesday, March 19, 2019 1:38 PM
    Tuesday, March 19, 2019 1:09 PM
  • So you have managed to remove the latest definitions and go back to the previous?

    Have you spoken with Microsoft, do you know if it will be fixed in the next definitions?

    Tuesday, March 19, 2019 1:09 PM
  • just start the update and quickscan 
    Result = 

    W2k16 without Problems 

    W2k12R2 without problems

    Win 10 without problems

    win 7 without Problems 


    Klaus


    Tuesday, March 19, 2019 1:14 PM
  • How is this helpful? I'm not getting the problem on all Windows 7 and 8.1 machines, but it's obvious from all the comments above that I am not the only person having this issue...
    Tuesday, March 19, 2019 1:19 PM
  • Just to show you this is not overall a problem

    More or less for your information. If you do not like it, you can ignore this information.


    Klaus

    Tuesday, March 19, 2019 1:21 PM
  • Ok I know it's not happening on every machine, but it is on some and it's not a one-off issue as many are having problems with this update, hopefully MS will have a fix in the next definition update anyway... A bit depressing at the moment though.
    Tuesday, March 19, 2019 1:22 PM
  • The phrase "not overall a problem" is relative. One of my clients is experiencing this problem on all of their Windows 7 machines. To them, "overall" that is a problem.

    There's clearly something wrong with the latest definitions. 

    Tuesday, March 19, 2019 1:28 PM
  • more people with the same issue:

    https://www.askwoody.com/2019/windows-defender-security-definition-problems/

    https://answers.microsoft.com/en-us/protect/forum/all/microsoft-security-essentials-log-indicates-it/38f0cc95-d40d-4030-a1fc-36679010fcf9

    Tuesday, March 19, 2019 1:33 PM
  • Just to throw my hat in the ring, getting the same issues here with the latest definitions and it's only affecting the Windows 7 Clients. Specifically getting the error regarding the filter driver crashing. The error description is "The Handle is Invalid"

    Tuesday, March 19, 2019 1:33 PM
  • We also have this problem on multiple systems. It occurs after a quickscan is run, and after an EICAR file is placed.
    Tuesday, March 19, 2019 1:35 PM
  • Likewise, same here. Windows 7, Svr 2008 / 2012 included. Managed to get some devices rolled back so they are now on a slightly older AV Def version, not ideal, but SCEP is green and running.  Keeping eyes peeled for the main underlying cause and a fix...soon hopefully!
    Tuesday, March 19, 2019 1:37 PM
  • same problem here... SCEP on many WS 2012 R2 crash
    Tuesday, March 19, 2019 1:59 PM
  • We've filed a support case with Microsoft and they confirmed this was a global issue and is being worked on, did not get an ETA.
    Tuesday, March 19, 2019 2:13 PM
  • Did they give you a case/ticket number?
    They must have a master ticket open...and I'd rather get it here than trying to get MS Support on the line right now.  :P
    Tuesday, March 19, 2019 2:17 PM
  • Thank you. If you could keep us updated that would be fantastic.. I hope it's just a new definition update needed rather than having to install a hotfix on everything etc.
    Tuesday, March 19, 2019 2:25 PM
  • Same problem here Win 2008 r2
    Tuesday, March 19, 2019 2:36 PM
  • Can confirm on most of our Windows 7 32Bit PCs and on our Windows Server 2003.

    The problem occurs right at the end of a scan / automated scan.

    Tuesday, March 19, 2019 2:48 PM
  • W7 64 bit - Running SCEP in Education

    Rollback -> "c:\program files\Microsoft Security Client\mpcmdrun" -RemoveDefinitions

    Disable updates so new one isn't pulled again.


    • Edited by falctrader Tuesday, March 19, 2019 2:51 PM
    Tuesday, March 19, 2019 2:48 PM
  • Just take mpasdlta.vdm and mpavdlta.vdm from c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup and replace near into {random ID} folder with today's modified folder, also disable MSE schedule until MS make new virus definition update. 
    Tuesday, March 19, 2019 2:57 PM
  • We are seeing this, as well.  Windows 7 machines, event log:


    Faulting application name: MsMpEng.exe, version: 4.10.209.0, time stamp: 0x582a94a1
    Faulting module name: mpengine.dll, version: 1.1.15700.9, time stamp: 0x5c6dce74
    Exception code: 0xc0000005
    Fault offset: 0x0000000000391480
    Faulting process id: 0x338
    Faulting application start time: 0x01d4d952640a5472
    Faulting application path: c:\Program Files\Microsoft Security Client\MsMpEng.exe
    Faulting module path: c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7AD16108-49E7-46E1-9139-DFF8BF72BE7B}\mpengine.dll
    Report Id: 3d7cef13-4a04-11e9-9ecc-00155debdb04

    a restart stops the prompt, but once a quick scan runs, the prompt reappears

    Tuesday, March 19, 2019 3:04 PM
  • We have exactly the same issue here. Hope MS will fix it soon with a new update.

    Tuesday, March 19, 2019 3:23 PM
  • Have just sync'd WSUS, seems they have expired the update, but not offered a new one.
    Tuesday, March 19, 2019 3:28 PM
  • Just received an update on the global issue ticket:

    "According to the Microsoft engineering teams, the issue will be fixed in the next version (1.289.1573.0.) which is expected to be available in a couple of hours."

    Received 11:34AM Eastern time

    Tuesday, March 19, 2019 3:38 PM
  • Fantastic, hopefully tomorrow will be pain free!
    Tuesday, March 19, 2019 3:40 PM
  • Looks like there was an engine update with the definitions from last night (1.289.1521.0). Rename the folder that contains mpengine.dll from "C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates" and then start the service.

    I had a similar issue that is being reported here on multiple Server 2012 R2 servers. Below is the resolution that we have found and it appears to be working so far.

    • Navigate to C:\ProgramData\Microsoft\Microsoft Antimalware\
    • Rename “Definitions Update” folder, I renamed to “Definitions Update.old” on our server
    • Restart the Microsoft Antimalware Service (MsMpSvc) on the server.
    • Selected “Update Definitions” after about 10 minutes of the server being operational to verify this was functional.

    So far this seems to have resolved the issue on our server, I am currently monitoring to verify this continues working. 

    Below is a PowerShell that can accomplish this step easily:

    • Rename-Item "C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates" "C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates.old"
    • net start MsMpSvc

    Optionally, we could just delete the folder rather than rename it to keep the folder clean:

    • Remove-Item -Path "C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates" -Recurse
    • net start MsMpSvc

    I have verified the above has resolved this issue on 3 separate servers. They are all on definition version 1.289.1512.0. I will continue to monitor our servers and update this thread if they break again.

    Special thanks to A.Doolin in this thread, as his suggestion helped resolve this issue for our company.


    • Proposed as answer by B. Garrett Tuesday, March 19, 2019 3:44 PM
    • Unproposed as answer by John555444 Tuesday, March 19, 2019 3:57 PM
    • Proposed as answer by MaartenExe Tuesday, March 19, 2019 4:04 PM
    Tuesday, March 19, 2019 3:43 PM
  • I am skeptical the definitions will update if the service is broken. First time ever with this issue, so it will be interesting to see what happens
    Tuesday, March 19, 2019 3:44 PM
  • Looks like there was an engine update with the definitions from last night (1.289.1521.0). Rename the folder that contains mpengine.dll from "C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates" and then start the service.

    We have many instances where SCEP will not run even if a scan is not initiated. In this case, just rolling back the definitions isn't working because the service will not run for longer than a minute or two. I threw together a PowerShell script to fix the problem and roll back the problematic definitions. If you are using SCCM make sure to disable the deployment of the 1.289.1521.0 definitions and redeploy 1.289.1507.0 or earlier.

    **Please review and run at your own risk. It works for my environment**

    # Script assumes MsMpSvc is broken and in a stopped state

    If ((Get-Service -Name MsMpSvc).Status -ne "Running") {
        # Version info of every mpengine.dll under the definition store
        $filelist = Get-ChildItem -Path "$env:ProgramData\Microsoft\Microsoft Antimalware\Definition Updates" -Recurse | Where-Object { $_.Name -eq "mpengine.dll" } | Select-Object -ExpandProperty VersionInfo
        # Folder of the service binary, which also holds MpCmdRun.exe
        $MSMPSVCpath = ((Get-WmiObject -Namespace root\cimv2 -Class Win32_Service -Filter "name = 'MSMPSVC'" | Select-Object -ExpandProperty PathName) -replace 'MsMpEng.exe', "") -replace '"', ''
        $MpCmdRun = $MSMPSVCpath + "MpCmdRun.exe"
        $removeditems = 0

        ForEach ($obj in $filelist) {
            # Delete every definition folder that holds the faulting engine build
            If ($obj.ProductVersion -eq '1.1.15700.9') {
                Write-Host $obj.FileName
                $parentfolder = Split-Path -Path $obj.FileName -Parent
                Get-ChildItem -Path $parentfolder -Recurse | Remove-Item -Force -Confirm:$false
                Remove-Item -Path $parentfolder -Recurse -Force -Confirm:$false
                $removeditems++
            }
        }

        If ($removeditems -gt 0) {

            # Remove SCCM cache so the bad definition package is not reapplied from it
            $resman = New-Object -ComObject "UIResource.UIResourceMgr"
            $cacheInfo = $resman.GetCacheInfo()
            $cacheInfo.GetCacheElements() | ForEach-Object { $cacheInfo.DeleteCacheElement($_.CacheElementID) }

            Start-Service -Name MsMpSvc
            Start-Sleep -Seconds 10
            # Arguments use plain ASCII hyphens; MpCmdRun.exe does not parse typographic dashes
            Start-Process $MpCmdRun -ArgumentList "-RemoveDefinitions -All" -PassThru -Wait
            Start-Sleep -Seconds 10
            Start-Process $MpCmdRun -ArgumentList "-SignatureUpdate" -PassThru
        }
    }




    • Edited by A.Doolin Tuesday, March 19, 2019 5:31 PM
    • Proposed as answer by Kurt B. Mayer Monday, March 25, 2019 3:46 PM
    Tuesday, March 19, 2019 3:56 PM
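
Added example, not part of the thread or of any poster's script: a read-only PowerShell triage check for the crash signature reported in the posts above (MsMpEng.exe faulting in mpengine.dll 1.1.15700.9). The function names are hypothetical, and it assumes PowerShell 3.0 or later and that 1.1.15700.9 is the engine build to flag; the sample text is copied from a crash event quoted in the thread.

```powershell
# Added example (not from the thread). Read-only: it changes nothing on the host.
# Assumptions: PowerShell 3.0+; the engine build to flag is the one the thread names.
$BadEngine = '1.1.15700.9'

function ConvertFrom-CrashText {
    # Parse the "Faulting ..." text of an Application Error event into an object.
    param([Parameter(Mandatory = $true)][string]$Text)
    $r = [ordered]@{ App = $null; AppVersion = $null; Module = $null
                     ModuleVersion = $null; ExceptionCode = $null }
    if ($Text -match 'Faulting application name:\s*([^,\r\n]+),\s*version:\s*([\d.]+)') {
        $r.App = $Matches[1].Trim(); $r.AppVersion = $Matches[2]
    }
    if ($Text -match 'Faulting module name:\s*([^,\r\n]+),\s*version:\s*([\d.]+)') {
        $r.Module = $Matches[1].Trim(); $r.ModuleVersion = $Matches[2]
    }
    if ($Text -match 'Exception code:\s*(0x[0-9a-fA-F]+)') { $r.ExceptionCode = $Matches[1] }
    [pscustomobject]$r
}

function Test-AffectedCrash {
    # True only for the signature in the thread: MsMpEng.exe faulting in the flagged engine.
    param([Parameter(Mandatory = $true)]$Crash)
    $Crash.App -eq 'MsMpEng.exe' -and $Crash.Module -eq 'mpengine.dll' -and
        $Crash.ModuleVersion -eq $BadEngine
}

function Get-LocalEngineReport {
    # Summarise service state, engine builds on disk and matching crashes (last 2 days).
    $svc  = Get-Service -Name MsMpSvc -ErrorAction SilentlyContinue
    $root = Join-Path $env:ProgramData 'Microsoft\Microsoft Antimalware\Definition Updates'
    $engines = @(Get-ChildItem -Path $root -Filter mpengine.dll -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Path = $_.FullName; Version = $_.VersionInfo.ProductVersion } })
    $filter = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000
                 StartTime = (Get-Date).AddDays(-2) }
    $crashes = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message } |
        ForEach-Object { ConvertFrom-CrashText -Text $_.Message } |
        Where-Object { Test-AffectedCrash -Crash $_ })
    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        ServiceStatus        = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
        FlaggedEnginePresent = [bool]($engines | Where-Object { $_.Version -eq $BadEngine })
        EngineVersions       = ($engines.Version | Sort-Object -Unique) -join ', '
        MatchingCrashes      = $crashes.Count
    }
}

# Sample event text copied from a crash report quoted in the thread.
$sample = @'
Faulting application name: MsMpEng.exe, version: 4.10.209.0, time stamp: 0x582a94a1
Faulting module name: mpengine.dll, version: 1.1.15700.9, time stamp: 0x5c6dce74
Exception code: 0xc0000005
'@

$parsed = ConvertFrom-CrashText -Text $sample
"Sample matches the thread's crash signature: $(Test-AffectedCrash -Crash $parsed)"
Get-LocalEngineReport
```

Run it elevated so the definition folder and the Application log are both readable; the report object can be collected per host to decide where a rollback is needed.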
  • Not really the answer... its a work around..
    Tuesday, March 19, 2019 3:58 PM
  • I am skeptical the definitions will update if the service is broken. First time ever with this issue, so it will be interesting to see what happens

    Mmm will see but I don't think it has a problem updating does it... Just scanning??
    Tuesday, March 19, 2019 3:59 PM
  • Having the same issue here in an enterprise environment, bunch of Windows 2012 R2 machines are reporting that their MsMpSvc service has crashed.

    I have used the suggested fix above to rename Definition Updates, start service back up and pull latest.

    So far the issue has not re-occurred but only time will tell if that is a permanent fix as I am not sure what triggers the crash to begin with.

    Tuesday, March 19, 2019 3:59 PM
  • Thank you A.Doolin!! We are using SCCM in our environment so this will likely help if it spreads to our other clients. We plan to test this script in our environment as well. I appreciate all of your help on this issue, it really helped us get ahead of the problem!
    Tuesday, March 19, 2019 4:02 PM
  • We are also experiencing the same issue on some of our Windows 7 clients.

    It seems to get triggered with a scheduled scan or malware detection. 

     
    Tuesday, March 19, 2019 4:04 PM
  • Hopefully they will push out a new engine update to resolve this sooner than later. Anyone with a case open with MS have any updates on this issue?
    Tuesday, March 19, 2019 4:07 PM
  • Did they say will the update apply without further intervention if the service is stopped /crashed?
    Tuesday, March 19, 2019 4:17 PM
  • I've currently got a case open with them (it's been 6-7 hours) but still no more information from them than what's here.

    Currently no ETA on a fix.

    Presuming they've lumped our case in with a master ticket.

    Tuesday, March 19, 2019 6:06 PM
  • Yea same here. I opened a ticket this morning and still have not heard back.
    Tuesday, March 19, 2019 6:10 PM
  • I just heard this back from our TAM.

    The issue you’re describing seems to be related to a global issue brought by the definition version 1.289.1521.0, when only running a Quick or Full scan. Resolution The issue should be fixed in 1.289.1573.0. This version should be available in a couple of hours.

    Best of luck.


    Tuesday, March 19, 2019 6:29 PM
  • I have a ticket open with them and a call into our TAM but waiting patiently at the moment. 
    Tuesday, March 19, 2019 6:59 PM
  • Same here
    Tuesday, March 19, 2019 7:15 PM
  • The issue would only affect older O/S as Windows 10 uses Windows Defender, so it was just isolated to any O/S outside of Server 2016/19 & Win 10.
    Tuesday, March 19, 2019 7:17 PM
  • Yes, just downloaded 1.289.1587.0 and so far so good.
    Tuesday, March 19, 2019 7:18 PM
  • Yep that's what I'm going to do, thanks
    Wednesday, March 20, 2019 12:45 AM
  • Not sure what it's crashing on, but the errors show when the virusscan crashes is \\.\C and \\.\PHYSICALDRIVE0\(MBR). followed by the PID ID of Explorer.exe.

    Wednesday, March 20, 2019 6:30 AM
  • SCCM has new Version

    after Updating Windows 7 is now working


    Klaus

    Wednesday, March 20, 2019 7:51 AM
  • Yours still isn't working on the new definitions?
    Wednesday, March 20, 2019 8:47 AM
  • Thought yours was still working on 7 anyway?
    Wednesday, March 20, 2019 8:47 AM
  • yes - that is true, 

    but I support also a couple of Customer,

    and one of them has the same Problem as you, but after the Update the Problem is gone. 

    cheers

    klaus


    Klaus

    Wednesday, March 20, 2019 8:57 AM
  • Thanks,

    The problem is fixed once the Definitions has been updated on the client. So far looks good.

    Wednesday, March 20, 2019 3:28 PM
  • I logged a separate thread on Monday with the WSUS sync failure. Not been a good couple of days - first the sync error and then the definition update problem. I was running around thinking we had a major virus outbreak and turns out to be duff definitions for that day. All calming down now but wasted a load of my time :)

    Should have just left it all alone and it would have been fine - isn't hindsight a wonderful thing


    Ian Burnell, London (UK)

    Thursday, March 21, 2019 10:22 AM
  • Does anyone know if this has been fixed?   If so can someone post the solution on this thread.
    Tuesday, March 26, 2019 12:19 PM