Microsoft Antimalware engine has been terminated due to an unexpected error

  • Question

  • Today Endpoint Protection suddenly started crashing constantly, with this log:

    Log Name:      System
    Source:        Microsoft Antimalware
    Date:          16.04.2020 14:39:33
    Event ID:      5008
    Level:         Error
    Description:
    Microsoft Antimalware engine has been terminated due to an unexpected error.
      Failure Type: Crash
      Exception code: 0xc0000005
      Resource: file:D:\File..pdf

    There are many events already today.

    And there is a common property for all of them: two dots before the extension.

    If I try to open such a file (File..docx), the service stops with this log event.

    Other files with two dots in the middle (New..file.pdf) do not cause a crash.

    Client has all latest updates:

    Antimalware Client Version: 4.10.209.0
    Engine Version: 1.1.16900.4
    Antivirus definition: 1.313.1638.0
    Antispyware definition: 1.313.1638.0


    Thursday, April 16, 2020 12:27 PM

Answers

  • Microsoft has fixed the issue with the latest definition updates. I haven't tested this yet but wanted to update this thread with the good news.

    Build version 1.313.1687.0 and above will have the fix. Please follow the steps below to clear cached detection and obtain the latest malware definitions.

    1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender

    2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"

    3. Run "MpCmdRun.exe -SignatureUpdate"

    Alternatively, the latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions   

    Dave


    Thursday, April 16, 2020 6:06 PM
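
The crash check and the three steps from the answer above as one PowerShell script (an added example, not code from the thread or from Microsoft). It assumes the Defender cmdlet Get-MpComputerStatus is available on the client and uses the MpCmdRun.exe directory given in step 1; the function name and the regular expressions are illustrative.

```powershell
# Added example. Run from an elevated PowerShell prompt.
$FixedBuild = [version]'1.313.1687.0'   # first definition build with the fix, per the answer
$MpCmdRun   = 'C:\Program Files\Windows Defender\MpCmdRun.exe'   # directory from step 1

# Matches names ending in "..<extension>" (File..pdf) but not New..file.pdf.
$DoubleDotPattern = '\.\.[^.\\/]+$'

function Get-EngineCrashResource {
    # Return the Resource path from each Event ID 5008 crash record in the System log.
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft Antimalware'   # "Source" shown in the event above
        Id           = 5008
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Message -match 'Resource:\s*file:(?<path>[^\r\n]+)') {
            $path = $Matches['path'].Trim()
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Path      = $path
                DoubleDot = ($path -match $DoubleDotPattern)
            }
        }
    }
}

# 1. Show which files triggered the engine crash and whether they fit the pattern.
Get-EngineCrashResource | Sort-Object Time | Format-Table -AutoSize

# 2. Compare the installed definition build with the fixed build.
$current = [version](Get-MpComputerStatus).AntivirusSignatureVersion

# 3. Only if the client is still below the fixed build: clear the cached
#    dynamic signatures and pull new definitions (steps 2 and 3 of the answer).
if ($current -lt $FixedBuild) {
    & $MpCmdRun -RemoveDefinitions -DynamicSignatures
    & $MpCmdRun -SignatureUpdate
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
}

"Definitions: $current (fixed build: $FixedBuild)"
```

If new 5008 events still appear after the reported build is at or above 1.313.1687.0, the Resource paths listed in the table show whether they still fit the double-dot pattern.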

All replies

  • We're starting to get reports of this too. Seeing the same versions as you reported including file names with two dots before the extension. Going to be investigating this more in our environment. 
    Thursday, April 16, 2020 1:25 PM
  • I was able to reproduce under these versions and opened a ticket with Microsoft. 

    Antimalware Client Version: 4.10.209.0

    Engine Version: 1.1.16900.4
    Antivirus definition: 1.313.1638.0
    Antispyware definition: 1.313.1638.0

    Dave

    Thursday, April 16, 2020 1:53 PM
  • We're seeing exactly the same errors as well after the definition updates today. Out of approx. 260 servers we're only seeing this alert on about 4 though.
    Thursday, April 16, 2020 2:02 PM
  • Thanks for the update, ours are working fine now with the latest defs.
    Friday, April 17, 2020 7:34 AM