Have had various servers this morning with the Microsoft System Center Endpoint Protection Client service msmpsvc.exe terminating frequently. The service control manager restarts it but it dies again fairly quickly.
So far all the servers are running Windows Server 2003 32-bit.
The version of SCEP I have running is 220.127.116.11, although I tried uninstalling and reinstalling, which reverted it back to 18.104.22.168 and that has the same problem.
The virus and spyware definitions were updated from version 1.169.2706.0 to 22.214.171.124 overnight. It seems as though it is the definition change which is causing the problems.
Have posted this to TechNet Forums.
The following event is posted into the System event log:
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
User: N/A
Description: The Microsoft Antimalware Service service terminated unexpectedly. It has done this 3 time(s).
There is nothing posted to the Application event log unless you have some kind of debugger installed; for example, on some servers with the SQL Server 2005 management tools installed I’m seeing:
Event Type: Error
Event Source: VsJITDebugger
Event Category: None
Event ID: 4096
User: NT AUTHORITY\SYSTEM
Description: An unhandled win32 exception occurred in MsMpEng.exe . Just-In-Time debugging this exception failed with the following error: Debugger could not be started because no user is logged on. Check the documentation index for 'Just-in-time debugging, errors' for more information.
Data: 0000: 02 00 5c 80 ..\
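As an added example (not part of the original post), the following PowerShell snippet pulls the two events described above out of the System and Application logs so you can see how often the service is actually dying on a given server. It uses Get-EventLog rather than Get-WinEvent because only the former is available on Windows Server 2003 and XP; it assumes PowerShell 2.0 (for the -Source and -After parameters) and a 24-hour look-back window.

```powershell
# Added example, not from the original post: count Service Control Manager 7034
# events for the Microsoft Antimalware Service and any VsJITDebugger 4096 events
# that reference MsMpEng.exe, within a time window (assumption: last 24 hours).
# Assumes PowerShell 2.0 on Server 2003 / XP; Get-WinEvent is not available there.
param([int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)

# Event ID 7034 from the Service Control Manager = "service terminated unexpectedly".
# @() forces an array so .Count works on PowerShell 2.0 even for a single hit.
$crashes = @(Get-EventLog -LogName System -Source 'Service Control Manager' -After $since |
    Where-Object { $_.EventID -eq 7034 -and $_.Message -like '*Microsoft Antimalware Service*' })

# VsJITDebugger 4096 only shows up where a JIT debugger (e.g. the SQL Server 2005
# management tools) is installed, so an empty result here is normal on other boxes.
$jit = @(Get-EventLog -LogName Application -After $since -ErrorAction SilentlyContinue |
    Where-Object { $_.Source -eq 'VsJITDebugger' -and $_.EventID -eq 4096 -and
                   $_.Message -like '*MsMpEng.exe*' })

"{0} unexpected termination(s) of the Microsoft Antimalware Service since {1}" -f $crashes.Count, $since
if ($crashes.Count -gt 0) {
    $latest = $crashes | Sort-Object TimeGenerated -Descending | Select-Object -First 1
    "Most recent termination: {0}" -f $latest.TimeGenerated
}
"{0} VsJITDebugger 4096 event(s) referencing MsMpEng.exe" -f $jit.Count

# Show whether the service is currently up; the SCM keeps restarting it, so a
# "Running" state on its own says nothing about how stable it is.
$svc = Get-Service -Name MsMpSvc -ErrorAction SilentlyContinue
if ($svc) { "Service state right now: {0}" -f $svc.Status }
```

Run it on each server; a count that keeps climbing between runs while the service still shows Running is the pattern the post describes (the SCM restarts it, it dies again).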
A possible temporary workaround seems to be to uninstall SCEP and revert to the older Forefront Client Security. Have just installed client version 1.5.1996.0 which has given me engine version 1.1.10501.0 and that has so far not died with definition version 126.96.36.199.
From the TechNet forum thread linked to above: Set the following registry DWORD value to 1:
HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableBehaviorMonitoring
Note that you’ll have to give Administrators Full Control on the Real-Time Protection key first, unless you change the value via something that runs as the local System account. You should probably change the permissions back to Read for Administrators afterwards.
Also note that the word Behavior is spelt the American way, without the “u”!
Or go into the GUI, Settings tab, Real-time protection and untick the box titled Enable behaviour monitoring.
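The registry side of the workaround above, as an added example rather than anything from the original post or the TechNet thread: it grants Administrators Full Control on the Real-Time Protection key, writes the DWORD, checks it read back correctly, and then restores the original ACL so Administrators go back to Read, even if the write failed. It assumes PowerShell 2.0 in an elevated session run by a member of Administrators; if Set-Acl itself is refused, the account also lacks write-DAC on the key and you are back to taking ownership in regedit or running the change as the local System account, as the post notes.

```powershell
# Added example, not from the original post: set DisableBehaviorMonitoring = 1
# under the Microsoft Antimalware Real-Time Protection key, temporarily giving
# Administrators Full Control and then putting the original ACL back.
# Assumes PowerShell 2.0, an elevated session and membership of Administrators.
$key       = 'HKLM:\Software\Microsoft\Microsoft Antimalware\Real-Time Protection'
$valueName = 'DisableBehaviorMonitoring'   # American spelling, no "u"

if (-not (Test-Path $key)) { throw "Key not found: $key (is SCEP/Microsoft Antimalware installed?)" }

# Keep the original security descriptor (as SDDL) so it can be restored verbatim.
$savedSddl = (Get-Acl -Path $key).Sddl

# Build an Allow/FullControl ACE for BUILTIN\Administrators that also covers subkeys.
$rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    'BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

$workingAcl = Get-Acl -Path $key
$workingAcl.AddAccessRule($rule)
# Fails with Access Denied if the caller has no write-DAC on the key; see the note above.
Set-Acl -Path $key -AclObject $workingAcl

try {
    # Create or overwrite the DWORD (Set-ItemProperty -Type is a registry-provider parameter).
    Set-ItemProperty -Path $key -Name $valueName -Value 1 -Type DWord

    # Read it back rather than trusting the write silently succeeded.
    $readBack = (Get-ItemProperty -Path $key -Name $valueName).$valueName
    if ($readBack -ne 1) { throw "$valueName did not take; read back '$readBack'" }
    "$valueName is now 1 under $key"
}
finally {
    # Always restore the permissions, so Administrators drop back to Read.
    $restoreAcl = Get-Acl -Path $key
    $restoreAcl.SetSecurityDescriptorSddlForm($savedSddl)
    Set-Acl -Path $key -AclObject $restoreAcl
    "Original ACL restored on $key"
}
```

Restoring from the saved SDDL rather than removing the one rule you added means any other ACEs that were already there come back exactly as they were; compare the key's permissions in regedit before and after if you want to confirm.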
Seems as though this can also affect Windows XP.
Update #2 (updated!)
New definitions have been released, version 188.8.131.52 and higher, but as yet these have not fixed the problem. I initially thought they had as the service ran for nearly an hour without failing, but fail it did. Apparently (see link in first update above) there will be a new engine released later today to resolve the problem.
Definitions 184.108.40.206 or higher are apparently the ones to go for and do fix the problem, though I’ve not been able to confirm this personally yet. I’ll know by tomorrow morning.
The 2003 server that I left running overnight with behaviour monitoring enabled was (and still is) fine.