MsMpSvc terminates on Windows Server 2003 with definition version 1.171.1.0

Have had various servers this morning with the Microsoft System Center Endpoint Protection Client service msmpsvc.exe terminating frequently. The service control manager restarts it but it dies again fairly quickly.

So far all the servers are running Windows Server 2003 32-bit.

The version of SCEP I have running is 4.5.216.0, although I tried uninstalling and reinstalling, which reverted it back to 4.3.220.0 and that has the same problem.

The virus and spyware definitions were updated from version 1.169.2706.0 to 1.171.1.0 overnight. It seems as though it is the definition change which is causing the problems.

Have posted this to TechNet Forums.

The following event is posted into the System event log:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
User:  N/A
Description:
The Microsoft Antimalware Service service terminated unexpectedly.  It has done this 3 time(s).

There is nothing posted to the Application event log unless you have some kind of debugger installed, e.g. on some servers with SQL Server 2005 management tools installed I’m seeing:

Event Type: Error
Event Source: VsJITDebugger
Event Category: None
Event ID: 4096
User:  NT AUTHORITY\SYSTEM
Description:
An unhandled win32 exception occurred in MsMpEng.exe [4400]. Just-In-Time
debugging this exception failed with the following error: Debugger could
not be started because no user is logged on.
Check the documentation index for 'Just-in-time debugging, errors' for more
information.
Data:
0000: 02 00 5c 80               ..\€

Workaround

A possible temporary workaround seems to be to uninstall SCEP and revert to the older Forefront Client Security. Have just installed client version 1.5.1996.0 which has given me engine version 1.1.10501.0 and that has so far not died with definition version 1.171.1.0.

Workaround #2

From the TechNet forum thread linked to above: Set the following registry DWORD value to 1:

HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableBehaviorMonitoring

Note that you’ll have to give Administrators full control to the Real-Time Protection key first, unless you change the value via something that runs as the local System account. You should probably change the permissions back to Read for Administrators afterwards.

Also note that the word Behavior is spelt in American, without the “u”!

Or go into the GUI, Settings tab, Real-time protection and untick the box titled Enable behaviour monitoring.

Update

Seems as though this can also affect Windows XP.

Update #2 (updated!)

New definitions have been released, version 1.171.46.0 and higher, but as yet these have not fixed the problem. I initially thought they had as the service ran for nearly an hour without failing, but fail it did. Apparently (see link in first update above) there will be a new engine released later today to resolve the problem.

Update #3

Definitions 1.171.64.0 or higher are apparently the ones to go for and do fix the problem, though I’ve not been able to confirm this personally yet. I’ll know by tomorrow morning.

Update #4

The 2003 server that I left running overnight with behaviour monitoring enabled was (and still is) fine.
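
An added example (not part of the original post): a read-only PowerShell check that counts the Event ID 7034 terminations shown above and reports whether the DisableBehaviorMonitoring workaround is still set on a machine. It assumes PowerShell 2.0 or later is installed; the function name, its parameters and the sample events are constructed for illustration.

```powershell
# Added example, not from the original post. Read-only: changes nothing on the host.
# Assumes PowerShell 2.0+; function and parameter names are hypothetical.
$RtpKey = 'HKLM:\Software\Microsoft\Microsoft Antimalware\Real-Time Protection'

function Get-AntimalwareCrashStatus {
    param(
        [object[]]$Events,      # pass constructed events here to try it offline
        [int]$Hours = 24,       # look-back window
        [int]$Threshold = 3     # terminations in the window that count as a crash loop
    )
    $since = (Get-Date).AddHours(-$Hours)
    if (-not $PSBoundParameters.ContainsKey('Events')) {
        # Live path: Service Control Manager entries from the System log
        $Events = @(Get-EventLog -LogName System -Source 'Service Control Manager' `
                        -After $since -ErrorAction SilentlyContinue)
    }
    # Event ID 7034 = "service terminated unexpectedly"; match the service display name
    $crashes = @($Events | Where-Object {
        $_.EventID -eq 7034 -and $_.TimeGenerated -ge $since -and
        $_.Message -like '*Microsoft Antimalware Service*'
    })

    # Administrators have Read on this key, so auditing needs no permission change
    $prop = Get-ItemProperty -Path $RtpKey -Name DisableBehaviorMonitoring -ErrorAction SilentlyContinue
    $bmDisabled = ($prop -ne $null) -and ($prop.DisableBehaviorMonitoring -eq 1)

    if ($crashes.Count -ge $Threshold) {
        $state = 'CrashLoop'          # still failing: workaround or fixed definitions needed
    } elseif ($bmDisabled) {
        $state = 'StableWorkaroundOn' # stable, but behaviour monitoring is still disabled
    } else {
        $state = 'Healthy'
    }
    New-Object PSObject -Property @{
        Computer                   = $env:COMPUTERNAME
        Terminations               = $crashes.Count
        BehaviorMonitoringDisabled = $bmDisabled
        State                      = $state
    }
}

# Constructed sample events (not real log data) mirroring the 7034 entry above
$sample = 1..3 | ForEach-Object {
    New-Object PSObject -Property @{
        EventID       = 7034
        TimeGenerated = (Get-Date).AddMinutes(-10 * $_)
        Message       = "The Microsoft Antimalware Service service terminated unexpectedly.  It has done this $_ time(s)."
    }
}
Get-AntimalwareCrashStatus -Events $sample
```

Run it without -Events on an affected server to read the live System log. A StableWorkaroundOn result on a machine that already has the fixed definitions means the temporary workaround is still in place there.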


9 Responses to MsMpSvc terminates on Windows Server 2003 with definition version 1.171.1.0

  1. Seth C says:

    I’m seeing the same exact thing, 15 Windows 2003 servers (Sp1, R2, Standard, Enterprise – doesn’t matter) across multiple sites. None of my Windows 2008 or higher boxes are having an issue. Happened right after the update (Signature Version: 1.171.1.0, Engine Version: 1.1.10501.0). It’s not just you.

  2. Konrad says:

    Happening at my site as well, starting the service manually does not fix it, the service stops again after a few minutes.

  3. Eduard H. says:

    Signature 1.171.46.0 should solve the problem.
    On some of our systems we could solve the issue with the update. On some others unfortunately it doesn't help…

  4. Konrad says:

    Signature 1.171.46.0 is not fixing the issue for me, the service still stops, tried on a 2003 server and an XP machine.

  5. Michal_F says:

    Big Thank You

  6. Jason says:

    Signature 1.171.64.0 seems to fix the issue at least on XP; unknown about 2003.

  7. Karl says:

    We have a customer who has been running on the 1.171.64.0 signatures with many XP machines for several hours now and they have not seen a repeat of the problem.

  8. Jay says:

    Well, we have an XP box on which the service fails, a 2003 server on which Windows freezes and another 2003 server on which the registry key suggested above seems to have resolved the issue. We also have 74 other servers which have definitions v1.171.46.0 which are all behaving perfectly well!

    Still, it’s good to know this isn’t a virus.

    Thanks for the article, Robin.

  9. bross@brocade.com says:

    We are having the issue with 4.3.220.0. Sometime around when definition 1.171.1.0 came out the issues started popping up. I’ve been able to update definitions just fine but nothing was working. When we had the engine version at 4.3.220.0 and updated to 4.5.216.0, all the issues stopped and we were back in control of our systems. I’ve been watching my systems to see if they revert back like you mentioned but so far 4.5.216 seems more stable for us.
