WinXP and/or Win2003 with SC Forefront Endpoint Protection installed, MsMpEng.exe crashes after definition update

Symptoms:


If you are running Windows XP and/or Windows Server 2003 with SC Forefront Endpoint Protection installed, MsMpEng.exe crashes after definition update 1.171.1.0. The system also runs slowly and almost hangs.


Impacted OS:


Windows XP, Windows Server 2003


Workaround:


Disable the Behavior Monitoring (BM) feature, either in the policy or via the SCEP UI.



 


Next Action from Microsoft:


A definition update that will allow BM to be enabled again is pending release. We will communicate again as soon as the definition becomes available.


How to disable the Behavior Monitoring feature:


1. Configure Policy with SCCM


2. Configure Policy by GPO


Use a GPO to distribute a machine Startup/Shutdown script that sets the registry value.


Batch:


reg add "HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_dword /d 1 /f


3. Update the registry in Safe Mode


You can also set the registry value below to disable BM:


HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection
DisableBehaviorMonitoring = 1  (REG_DWORD)


4. FEP – Applying Policies from the Command Prompt


http://technet.microsoft.com/en-us/library/gg412477.aspx
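
An added example, not part of the original post or of Microsoft's guidance: a batch script that reports whether the workaround value is set under the key given in the steps above or under the Policies path suggested in the comments below, and removes it when run with `restore`. The script name `bm-state.cmd` and the `restore` argument are assumptions made for this example.

```batch
@echo off
rem Added example: report (and optionally revert) the Behavior Monitoring workaround.
rem Usage: bm-state.cmd           report only; exit code 1 if BM is still disabled
rem        bm-state.cmd restore   delete the override so BM is enabled again
setlocal
set "VAL=DisableBehaviorMonitoring"
rem KEY1 is the path from the post, KEY2 the Policies path from the comments.
set "KEY1=HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection"
set "KEY2=HKLM\Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection"
set "OVERRIDE=0"

call :check "%KEY1%"
call :check "%KEY2%"

if /i "%~1"=="restore" (
    call :restore "%KEY1%"
    call :restore "%KEY2%"
    exit /b 0
)
rem A non-zero exit code tells a deployment tool the workaround is still in place.
exit /b %OVERRIDE%

:check
set "DATA="
rem The third token of the matching "reg query" output line is the value data.
for /f "tokens=3" %%D in ('reg query "%~1" /v %VAL% 2^>nul ^| findstr /i "%VAL%"') do set "DATA=%%D"
if not defined DATA (
    echo [not set ] %~1
    goto :eof
)
if /i "%DATA%"=="0x1" (
    echo [DISABLED] %~1 ^(%VAL%=%DATA%^)
    set "OVERRIDE=1"
) else (
    echo [enabled ] %~1 ^(%VAL%=%DATA%^)
)
goto :eof

:restore
rem Deleting the value removes the override; a missing value is not an error here.
reg delete "%~1" /v %VAL% /f >nul 2>&1 && echo [restored] %~1
goto :eof
```

If the value is delivered by an SCCM policy or a GPO startup script, remove it there as well; otherwise it is written back the next time the policy or script runs.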

17 thoughts on “WinXP and/or Win2003 with SC Forefront Endpoint Protection installed, MsMpEng.exe crashes after definition update”

  1. Is it possible to have the same problem with MS Windows 7 Enterprise or Windows 2008 R2 Server?
    This morning I have many problems with almost all Windows XP Pro client OS machines with Forefront Endpoint Protection installed. The machines work slowly and the logging process is too slow and hangs.

  2. We made the change in our SCCM policy and it seems to fix the errors. However, doesn’t that leave part of the security of SCEP vulnerable?

  3. How will you communicate the availability of the fixed definitions? Via this blog, or some other method?

    Also, are other later currently-released definition versions also affected? (like, 1.171.64.0)

    Thanks!

  4. Thanks for the info. This is some serious BS. I deleted the folder and registry settings and then uninstalled the program, cleaned the registry and rebooted. Easy peezy. Home user, BTW.

  5. Hi, do you know if there is any update coming soon from Microsoft?
    This seems to spread to hundreds of PCs in our environment.
    As a security concern, we do not want to disable behaviour monitoring.

    Thanks.

  6. Btw, you left out the POLICIES part of the reg key. Should be:

    reg add "HKLM\Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_dword /d 1 /f

    -=Lon=-
