Symptoms:
If you are running Windows XP and/or Windows Server 2003 with SC Forefront Endpoint Protection installed, MsMpEng.exe crashes after definition update 1.171.1.0. The system also runs slowly and almost hangs.
Impacted OS:
Windows XP, Windows Server 2003
Workaround:
Disable the Behavior Monitoring (BM) feature, either in the policy or via the SCEP UI.
Next Action from Microsoft:
A definition update that allows BM to be enabled again is pending release. We will communicate again as soon as the definition becomes available.
How to disable the Behavior Monitoring feature:
1. Configure Policy with SCCM
2. Configure Policy by GPO
Use GPO to distribute a machine startup/shutdown script that sets the registry value.
Batch:
reg add "HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_dword /d 1 /f
3. Update the registry in Safe Mode
You can also set the registry value below to disable BM:
HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection
DisableBehaviorMonitoring = 1 (REG_DWORD)
4. FEP – Applying Policies from the Command Prompt
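Once a fixed definition is installed, the workaround has to be rolled back so that Behavior Monitoring is not left off. The startup script below is an added example, not part of the original post: it sets DisableBehaviorMonitoring back to 0 only when the installed definition version is 1.171.64.0 (the version reported on this page as fixing the crash) or later. The "Signature Updates" key and the "AVSignatureVersion" value name are assumptions about where the client records its definition version.

```batch
@echo off
setlocal
rem Added example, not from the original post.
rem RTP is the key used by the workaround above.
rem ASSUMPTION: the definition version is stored as AVSignatureVersion
rem under the "Signature Updates" key.
set "RTP=HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection"
set "SIG=HKLM\Software\Microsoft\Microsoft Antimalware\Signature Updates"
rem First definition version reported on this page as fixed: 1.171.64.0
set FIX_A=1
set FIX_B=171
set FIX_C=64
set FIX_D=0

rem Read the installed definition version (third token of the value line).
set "VER="
for /f "tokens=3" %%V in ('reg query "%SIG%" /v AVSignatureVersion 2^>nul ^| find "AVSignatureVersion"') do set "VER=%%V"
if not defined VER (
  echo Definition version not found. Leaving the workaround in place.
  exit /b 2
)

rem Split a.b.c.d into four numeric fields.
set "A=" & set "B=" & set "C=" & set "D="
for /f "tokens=1-4 delims=." %%A in ("%VER%") do set "A=%%A" & set "B=%%B" & set "C=%%C" & set "D=%%D"
if not defined D (
  echo Cannot parse definition version "%VER%". Leaving the workaround in place.
  exit /b 2
)

rem Compare field by field, most significant first.
if %A% GTR %FIX_A% goto fixed
if %A% LSS %FIX_A% goto affected
if %B% GTR %FIX_B% goto fixed
if %B% LSS %FIX_B% goto affected
if %C% GTR %FIX_C% goto fixed
if %C% LSS %FIX_C% goto affected
if %D% LSS %FIX_D% goto affected

:fixed
rem Touch the value only on machines that actually carry the workaround.
reg query "%RTP%" /v DisableBehaviorMonitoring >nul 2>&1
if errorlevel 1 exit /b 0
reg add "%RTP%" /v DisableBehaviorMonitoring /t reg_dword /d 0 /f >nul
echo Definitions %VER%: Behavior Monitoring re-enabled.
exit /b 0

:affected
echo Definitions %VER% predate the fix. Keeping Behavior Monitoring disabled.
exit /b 1
```

If the workaround was deployed under a different key, change RTP to match the key that was actually written.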
Same problem exists in definition 1.171.46.0
“We will actively communicate out again…”
Where do we find the official communication channel for such information?
The new definition (just released) will solve this problem.
v 1.171.64.0 (or higher)
We were bit by this last night/early this morning. Do you have/know of a related MS KB article for the issue?
Thanks a lot !!!!
We had this problem since this morning on hundreds of PCs.
You have saved us
I opened a case with Premier and they confirmed the issue. Apparently definition version 1.171.64.0 resolves this but it was indeed recommended to turn off Behavior Monitoring as posted here.
Here is the link they gave me to manually download definitions: http://www.microsoft.com/security/portal/shared/prereleasesignatures.aspx
Thank you so much for the post, it was great to know we weren’t the only ones out there seeing this.
Thanks for this.
Spent a couple of hours trying to figure out what happened last night.
Signature 1.171.64.0 seems to fix the issue.
Is it possible to have the same problem with MS Windows 7 Enterprise or Windows 2008 R2 Server?
This morning I have many problems with almost all Windows XP Pro client OSes with Forefront Endpoint Protection installed. The machines work slowly, and the logging process is too slow and hangs.
We made the change in our SCCM policy and it seems to fix the errors. However, doesn’t that leave part of the security of SCEP vulnerable?
How will you communicate the availability of the fixed definitions? Via this blog, or some other method?
Also, are other later currently-released definition versions also affected? (like, 1.171.64.0)
Thanks!
Thanks for the info. This is some serious BS. I deleted the folder and registry settings and then uninstalled the program, cleaned the registry and rebooted. Easy peezy. Home user, BTW.
Hi, do you know if there is any update coming soon from Microsoft?
This seems to spread to hundreds of PCs in our environment?
As a security concern, we do not want to disable behaviour monitoring.
Thanks.
Thanks! That helped to fix Microsoft Security Essentials under XP.
Looks like a fix is released. Virus definitions 1.171.64.0 or later fix the issue.
http://social.technet.microsoft.com/Forums/en-US/08cdcadc-5d7c-48c5-95d5-6e47291ddef0/scep-2012-432150-with-sigs-117110-causes-xp-to-hang-until-msmpeng-finally-crashes?forum=FCSNext
Btw, you left out the POLICIES part of the reg key. Should be:
reg add "HKLM\Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_dword /d 1 /f
-=Lon=-