Anti-Tampering for the Antimalware Service in System Center Endpoint Protection 2012 SP1
Summary: This article was contributed by Amber Goins, a Senior Microsoft Premier Field Engineer. System Center Endpoint Protection (SCEP) SP1 introduced important and often-requested new Anti-Tampering features for the Antimalware service, and Amber takes us through a practical tour of how to troubleshoot this environment. Enjoy!
System Center Endpoint Protection (SCEP) administrators may have noticed that after installing System Center Configuration Manager 2012 SP1, the Microsoft Antimalware Service is now hardened against tampering. Many of our customers requested this feature.
In the screenshot below you can see that the service is running, but even while logged on as an Administrator on the local machine we cannot Stop, Start, Pause, or Disable it.
Now that the service is hardened in SP1, the next question administrators ask is what they should do when they are troubleshooting and suspect that performance degradation is due to Microsoft Endpoint Protection.
Process Status can be viewed in Task Manager:
Additional steps that can be taken to troubleshoot performance issues with the SP1 Endpoint Client:
- Verify Proper Exclusions are set by Product. Windows exclusion lists can be found here: Windows Anti-Virus Exclusion List
- Verify the process is excluded in Real Time Protection.
- For VDI, verify a Full Scan has been run on the Master Host Image, and that persistent cache has been populated.
  - You can check the value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\SFCState. If it’s 7, the cache is complete; on initial install it will be 0.
  - To force the persistent cache to generate, run (from an elevated CMD):
    - cd C:\Program Files\Microsoft Security Client
    - MpCmdRun.exe -buildSFC
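The VDI check above can be scripted for a master image. The following PowerShell is an added example, not part of the original article or any Microsoft tooling; the registry key, value name, install path and -buildSFC switch are the ones given above, while the function names and exit codes are this example's own assumptions.

```powershell
# Added example: check the persistent-cache state on a VDI master image and
# build the cache if it is not complete. Run from an elevated PowerShell prompt.
$ScanKey   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Scan'
$ClientDir = 'C:\Program Files\Microsoft Security Client'
$SfcDone   = 7   # per the article: 7 = complete, 0 = initial install

function Get-SfcState {
    # Returns the SFCState value, or $null if the key or value is absent.
    $prop = Get-ItemProperty -Path $ScanKey -Name 'SFCState' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.SFCState
}

function Invoke-BuildSfc {
    # Runs MpCmdRun.exe -buildSFC from the client directory and returns its exit code.
    $exe = Join-Path $ClientDir 'MpCmdRun.exe'
    if (-not (Test-Path -LiteralPath $exe)) {
        throw "MpCmdRun.exe not found in $ClientDir"
    }
    $p = Start-Process -FilePath $exe -ArgumentList '-buildSFC' `
         -WorkingDirectory $ClientDir -Wait -PassThru -NoNewWindow
    return $p.ExitCode
}

$state = Get-SfcState
if ($null -eq $state) {
    Write-Warning "SFCState not found under $ScanKey; is the SCEP client installed?"
    exit 2
}
Write-Output "SFCState before: $state"

if ($state -ne $SfcDone) {
    $rc = Invoke-BuildSfc
    Write-Output "MpCmdRun.exe -buildSFC exit code: $rc"
    $state = Get-SfcState
    Write-Output "SFCState after: $state"
}

if ($state -eq $SfcDone) {
    Write-Output "Persistent cache is populated (SFCState = $SfcDone)."
    exit 0
}
Write-Warning 'Persistent cache is not complete; verify a Full Scan has run on the master image and retry.'
exit 1
```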
Test Disabling the following Endpoint Protection Components “one at a time” to see if the issue can be isolated to a specific component:
- Disable Network Inspection System (NIS)
- Disable Behavior Monitoring
- Disable Real Time Protection
If it’s none of those, try to uninstall and test again.
Tools to assist during Troubleshooting:
- Use Task Manager (shown above)
- Use Event Viewer
- Use Process Explorer
- Use Process Monitor
Recommended updates that may assist if performance is impacted:
NIS: The following update was released towards the end of last year (2012) as a Critical (non-security) Update via Windows Update. The update addresses an issue with the Windows Filtering Platform that would cause the NIS feature of SCEP and FEP to drastically slow down network performance (up to 45 times, depending on the scenario) when actively protecting machines. In the case of SCEP/FEP, "actively protecting" means the machine is missing a security update for which NIS has definitions turned on. For details on the update, check out the associated Knowledge Base article.
WMI: Hotfix to be aware of: 2790831 – Handle leak in WMI on WS2012 and Win8. This hotfix addresses an issue found in Windows Server 2012 (and Win8) that can be exposed when performance data is queried via WMI. Products that regularly query WMI for performance data are SCOM, SCVMM, and SCDPM. Since ConfigMgr also depends on WMI so heavily, you might consider this for Win8 clients if you detect the handle leak issue.
If the issue is resolved only by an uninstall, please contact Microsoft Support Services to reproduce the issue.
Note: A special thanks to Jeramy Skidmore and Diana Smith, Microsoft CSS Support Escalation Engineers, for your continuous collaboration on this topic!
Written by Amber Goins. Posted by Frank Battiston, MSPFE Editor
Comments
Anonymous
January 01, 2003
Andrew, check out this forum thread: social.technet.microsoft.com/.../f4347d13-5c9a-4395-b070-9aa53d613f68
Anonymous
February 21, 2013
This is an awesome article!!!
Anonymous
February 22, 2013
The comment has been removed
Anonymous
April 25, 2013
This is very good until you have a requirement to actually stop the Microsoft Antimalware Service due to an upgrade requirement, only to find it cannot be done. Is there an override?
Anonymous
April 24, 2015
Performance problem troubleshooting is not the only reason for temporarily stopping the endpoint client.
Most of the software installation problem-solving steps include stopping antivirus clients (the Lync 2013 client installation does so).
None of the Local System Account impersonation techniques works on Windows 8.1; psexec, scheduled tasks, etc.
So, what am I supposed to do?