Summary: This article was contributed by Amber Goins, a Senior Microsoft Premier Field Engineer. System Center Endpoint Protection (SCEP) SP1 introduced important and often-requested new Anti-Tampering features for the Antimalware service, and Amber takes us through a practical tour of how to troubleshoot this environment. Enjoy!
System Center Endpoint Protection (SCEP) administrators may have noticed that, after installing System Center Configuration Manager 2012 SP1, the Microsoft Antimalware Service has been hardened to prevent tampering. Many of our customers had requested this hardening in order to prevent tampering with the Antimalware service.
In the screenshot below you can see that the service is running, but even while logged on as an Administrator on the local machine we are not able to do anything actionable with the service, such as Stop, Start, Pause, or Disable it.
Now that we have this hardened service in SP1, the next question administrators ask is what they should do when they are in a troubleshooting situation and suspect that a performance degradation is caused by Microsoft Endpoint Protection.
Process Status can be viewed in Task Manager:
If it’s none of those, try to uninstall and test again.
NIS: The following update was released towards the end of last year (2012) as a Critical (non-security) Update via Windows Update. The update addresses an issue with the Windows Filtering Platform that would cause the NIS feature of SCEP and FEP to drastically slow down network performance (up to 45 times, depending on the scenario) while actively protecting machines. For SCEP/FEP, "actively protecting" means the machine is missing a security update for which NIS has a definition, so that definition is turned on. For details on the update, check out the associated Knowledge Base article.
WMI: Hotfix to be aware of: 2790831 – Handle leak in WMI on WS2012 and Win8. This hotfix addresses an issue found in Windows Server 2012 (and Win8) that can be exposed when performance data is queried via WMI. Products that regularly query WMI for performance data are SCOM, SCVMM, and SCDPM. Since ConfigMgr also depends on WMI so heavily, you might consider this for Win8 clients if you detect the handle leak issue.
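The checks described above (is the service running, what is its process doing, and is the WMI handle-leak hotfix present on Windows 8 / Server 2012) can be collected from an elevated PowerShell prompt instead of Task Manager. The script below is an added example, not part of the original article or of the SCEP product; it assumes the service name MsMpSvc, the process name MsMpEng.exe, that the hotfix from the article is registered as KB2790831 in Win32_QuickFixEngineering (so Get-HotFix can see it), and that WmiPrvSE.exe is the WMI provider host whose handle count reflects a leak. It only reads state; it does not try to stop or modify the protected service.

```powershell
# Added example (not from the original article): a read-only snapshot of the
# Microsoft Antimalware Service for performance troubleshooting.
# Assumptions: service name MsMpSvc, process MsMpEng.exe, hotfix id KB2790831
# registered in Win32_QuickFixEngineering, WmiPrvSE.exe as the WMI provider host.

$serviceName = 'MsMpSvc'
$processName = 'MsMpEng'
$wmiHotfix   = 'KB2790831'
$sampleSecs  = 5

# 1. Service state via WMI (works on older PowerShell versions too).
#    With SP1 anti-tampering even a local Administrator cannot stop or pause it,
#    so we only report State and StartMode here.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
if ($null -eq $svc) {
    Write-Output "Service $serviceName not found; is SCEP/FEP installed on this machine?"
} else {
    Write-Output ("Service {0}: State={1} StartMode={2} PID={3}" -f `
        $svc.Name, $svc.State, $svc.StartMode, $svc.ProcessId)
}

# 2. Process resource usage, sampled twice to estimate CPU % over the interval.
$proc = Get-Process -Name $processName -ErrorAction SilentlyContinue |
        Select-Object -First 1
if ($null -eq $proc) {
    Write-Output "Process $processName.exe is not running."
} else {
    $cores = [Environment]::ProcessorCount
    $cpuStart = $proc.TotalProcessorTime
    $tStart   = Get-Date
    Start-Sleep -Seconds $sampleSecs
    $proc.Refresh()
    $cpuEnd   = $proc.TotalProcessorTime
    $elapsed  = (Get-Date) - $tStart

    # CPU time consumed divided by wall time, normalised to the number of cores.
    $cpuPct = (($cpuEnd - $cpuStart).TotalMilliseconds / $elapsed.TotalMilliseconds) / $cores * 100
    $wsMB   = [math]::Round($proc.WorkingSet64 / 1MB, 1)

    Write-Output ("Process {0}.exe PID={1}: CPU~{2:N1}% over {3}s, WorkingSet={4} MB, Handles={5}" -f `
        $processName, $proc.Id, $cpuPct, $sampleSecs, $wsMB, $proc.HandleCount)
}

# 3. WMI handle-leak hotfix: only relevant on Windows 8 / Windows Server 2012 (NT 6.2).
$os = Get-WmiObject -Class Win32_OperatingSystem
if ($os.Version -like '6.2*') {
    $hf = Get-HotFix -Id $wmiHotfix -ErrorAction SilentlyContinue
    if ($null -eq $hf) {
        Write-Output "$wmiHotfix is NOT installed; consider it if WMI handle counts keep growing."
    } else {
        Write-Output ("{0} installed on {1}" -f $hf.HotFixID, $hf.InstalledOn)
    }

    # Handle counts of the WMI provider host processes; a steadily growing count
    # across repeated runs is the symptom the hotfix addresses.
    Get-Process -Name 'WmiPrvSE' -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Output ("WmiPrvSE.exe PID={0}: Handles={1}" -f $_.Id, $_.HandleCount)
    }
} else {
    Write-Output ("OS version {0}: the WMI hotfix check applies only to Windows 8 / Server 2012." -f $os.Version)
}
```

Run it a few times during the suspected slowdown and compare the CPU percentage and handle counts between runs; a single sample says little, but a consistently high MsMpEng CPU share or a WmiPrvSE handle count that climbs between runs points at which of the two causes discussed above to investigate first.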
If the issue is resolved only by uninstalling the client, please contact Microsoft Support Services so that the issue can be reproduced.
Note: A special thanks to Jeramy Skidmore and Diana Smith, Microsoft CSS Support Escalation Engineers, for your continuous collaboration on this topic!
Written by Amber Goins. Posted by Frank Battiston, MSPFE Editor
This is an awesome article!!!
I googled SCEP and Malware and this was the top article. Granted, there were only 3 articles for SCEP listed.
This is freaking fantastic! I am glad that we are finally seeing some information coming from you Microsofties! Thank you Mrs. Goins and team! Please keep publishing this detailed information!
This is very good until you have a requirement to actually stop the Microsoft Antimalware Service due to an upgrade requirement, only to find it cannot be done. Is there an override?
Andrew, check out this forum thread: social.technet.microsoft.com/.../f4347d13-5c9a-4395-b070-9aa53d613f68
Performance problem troubleshooting is not the only reason for temporarily stopping the endpoint client.
Most of the software installation problem solving steps include stopping antivirus clients (the Lync 2013 client installation does so).
None of the Local System Account impersonation techniques works on Windows 8.1; psexec, scheduled tasks, etc.
So, what am I supposed to do?