On March 19, 2019, Microsoft had a worldwide issue lasting several hours with its antivirus solutions (Windows Defender, Microsoft Security Essentials, System Center Endpoint Protection). The failure of System Center Endpoint Protection (SCEP) in particular hit enterprise customers hard. The reason: signature definition 1.289.1521.0 (and 1.289.1512.0) caused MsMpEng.exe to crash. Microsoft has since fixed this bug.
First user reports on a MsMpEng issue
On March 19, 2019 at 8:59 a.m., German blog reader Dekre sent me an e-mail reporting issues with the real-time protection of Microsoft Security Essentials (MSE). He wrote that real-time protection kept switching itself off automatically, and that checking the PC, for example with a quick scan, was not possible either. Then an error message appears:
Unfortunately I could not react promptly, because I was out of office and a car malfunction (somewhere in the 'pampa') knocked me out for 3 days. But within my German blog, the discussion went on without my interaction.
Worldwide user reports
There were also error reports in the Microsoft Answers forum and in the Technet forum. Users reported issues on Windows 7, Windows 8 and Windows 8.1. A user provided details about the crash in the Technet forum:
Faulting application name: MsMpEng.exe, version: 4.10.209.0, time stamp: 0x582a94a1
Faulting module name: mpengine.dll, version: 1.1.15700.9, time stamp: 0x5c6dce74
Exception code: 0xc0000005
Fault offset: 0x0000000000391480
Faulting process id: 0x3b4
Faulting application start time: 0x01d4a16b4f4859e1
Faulting application path: C:\Program Files\Microsoft Security Client\MsMpEng.exe
Faulting module path: C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D967D2A2-4074-4453-B8FC-E5226D63E7AB}\mpengine.dll
Report Id: 3c29ff8b-4a35-11e9-a814-0050569f5188
In this case mpengine.dll crashed under Windows 7. A blog reader from Greece also sent me a mail yesterday afternoon, reporting that Windows Defender crashed after installing definition update 1.289.15121.0 (he runs a couple of Windows 8.1 systems). Swiss blog reader Marco R. wrote to me at the same time:
On all my PCs & servers with SCEP I currently notice the problem that they crash with the engine 1.289.1521.0 while scanning. There are reports [TechDowns, reddit.com] confirming this issue.
This issue affected System Center Endpoint Protection (SCEP) in a corporate environment that Marco R. was responsible for. Bleeping Computer reported here that error code 0x800106ba occurs on computers running Windows 7, Windows 8.1, and Windows Server 2003, 2008 and 2012.
Broken signature file causes the issue
German blog reader Michael correctly reported that the signature file with version 1.289.1521.0 caused the problem. On WSUS, the definition file for version 1.289.1521.0 was withdrawn on 03/19/2019 at 16:40, as Michael reports here.
Woody Leonhard picked it up here: Defender has a definition file issue (which affects all Microsoft antivirus solutions). Thanks to Julia for the link, and my thanks to the other blog readers who have discussed the topic in the comments.
The problem is fixed.
Blog reader Marco R. informed me by mail later in the evening, March 19, 2019, that the System Center Endpoint Protection (SCEP) with the SCEP signature 1.289.1587.0 was working again.
I then assumed that the scan engines of Windows Defender and Microsoft Security Essentials (MSE) also got the update. A short test under Windows 7 with MSE showed me that the signature file 1.289.1599.0 is installed and the antimalware protection engine can scan without errors. The bug should therefore be fixed for all Defender, MSE and SCEP systems after updating to the new virus definition.
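For admins who need to sort a fleet into affected and unaffected hosts, here is a small triage sketch; it is an added example, not part of the original post or any Microsoft tooling. It parses the message text of a crash record like the one quoted above and checks an installed definition version against the two versions this post names as broken; the function names and the abbreviated sample record are constructed for illustration.

```python
import re

# Signature versions this post names as crashing MsMpEng.exe.
BAD_DEFINITIONS = {"1.289.1521.0", "1.289.1512.0"}

# Constructed sample: the crash record quoted above, abbreviated to the fields used here.
SAMPLE_EVENT = r"""Faulting application name: MsMpEng.exe, version: 4.10.209.0, time stamp: 0x582a94a1
Faulting module name: mpengine.dll, version: 1.1.15700.9, time stamp: 0x5c6dce74
Exception code: 0xc0000005
Fault offset: 0x0000000000391480
Faulting application path: C:\Program Files\Microsoft Security Client\MsMpEng.exe
"""

_NAME_LINE = re.compile(
    r"^Faulting (application|module) name:\s*([^,]+),\s*version:\s*([\d.]+)", re.I)
_KV_LINE = re.compile(
    r"^(Exception code|Fault offset|Faulting application path|Faulting module path):\s*(.+)$", re.I)

def parse_crash_event(text):
    """Turn the message text of an Application Error record into a dict."""
    rec = {}
    for line in text.splitlines():
        line = line.strip()
        m = _NAME_LINE.match(line)
        if m:
            kind = m.group(1).lower()            # "application" or "module"
            rec[kind] = m.group(2).strip().lower()
            rec[kind + "_version"] = m.group(3)
            continue
        m = _KV_LINE.match(line)
        if m:
            rec[m.group(1).lower().replace(" ", "_")] = m.group(2).strip()
    return rec

def is_av_engine_crash(rec):
    """True when the antimalware service hit an access violation inside its scan engine."""
    return (rec.get("application") == "msmpeng.exe"
            and rec.get("module") == "mpengine.dll"
            and int(rec.get("exception_code", "0"), 16) == 0xC0000005)

def triage(event_text, installed_definition):
    """Classify one host from its crash record text and installed definition version."""
    crashed = is_av_engine_crash(parse_crash_event(event_text))
    bad_def = installed_definition in BAD_DEFINITIONS
    if crashed and bad_def:
        return "engine crashed on known-bad definition: update definitions"
    if crashed:
        return "engine crashed on another definition: investigate separately"
    if bad_def:
        return "known-bad definition installed, no crash recorded: update definitions"
    return "ok"
```

Hosts that report a crash while already on a later definition fall into the "investigate separately" bucket, since this post only ties the two listed versions to the failure.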
Microsoft's antivirus solution was dead for hours
However, the bottom line is that Microsoft's antivirus solution was dead for several hours. I received information from the editorial staff of German site heise.de. A reader responsible for a state computer center service provider reported that many customers had problems with System Center Endpoint Protection (SCEP) for hours. A ticket opened at Microsoft in the afternoon of 03/19/2019 was categorized there with the highest possible rating, 'Severity A'. All Microsoft's antivirus solutions were 'blind' for hours – not good. A Microsoft spokesperson told Bleeping Computer: "We've resolved this issue, which appears to have been limited to Windows 7 and Windows Server 2008." Seems a good joke so far.
Same problem on Windows Server 2012 R2 – not good. ;)
same here today on server 2012 R2
Thx, got that comment a couple of hours ago from a German user. Will write an article about that.
SCEP/MSE/Defender: Broken Signatureupdate kills Microsoft Antivirus (04/16/2020)
Same for me today on a German Windows 7 Pro x64 machine.