[German]Brief information for administrators of Windows systems, especially Windows Server. I have received information that the signature files for Microsoft Defender that have been delivered recently are causing problems. On some Windows Server systems, RAM usage may become unmanageable, affecting operation. Addendum: The issue seems to be known to Microsoft, they are supposedly working on it – see my attached information.
German blog reader Markus K. alerted me to this issue via email this morning and wrote me the following:
Just a brief information, but perhaps interesting.
Our monitoring tool noticed that the RAM on some servers was fully utilized.
The reason was the process msmpeng.exe, which needed e.g. on WSUS 2,6GB RAM.
After Update-MPSignature it was just ~400MB.
Would be interesting to know at this point if any of you noticed something similar? The Microsoft Defender or the scan engine is a problem bear anyway – here with my clients I notice (with MSE) that there also the CPU is completely used up from time to time. If then the trusted installer also starts and runs amok, then nothing works. Markus K., who continuously monitors the machines in his environment, wrote me the following:
Some time ago, Defender already attracted attention when it was no longer possible to view the event log on clients. The problem disappeared after the signature update.
He draws a not-so-great conclusion from various cases regarding Microsoft's antivirus solutions and their signature updates and writes about it:
That is, if you don't happen to get a broken version, you might not notice anything at all. Perhaps Defender was also to blame for countless black screens that appeared after logging in and then disappeared again after a reboot.
In any case, Defender stood out in our problem analyses and became very conspicuous. If this doesn't get significantly better again, I guess we'll have to look around for an alternative again
Points something in the direction of what I occasionally also observe or occasionally get to hear. On Microsoft Answers there is this forum post from December 2021 where users complain something similar for the Windows client. After publishing the German edition of this article, several administrators has confirmed the observation outlines above. What are your experiences with Defender?
Addendum: As commented below, on reddit.com is also a discussion and I got now several feedback from affected people. I've notified Microsoft Helps about this issue via Twitter (with a link to this article). A reader has notified me about a feedback given from (probably) a MS employee on April 14, 2022 :
that is a current known issue and our PG team are actively working on a fix. We apogolise for any inconvenience caused.
Starten on April 13th, Microsoft Defender Antivirus customers may have experienced high memory utilization from the Antimalware Service Executable, MsMpEng.exe using signatur builds starting from 1.363.177.0.
Microsoft Defender is activly working aon a signature fix to mitigate the issue.
The issue seems to be known to Microsoft, they are supposedly working on it. Fun fact: My original German blog post about the issue is from April 12, 2022, and Markus K. has already noticed the problem a day before. If the product group (PG) are now working on a signature update and state April 13, they are trying to fix an issue that has been around for a while. Let's hope there's a fix soon for those affected.
Cookies helps to fund this blog: Cookie settings
More and more people are complaining about the same problem but we don't see any official issue/announcement coming from Microsoft: https://www.reddit.com/r/sysadmin/comments/u1z2vg/windows_defender_anti_virus_service_process/?sort=old
We also have the same in our infrastructure impacting Windows Servers 2016/2019/2022
Thx, I've left a link at reddit to my article and also informed MS via Twitter. Hope that helps.
Tic tac tic tac. Microsoft – give us new definitions. Can't wait. Have several VM in Azure that use all memory available and finally stops responding.
Microsoft has just released a update for this issue in the form of new definitions
Form tomorrow 2022-04-21 I have the same issue on several computers also with the latest definitions.