Anti-Tampering for the Antimalware Service in System Center Endpoint Protection 2012 SP1


Summary: This article was contributed by Amber Goins, a Senior Microsoft Premier Field Engineer. System Center Endpoint Protection (SCEP) SP1 introduced important and often-requested new Anti-Tampering features for the Antimalware service, and Amber takes us through a practical tour of how to troubleshoot this environment. Enjoy!

Microsoft System CenterSystem Center Endpoint Protection (SCEP) administrators may have noticed that after installing System Center Configuration Manager 2012 SP1 the Microsoft Antimalware Service has now been hardened to prevent tampering.  This has been a feature request by many of our customers in order to prevent tampering with the Antimalware service.

In the screenshot below you are able to see the service is running, but while logged on as an Administrator on the local machine we are not able to do anything actionable with the service such as Stop, Start, Pause, or Disable it.

Service Properties - Antimalware Service

Now that we have this hardened service in SP1, the next questions administrators ask themselves is what should they do if they’re in a troubleshooting situation and suspect that performance degradation is due to Microsoft Endpoint Protection.

Process Status can be viewed in Task Manager:

Process Status can be viewed in Task Manager

Additional steps that can be taken to troubleshoot performance issues with the SP1 Endpoint Client:

  • Verify Proper Exclusions are set by Product.  Windows exclusion lists can be found here:  Windows Anti-Virus Exclusion List 
  • Verify the process is excluded in Real Time Protection.
  • For VDI, verify a Full Scan has been run on the Master Host Image, and that persistent cache has been populated.
    • You can check the value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\SFCState – if it’s 7 then it’s complete, on initial install it will be 0
    • To force the persistent cache to generate, run (from an elevated CMD): 
      • Cd C:\Program Files\Microsoft Security Client
      • MpCmdRun.exe -buildSFC)

Test Disabling the following Endpoint Protection Components “one at a time” to see if the issue can be isolated to a specific component:

  • Disable Network Inspection System (NIS)
  • Disable Behavior Monitoring
  • Disable Real Time Protection

If it’s none of those, try to uninstall and test again.

Tools to assist during Troubleshooting:

NIS: The following update was released towards the end of last year (2012) as a Critical (non-security) Update via Windows Update.  The update basically addresses an issue with the Windows Filtering Platform that would cause the NIS feature of SCEP and FEP to drastically (up to 45 times, depending on the scenario) slow down network performance when actively protecting machines. In the case of SCEP/FEP this means the machine is missing a security update that NIS has definitions for turned on.  For details on the update, check out the associated Knowledge Base article.

WMI: Hotfix to be aware of: 2790831 – Handle leak in WMI on WS2012 and Win8.  This hotfix addresses an issue found in Windows Server 2012 (and Win8) that can be exposed when performance data is queried via WMI.  Products that regularly query WMI for performance data are SCOM, SCVMM, and SCDPM.  Since ConfigMgr also depends on WMI so heavily, you might consider this for Win8 clients if you detect the handle leak issue.

If the issue is resolved only by an Uninstall please contact Microsoft Support Services to reproduce the issue.

Note: A special thanks to Jeramy Skidmore and Diana Smith, Microsoft CSS Support Escalation Engineers, for your continuous collaboration on this topic!


Written by Amber Goins. Posted by Frank Battiston, MSPFE Editor