SOLVED

Defender problems after August 2023 updates


After the August update, most of my computers have started to have a problem: the Defender engine fails with an access violation and does not start.

The directory C:\ProgramData\Microsoft\Windows Defender\Definition Updates already occupies more than 80 GB on some computers, and we are about to block more than 100 systems.

In the disk access view we see the process msmpeng.exe running and accessing data even though the service is stopped.

Does anyone have any idea what could be happening? Until August everything was OK.

We appreciate any information; this is critical for us.


Application name with errors: MsMpEng.exe, version: 4.18.23070.1004, timestamp: 0x6b35f94b
Buggy module name: mpengine.dll, version: 1.1.23070.1005, timestamp: 0x81234765
Exception code: 0xc0000005
Error offset: 0x000000000000001052a4
Process identifier with errors: 0x4a0c
Application start time with errors: 0x01d9d500f5ab9731
Path of the application with errors: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23070.1004-0\MsMpEng.exe
Path of the module with errors: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2EA91686-B008-42A3-BF6B-107CF30019A3}\mpengine.dll
Report Identifier: 0765efea-466f-467d-ad8b-d8f8e85c8d64
Full name of the package with errors:
Relative application identifier of the package with errors:

7 Replies
Did you try to re-onboard one of the devices with a new onboarding package and check if the issue persists?
Ummm, is it possible with Intune? We have never done it before; I will see.
Also, if you're facing high CPU and disk usage, exclude Defender from scanning its own folder located in C:\Program Files\Windows Defender
Hello.

We have removed the computer from MDE and re-onboarded it; the service continues to crash. This computer has been giving problems since last night, which is when it was updated to the August Defender update. We cannot run anything with mpcmdrun because the service is stopped.

I am going to open an urgent case; my computers are running out of space.

Thank you!!!
Is the agent active on the devices and checking in with Defender? How did you establish that the service is down?
Yes, the agent is active in the console, and it shows all services at version 0.0.0.0.0.

The service is continuously producing an APPCrash as I copied in my first post.

The directory C:\ProgramData\Microsoft\Windows Defender\Definition Updates has a size of 130 GB and it keeps creating directories {00000000-xxxxxxx

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 08/21/2023 9:00 Backup
d----- 04/04/2022 19:07 Default
d----- 07/12/2019 10:14 NisBackup
d----- 03/21/2022 16:45 StableEngineEtwLocation
d----- 22/08/2023 13:02 Updates
d----- 22/08/2023 3:47 {000AABA1-776B-4852-B045-2C0417C027AC}
d----- 22/08/2023 17:51 {000FBE6E-9FC1-4A31-A6DE-F5A694373F5A}
d----- 22/08/2023 10:06 {001BEFE8-7DC7-4FCE-A1C0-75A38E5E02CE}
d----- 22/08/2023 21:02 {0028950D-8634-426E-BB7A-BA0FD3D0E9AA}
d----- 22/08/2023 15:48 {0028FF2F-FB40-4ACA-A7B1-EEE4B2AD51E9}
d----- 22/08/2023 13:59 {003F62C4-4DFF-4796-A756-EE0C249B8915}
d----- 22/08/2023 22:20 {0040ABAA-EA69-4F70-8D83-37C165F92466}
d----- 22/08/2023 19:40 {00683375-AADF-4D9E-8375-576BD4CF422A}



This is an output of Get-MPComputerStatus where you see the process stopped.


AMEngineVersion : 0.0.0.0.0
AMProductVersion : 4.18.23070.1004
AMRunningMode : Not running
AMServiceEnabled : False
AMServiceVersion : 0.0.0.0.0
AntispywareEnabled : False
AntispywareSignatureAge : 4294967295
AntispywareSignatureLastUpdated :
AntispywareSignatureVersion : 0.0.0.0.0
AntivirusEnabled : False
AntivirusSignatureAge : 429496967295
AntivirusSignatureLastUpdated :
AntivirusSignatureVersion : 0.0.0.0.0
BehaviorMonitorEnabled : False
ComputerID : AF02E9C0-B59A-4A18-AFEA-CA1A21D2D7FC
ComputerState : 0
DefenderSignaturesOutOfDate : False
DeviceControlDefaultEnforcement : N/A
DeviceControlPoliciesLastUpdated : 01/01/1601 1:00:00:00
DeviceControlState : N/A
FullScanAge : 4294967295
FullScanEndTime :
FullScanOverdue : False
FullScanRequired : False
FullScanSignatureVersion :
FullScanStartTime :
IoavProtectionEnabled : False
IsTamperProtected : False
IsVirtualMachine : False
LastFullScanSource : 0
LastQuickScanSource : 0
NISEnabled : False
NISEngineVersion : 0.0.0.0.0
NISSignatureAge : 4294967295
NISSignatureLastUpdated :
NISSignatureVersion : 0.0.0.0.0
OnAccessProtectionEnabled : False
ProductStatus : 1
QuickScanAge : 4294967295
QuickScanEndTime :
QuickScanOverdue : False
QuickScanSignatureVersion :
QuickScanStartTime :
RealTimeProtectionEnabled : False
RealTimeScanDirection : 0
best response confirmed by AndresMoralesamf5979 (Copper Contributor)
Solution

@AndresMoralesamf5979 

Good morning,

The problem is a Defender bug that occurs when you define exclusion rules by process, of the type: Process: "msaccess.exe"}. If you remove the exclusion rules, Defender starts without problems. It seems that the problem will be solved in September.

Regards
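
A triage check for the symptoms described in this thread, as an added example that is not part of any post: it reports the engine state, the size and {GUID} folder count of the Definition Updates directory, and any process exclusions found. The two registry locations (local settings and Group Policy) are assumptions of this example, and exclusions delivered through other management channels may be stored elsewhere. Run it from an elevated PowerShell session.

```powershell
# Added example, not from the thread. Read-only: it changes nothing on the host.
$defRoot = 'C:\ProgramData\Microsoft\Windows Defender\Definition Updates'  # path quoted in the thread

# 1. Engine state. Affected hosts in the thread report AMRunningMode "Not running".
$status = $null
try   { $status = Get-MpComputerStatus -ErrorAction Stop }
catch { Write-Warning "Get-MpComputerStatus failed: $_" }

# 2. Directory growth: total size plus the number of {GUID}-named subfolders.
$guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
$guidDirs = @(Get-ChildItem -LiteralPath $defRoot -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $guidPattern })
$sizeBytes = (Get-ChildItem -LiteralPath $defRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Measure-Object -Property Length -Sum).Sum

# 3. Process exclusions. Assumed locations: local settings and Group Policy.
#    Each exclusion is stored as a value name under the key.
$exclusionKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Processes'
)
$exclusions = @(foreach ($key in $exclusionKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Source = $key; Process = $name }
        }
    }
})

# 4. One summary object per host, suitable for export when run across a fleet.
$report = [pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    AMRunningMode       = if ($status) { $status.AMRunningMode } else { 'unknown' }
    AMEngineVersion     = if ($status) { $status.AMEngineVersion } else { 'unknown' }
    DefinitionUpdatesGB = [math]::Round(([double]$sizeBytes) / 1GB, 2)
    GuidFolderCount     = $guidDirs.Count
    ProcessExclusions   = ($exclusions.Process -join '; ')
    # True only when the engine is down AND at least one process exclusion exists,
    # which is the combination the accepted answer points to.
    MatchesThreadSymptoms = [bool]($status -and $status.AMRunningMode -eq 'Not running' -and
                                   $exclusions.Count -gt 0)
}
$report | Format-List
```

Hosts where MatchesThreadSymptoms is True are the ones to review against the accepted answer; the {GUID} folder count gives a quick measure of how far the directory has grown.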
