TTLG|Thief|Bioshock|System Shock|Deus Ex|Mobile
Results 1 to 10 of 10

Thread: Microsoft security essentials replacement

  1. #1
    Registered: Apr 2002
    Location: Third grave from left.

    Microsoft security essentials replacement

    Recently it has started malfunctioning - sporadically eating up all CPU resources it can for no discernible reason. Win7.

    I have never installed any other antivirus or anything like that - recently or otherwise. Google-fu tells that it is caused by some resource race conflict (basically spinlocking the CPU to death) ... MSE does not seem to have any logs or any kind of useful instrumentation i can find.

    So, it is dead and i am in need of replacement. Unfortunately, the malware protection ecosystem has always been a disaster. Filled with FUD nonsense, lying and muddling - even from the absolute leaders. Very hard for a random dude, me, to tell which is worth the inconvenience they bring. Given this, i am not willing to pay for it (that is why i was fine with just using MSE).

    What are You using and why?

    Is it configurable?
    Has it full system integration?
    Does it have good behavior based protection? (ie, ex: block unknown ransom-ware-like behavior)
    What overhead does it have?
    What does it do? (ex: in comparison to MSE)

  2. #2
    Registered: Sep 2003
    Location: Cambridgeshire UK
    Update your OS to Win 10 (or even 8 ) and use the built in Windows Defender.

  3. #3
    Registered: Apr 2002
    Location: Third grave from left.
    Windows Defender is sub-component of MSE (the malfunctioning process IS Windows Defender). The common malfunction experienced here is not OS version dependent. Changing the OS will do nothing (besides having a really terrible OS to wrangle with. I do have Win10 machines in house - just not for serious work).

  4. #4
    Registered: Sep 2003
    Location: Cambridgeshire UK
    That's what it used to be. Windows Defender is now something completely different but misleadingly with the same name. Changing the OS will get you the new, different, more effective Defender. See here.

  5. #5
    Registered: Apr 2002
    Location: Third grave from left.
    I was simplifying a bit. WD and MSE are, from users perspective, just user interfaces for various system-integrated services/tools/whatever. While the interfaces and features have changed a lot - some of the components have hardly changed at all. MsMpEng is one of the underlying support-service-thingies used by WD/MSE in various ways and to a changing extent. However, as far as i know, there have been no fundamental changes (relevant to the topic) in it and it is still a well known source of trouble (spin-lock behavior in race conditions caused by "conflictig" software) - Win10 CU and otherwise. My best bet is that one of my installable filesystem (IFS) drivers has had an unfortunate timing change that trips up MsMpEng interception - causing a spin lock. The trouble coincides with latest IFS update, but cannot test/change that.

    Whatever the cause and/or solution is - Win10 is irrelevant to the topic. I am using Win7.


  6. #6
    Registered: Sep 2001
    Location: Qantas
    It could be any one of a number of causes, including actual malware. One common problem that I've run into is the real-time protection continuously scanning another process because it thinks something unusual is going on. If you have one application that is particularly sluggish when MSE is acting up, try closing it and see if MSE settles down. If not, then close all apps, one by one, while observing MSE. Kill any non-essential processes.

    If you can't find any specific app or pattern that triggers it, you can try rolling back recent updates one by one. If you're still stuck, you might consider doing a full scan with another anti-malware program. If it scans clean, you can try uninstalling and re-installing MSE.

    Anyway, there have been major changes to Microsoft's anti-malware and the overall level of OS security from Win 7 to Win 10. I'm not a big fan of Win 10, but security is one area they have improved a lot.

  7. #7
    Registered: Sep 2003
    Location: Cambridgeshire UK
    Quote Originally Posted by zombe View Post
    .... it is still a well known source of trouble (spin-lock behavior in race conditions caused by "conflictig" software) - Win10 CU and otherwise.
    Links please - nothing about spinlock with Win 10 Defender comes up using Google.

  8. #8
    Registered: Mar 2001
    Location: Ireland
    Have you tried reinstalling Windows 7?

  9. #9
    Registered: Apr 2002
    Location: Third grave from left.
    This is really getting on my nerves.

    Ok, serious time.

    Subject: MsMpEng.exe.
    Use-case: user doing f* all, just staring at Windows Task Manager with minimum of programs open (Firefox being the main one).

    For long stretches of time (several minutes), nothing odd happens. Total CPU usage is at 0 or occasionally 1%.
    Then it will use 100% of one physical thread CPU time (25% of total CPU time in my case) for ~40 seconds. It gets stuck in some unfruitful busy loop (*).
    This cycle repeats endlessly.

    Let's commence digging around at the time of failure to find out WTF it is doing:

    Roughly a million IO reads are requested.
    Exactly 0 IO writes and other IO operations are requested.

    Resource Monitor does not tell anything useful
    Except that it is using 25 logical threads for something (the thread count never changes, most is probably cache for capture). No idea what for as the failure eats only one physical thread which tells with virtual certainty that the fault is limited to exactly one logical thread and nothing else.

    SysInternals procmon (btw, for no reason i can fathom, it requires Workstation service or it just won't start and fails silently - in case you encounter this problem down the line).

    The offending millions of read requests are for: C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpenginedb.db. (ie, subfolder of where the malfunctioning MsMpEng is)
    Read offsets are incremental with considerable chunks skipped.
    edit: actually, there is a bit of locally non incremental hoping around also.
    Read size, always just one page.
    Very typical DB lookup behavior.
    One such read cycle is roughly 3000 reads. Lets call it "BAD" cycle (vs "OK" cycle with only a few dozen read requests). Where "BAD" means just an extensive and expensive lookup - not any kind of fault.

    Cycles from start of presumed failure:
    BAD: Activity in Firefox profile folder. Normal stuff (state updates).
    OK: Some other program (some kind of state file again for some Microsoft thingie).
    Many OK: Super small lookups (OS and FF files) with most not producing any or hardly any DB lookups.
    BAD: Hard to say what, it is interleaved at the start. There is concurrency (**) with the "Many OK". One FF state file among them and likely the one requiring a full BAD cycle (the rest are windows OS stuff which seem to end their check characteristically very shortly or with no reads at all [or serialized to a later date] - signature/already-checked or some other fast path probably).
    BAD-BAD-BAD: cannot guess-associate any file with them as at the time of BAD cycle start there are no file interceptions (except an occasional FF state file). Either some stuff from "Many OK" serialized to this time or the shit is about to hit the fan.
    SHIT-HITS-THE-FAN: GIGANTIC cycle that is MANY (eyeballing ~20+ [edit: adjusted estimate]) "BAD" cycles *interleaved*. A big mud-ball of busy-looping nonsense as it essentially does not do any useful work at all.
    edit: the gigantic bud-ball itself is also repeating multiple times (full procmon capture is too big to bother taking).

    This shitfest matches closely the common "conflict" behavior described everywhere in MS explanations.

    What causes the conflict in my case? No-one knows and i have no means to track that.


    The few FF state file cycles for the full failure event seem to be always for the same file - which is different per failure. So, cannot exclude any specific file, but it might signify FF has the rapidly repeating access pattern for some of its .js state files that trigger the failure in the file interception / database lookup of antimalware component employed by MD and MSE.

    Excluded the entire FF profile folder from scan as a nuclear solution to the problem.
    Not sure whether there are any too-worrying threat vectors there (there certainly ARE, just not sure how significant) - excluding me myself ever installing any from any threat considerations.
    * There have been no failures for hours now. *
    Will see if something else crops up that also triggers the failure.
    edit: nothing else has come up so far

    *) ie. "spin-lock behavior". It is a programmer-world term and no normal user would use it to describe anything ever - sorry for using it.
    **) concurrency is only in interception, not in DB read cycles.
    Last edited by zombe; 12th Aug 2018 at 02:06.

  10. #10
    Registered: Oct 2009
    Location: Pawtucket,Rhode Island
    I know its not free but overall I have been very impressed by Bitdefender Total Security.Its covers it all,Anti-Virus,Firewall,Anti Malware,and Anti Ransomware plus its very proactive and hands off and its never given me much trouble and it does its job very well.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts