Reports are starting to filter in that a recent Forefront Endpoint definition update is causing the Endpoint Protection engine (MsMpEng.exe) to crash, which makes Windows XP and Windows Server 2003 systems run extremely slowly and, in some cases, hang.

The definition update is 1.171.1.0.

Microsoft has suggested a workaround until a new definition file can be released.

Current Workaround:

Disable Behavior Monitoring feature, either in the policy or via the SCEP UI.

UPDATE: I'm also being told (thanks Bart Surminski!) that a beta version of the definition will also fix this. You can download the definition beta here: http://support.microsoft.com/kb/939757. Latest pre-release definition version is 1.171.67.0. You can read more about beta definitions here: Microsoft pre-release definition updates.

How to Disable Behavior Monitoring feature

  1. Configure the policy with SCCM
  2. Configure the policy by GPO
  3. Distribute a machine startup/shutdown script by GPO that sets the registry value

Batch: reg add "HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1 /f

You can also set the registry value below directly to disable Behavior Monitoring:

HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection
DisableBehaviorMonitoring = 1  (REG_DWORD)
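As an added example (not from the original post or from Microsoft), here is a startup script for the GPO distribution step above that applies the workaround only while the affected definition is installed and removes the override again once a newer definition arrives, so Behavior Monitoring does not stay disabled longer than needed. The Signature Updates key and the AVSignatureVersion value name are assumptions for this example; confirm them on a reference machine before deploying.

```batch
@echo off
REM Added example, not part of the original post: apply the Behavior Monitoring
REM workaround only while definition 1.171.1.0 is installed, and revert it otherwise.
REM Assumption: the installed definition version is readable from
REM HKLM\Software\Microsoft\Microsoft Antimalware\Signature Updates\AVSignatureVersion
REM (value name assumed for this example; verify on a reference machine).
setlocal

set "KEY=HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection"
set "SIGKEY=HKLM\Software\Microsoft\Microsoft Antimalware\Signature Updates"
set "BADVER=1.171.1.0"
set "CURVER="

REM Read the installed definition version; tokens=3 skips the value name and type.
for /f "tokens=3" %%v in ('reg query "%SIGKEY%" /v AVSignatureVersion 2^>nul ^| find "AVSignatureVersion"') do set "CURVER=%%v"

if "%CURVER%"=="" (
    echo Could not read the definition version; applying the workaround as the post advises.
    goto :disable
)

if "%CURVER%"=="%BADVER%" goto :disable

REM Any other version: remove the temporary override so Behavior Monitoring is
REM active again. Assumes it was enabled before the workaround; if policy manages
REM the setting, the policy value is restored on the next policy refresh.
echo Definition %CURVER% is not the affected build; re-enabling Behavior Monitoring.
reg delete "%KEY%" /v DisableBehaviorMonitoring /f >nul 2>&1
goto :end

:disable
echo Disabling Behavior Monitoring (installed definition: %CURVER%).
reg add "%KEY%" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f >nul
REM Confirm the value is present before the script exits, so failures show in the log.
reg query "%KEY%" /v DisableBehaviorMonitoring | find "0x1" >nul && echo Workaround applied. || echo WARNING: value not set.

:end
endlocal
```

Run it as a machine startup script so it executes with local SYSTEM rights; the echo lines give you something to capture in the startup script log when checking which machines still have the override in place.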

This issue coincides with the release of a new Antimalware Engine (1.1.10501.0), delivered to all Microsoft Security Essentials, Forefront Client Security, Forefront Endpoint Protection, Windows Intune Endpoint Protection, and Windows System Center Endpoint Protection customers on 15 April 2014.

P.S. Windows XP support ended on April 8, 2014. Microsoft has promised to continue to provide antimalware updates until June of 2015, but as shown in this update, Windows XP is not a top priority for Microsoft. You'd do well for yourself (and your company) to migrate to a newer operating system as soon as possible.

P.P.S. This issue also affects Microsoft Security Essentials.