SCEP Antimalware service stops, can restart but then stops again a short period later

Recently we've noticed on multiple servers that the antimalware service suddenly stops. I can restart it, only for it to stop again within what I can tell is a few short hours. We are alerted that the 'antimalware service is not running, or the antimalware engine is corrupted. To restart the service, run the recovery task in Health Explorer.' I've tried updating the definitions, which didn't help, and ran a full scan. I also ran a scan off of Microsoft Safety Scanner which netted 0 results found. This started a few weeks ago.

Anything else I can check besides re-installing the client? As far as I know, this could get worse and I can't tell why this is happening on these servers and I'd like to understand the cause. All servers are running Windows Server 2012 R2 and we use Configuration Manager 2012 R2 SP1 to manage the client.

Antimalware Client Version: 4.8.204.0

Engine Version: 1.1.11903.0

Antivirus definition: 1.203.767.0

Antispyware definition: 1.203.767.0

Network Inspection System Engine Version: 2.1.11804.0

Network Inspection System Definition Version: 115.3.0.0

Event log:

Fault bucket , type 0
Event Name: AntimalwareEngineHang
Response: Not available
Cab Id: 0

Problem signature:
P1: Microsoft Antimalware
P2: 4.8.204.0
P3: 1.1.11903.0
P4:
P5:
P6:
P7:
P8:
P9:
P10:

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_Microsoft Antima_ab796d2cb14f8953f02ca26a42dbd4f89adc432b_00000000_0066ec00

Analysis symbol:
Rechecking for solution: 0
Report Id: 9fea92ea-362c-11e5-80ce-f80f41fc3303
Report Status: 4100
Hashed bucket:

July 30th, 2015 11:21am

Hi,

Have you checked Endpoint Protection log files? Any information?

Endpoint Protection Log locations

Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

July 31st, 2015 1:35am

Thanks, I had looked at a few of the logs but not MpSigStub and MPCmdRun. Trying to correlate the issue at the time it occurs with the log files, and the times do not match up. Every now and then all I see is this, but I'm not sure if it's related.

================================= ValidateUpdate =================================

mpasdlta.vdm version in package is 1.203.1072.0, but after update machine has older version 1.203.1039.0
mpavdlta.vdm version in package is 1.203.1072.0, but after update machine has older version 1.203.1039.0

                         Watson Report:                     Position:
                HRESULT: 0x80070005                         P1      
         FailedFunction: MpUpdateEngine                     P2      
              Operation: AM Delta                           P3      
 SourceComponentVersion: 11.1.5128.0                        P4      
    SourceComponentName: mpsigstub.exe                      P5      
         ProductVersion: 4.7.209.0                          P6      
            ProductName: System Center Endpoint Protection  P7      

ERROR 0x800106ba : Failed to send error Heartbeat report for product: System Center Endpoint Protection
ERROR 0x800106ba : MpConfigSetValue(DeltaUpdateFailure)
ERROR 0x80070005 : One or more of the packages found failed to update for System Center Endpoint Protection.
ERROR 0x80070005 : One or more of the products found failed to update; returning this error
Deleted C:\Windows\Temp\17753A05-41AB-4726-BC10-395B52E89622-Sigs\MPASDLTA.VDM
Deleted C:\Windows\Temp\17753A05-41AB-4726-BC10-395B52E89622-Sigs\MPAVDLTA.VDM
ERROR 0x80070005 : MpSigStubMain
End time: 8/2/2015 9:56 PM

If nothing sticks out, a reinstall might do. Just trying to understand the issue at hand.

August 3rd, 2015 1:54pm
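
An added example, not part of the original thread and not Microsoft tooling: a small Python parser for the MpSigStub excerpt quoted in the post above. It flags definition files left at an older version than the package and splits each HRESULT into facility and code; the sample lines are copied from the post, and the names in the two lookup tables are the standard winerror.h names for the values that appear there.

```python
import re

# Standard winerror.h names for the facilities and codes in the excerpt.
FACILITIES = {1: "FACILITY_RPC", 7: "FACILITY_WIN32"}
CODES = {5: "ERROR_ACCESS_DENIED", 1722: "RPC_S_SERVER_UNAVAILABLE"}

# Sample input: lines copied from the MpSigStub excerpt in the post above.
SAMPLE = """\
mpasdlta.vdm version in package is 1.203.1072.0, but after update machine has older version 1.203.1039.0
mpavdlta.vdm version in package is 1.203.1072.0, but after update machine has older version 1.203.1039.0
ERROR 0x800106ba : Failed to send error Heartbeat report for product: System Center Endpoint Protection
ERROR 0x80070005 : One or more of the packages found failed to update for System Center Endpoint Protection.
End time: 8/2/2015 9:56 PM
"""

STALE = re.compile(r"(\S+) version in package is ([\d.]+), "
                   r"but after update machine has older version ([\d.]+)")
ERROR = re.compile(r"ERROR (0x[0-9a-fA-F]{8}) : (.*)")


def decode_hresult(value):
    """Split a 32-bit HRESULT into (failed, facility, code)."""
    failed = bool(value & 0x80000000)   # severity bit
    facility = (value >> 16) & 0x7FF    # 11-bit facility field
    code = value & 0xFFFF               # 16-bit status code
    return failed, facility, code


def as_version(text):
    return tuple(int(part) for part in text.split("."))


def parse_mpsigstub(text):
    """Return (stale_files, errors) found in MpSigStub log text."""
    stale, errors = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := STALE.match(line):
            name, packaged, installed = m.groups()
            if as_version(installed) < as_version(packaged):
                stale.append((name, packaged, installed))
        elif m := ERROR.match(line):
            _, facility, code = decode_hresult(int(m.group(1), 16))
            errors.append((m.group(1), FACILITIES.get(facility, facility),
                           CODES.get(code, code), m.group(2)))
    return stale, errors


if __name__ == "__main__":
    for row in sum(parse_mpsigstub(SAMPLE), []):
        print(row)
```

For the two values in the excerpt, 0x80070005 decodes to Win32 access denied and 0x800106ba to RPC server unavailable.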

Hi,

Did you find the cause of this problem?

August 7th, 2015 2:03am

No, we re-installed the client on multiple servers and the issue has come back and even hit a few new ones, including a few file servers, which is really worrisome. Any other ideas? I will be opening a case on this tomorrow.
August 11th, 2015 12:00am

I've opened a case and they had me take some crash dumps using the ADPlus executable on the msmpeng.exe.  

http://blogs.msdn.com/b/webdav_101/archive/2012/01/27/taking-dumps-with-the-adplus-executable.aspx

I will post the results once the logs are analyzed.

August 19th, 2015 2:33pm

Still awaiting answer from Microsoft. I will provide the answer when I receive it.
September 1st, 2015 1:09pm

We're starting to experience this in our environment as well; have you received any information from MS yet?
September 11th, 2015 10:37am

This topic is archived. No further replies will be accepted.
