MsMpEng.exe High CPU Usage

We've recently migrated about 40 pcs to to FCS. PC's includeXP professional computers with sp2 and those with sp3 and Vista Business with Sp1.

A number of users have complained about MsMpEng.exe's intrusiveness. This is evident by high CPU usage and slowing Outlook and number of other in house applications.
I have setup exclusions for the directories for in-house apps. However when users browse these folders they witness high CPU usage.

Prior to FCS we used CA Inoculate which didn't require so many files and directories to be excluded.

Is there a setting where it is possible to make FCS less aggressive?

I need to find a way to get users pc back to the performance levels pre FCS and soon. Help please.

June 17th, 2008 7:40am

What type of files are included in these sub directories?
Free Windows Admin Tool Kit Click here and download it now
June 21st, 2008 3:40am

Steve Dodson - MSFT - Posted on Saturday, 21 June 2008 1:40:10 PM What type of files are included in these sub directories?

.doc, .xls, .ppt. , .zip, .rar, and .bak



I have now added exclusions for all exes developed in house. Exclusions for .doc, .xls, .ppt. , .zip, .rar, and .bak. Exclusions have been set for the root share where documents are stored.
Also I have implemented changes discussed athttp://support.microsoft.com/kb/822158.

Yet still when I browse a directory containing the exe's or a network sharewhich has been excludedMsMpeng.exe goes nuts, crippling the performance of the machine.

Im not sure if it is protecting network drives or something similar but copying exes onto the server takes about 4-5 mins now (used to take about 30 seconds) and even accessing any folder that has our exes loaded in there takes about 1 min before I can do anything in that folder, despite exclusions.

I have already uninstalled Live Care from my home pc, which interestingly asked me to fill out a survey with a number of the questions specifically asking how Live Care impacted performance. Micosoft must be aware of pefornace issues and the intrusiveness of the antimalware apps. Forums are full of complaints. What is being done to resolve these issues.

If I can't get these performance issues sorted my users will be demanding the we revert to Inoculate.

  • Edited by Agilbert2003 Monday, June 23, 2008 10:30 PM added more detail
June 23rd, 2008 12:27am

Steve Dodson - MSFT - Posted on Saturday, 21 June 2008 1:40:10 PM What type of files are included in these sub directories?

.doc, .xls, .ppt. , .zip, .rar, and .bak



I have now added exclusions for all exes developed in house. Exclusions for .doc, .xls, .ppt. , .zip, .rar, and .bak. Exclusions have been set for the root share where documents are stored.
Also I have implemented changes discussed athttp://support.microsoft.com/kb/822158.

Yet still when I browse a directory containing the exe's or a network sharewhich has been excludedMsMpeng.exe goes nuts, crippling the performance of the machine.

Im not sure if it is protecting network drives or something similar but copying exes onto the server takes about 4-5 mins now (used to take about 30 seconds) and even accessing any folder that has our exes loaded in there takes about 1 min before I can do anything in that folder, despite exclusions.

I have already uninstalled Live Care from my home pc, which interestingly asked me to fill out a survey with a number of the questions specifically asking how Live Care impacted performance. Micosoft must be aware of pefornace issues and the intrusiveness of the antimalware apps. Forums are full of complaints. What is being done to resolve these issues.

If I can't get these performance issues sorted my users will be demanding the we revert to Inoculate.

  • Edited by Agilbert2003 Monday, June 23, 2008 10:30 PM added more detail
Free Windows Admin Tool Kit Click here and download it now
June 23rd, 2008 12:27am

Disabling Real-time monitoring has resolved the issue which is less then ideal. I think it was the 'On AccessScanning' that was the killer.
Is it possible to disable'On Access Scanning ' without disabling the other functions of Real-time Monitoring?
June 24th, 2008 9:57pm

We saw the same issue here, but with the Full Scan, which I suppose can be expected to a degree, the same process using 40-50% of the procesor. However, this issue led us to only run a full scan once a week, such was the impact on the users.

Wonder why the full scan is scheduled for 2am automatically in new FCS policies - this is no use at all for PC`s, unless we all believe the Windows Vista energy use statistics and leave pc`s on all night, hmmm.

Free Windows Admin Tool Kit Click here and download it now
June 25th, 2008 5:47pm

Hello,

i have lenovo T61 + Vista SP1 + Access Connections 5 + Microsoft forefront Client Security

And i also had msmpeng problems draining CPU.

I used FileMon (http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx) to see what is msmpeng.exe doing.

I found out that msmpeng is checking "AccConnAdvanced.html" file in "C:\Users\Public\Documents" and after putting that folder to Exclusions, my problem was solved !

Best Regards

Nikola
April 22nd, 2009 8:52am

This does seem to be a common problem with ThinkPads, as I'm observing it on the Lenovo X200 ThinkPad. The file AccConnAdvanced.html is a network activity log written by default by the network drivers.

It can be resolved by turning off the logging in the ThinkVantage Access Connections app:

  1. Open ThinkVantage Access Connections
  2. Select the Tools tab
  3. Click the Diagnostics button
  4. Select the Event Log tab
  5. Click the Disable Logging button

This solution is preferable to excluding the \Users\Public\Documents folder all together, as it is, shall we say, a not-unlikely candidate for a working directory for nefarious activity.

These on-access scanners such as MSE really should have some heuristics built in to identify files which are being written to constantly and thus incurring high scanning effort. They could then provide some information to users to help them make educated decisions about whether they really require that level of viewing. It's hardly a solution to either a) take an ongoing 50-100% CPU penalty or b) lead a user to disable on-access scanning altogether (and just to make sure nothing nasty is written to an HTML file!)

Free Windows Admin Tool Kit Click here and download it now
July 5th, 2011 8:18am

Did you ever come up with a sensible solution to this?

I'm seeing the same thing on my SharePoint server, where FCS is still scanning folders that are in the exclusion list.  In fact, even if I put the appropriate .EXE files in the process exclusion list, they still scan files touched by the excluded processes.

I really don't want to be turning FCS off...

And yes, I'm aware that FCS has been superceeded by System Center End Point Protection, but tell that to our Ops team...

May 11th, 2015 9:36pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics