Performance in virtual environments

I hope this is the right place to post this question about System Center Endpoint Protection (which I understand used to be Forefront Endpoint Protection, so hopefully I'm right). 

For a while now, we've been using Microsoft's System Center Endpoint Protection within our virtual machines that we deploy using VMware View. For the last few years, everything has been running just fine. However, we recently updated the installation files to the latest version (for compatibility for Windows 8.1) and have since noticed an odd issue that has a huge performance hit on our virtual environment.

After we provision a virtual machine from our gold image (which has System Center Endpoint Protection installed and updated in it), we noticed the machines will start to run an idle task shortly after they are started up that takes up about 30-50% of the VM's CPU (which has a drastic effect on the hosts and their CPU usage). After some monitoring, what I've noticed is that, within the Task Scheduler, after about 20-30 minutes of the machine powering on, a new task gets created called MpIdleTask under Microsoft\Microsoft Antimalware. This task is not present at all in the gold image, and doesn't appear until after the virtual machine is on for about 30 minutes. It is this task, I believe, that is running and killing our CPU resources. Note that the task is removed after it's been run for a couple hours.

My questions are, what is this task that is getting created, why is it getting created well after the software has been installed and running, and how can I prevent the task from being created as it has my entire deployment on hold, until I can figure it out. 

Note that I have disabled the scheduled scan for SCEP and as far as I can tell, SCEP is only doing active monitoring. 

March 5th, 2015 6:18pm

Hi,

I found an explanation of MpIdleTask in a similar case. Hope this could help you.

"In fact, this task "MpIdleTask" exists only if no "Full Scan" has been done to the system by SCEP.

This is the registry value "SFCState" of the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan" which determines the need, or not, of a SCEP scan when the machine is idle.

- If "SFCState" is 0 decimal => SCEP scan occurs when PC is idle and is triggered by the task "MpIdleTask".
- If "SFCState" is 7 in decimal => this means a complete analysis has been made, and there is no need for "MpIdleTask" to run.

In reality, as we already explained, this is linked to the management of the cache optimizer used for scanning; 0 means no files are present in the cache.

In your case, to avoid this mechanism, which can make clients trigger such activity mostly at the same time, it would be good either to have the registry value set to 7 or, even better, to run a Full Scan on your master image."

Best Regards,

Joyce

March 6th, 2015 4:18am

This is promising so far in my tests, I appreciate the information. 

I'm curious though, as it seems that "SFCState" gets set to a value of 1 when you do a quick scan and it gets set to a value of 7 when you do a full scan.  Is a quick scan sufficient enough to prevent the MpIdleTask from being created?

March 10th, 2015 1:03pm
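
A read-only check that could be run in the gold image before sealing it, using the registry value and task name quoted in the reply above. This is an added example, not part of the original thread or any Microsoft tooling; the function name `Get-ScepIdleScanStatus` and the `SafeToSeal` field are hypothetical, and trusting only the value 7 is an assumption, since the thread does not answer whether a quick scan (value 1) is sufficient.

```powershell
# Added example: read-only check to run (elevated) in the gold image before sealing.
# Key, value name, task folder and task name are the ones quoted in the thread.
$ScanKey  = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Scan'
$TaskPath = '\Microsoft\Microsoft Antimalware\'
$TaskName = 'MpIdleTask'

function Get-ScepIdleScanStatus {   # hypothetical helper name
    # SFCState: 0 = no full scan recorded, 7 = full scan done (per the reply above).
    $state = $null
    $prop  = Get-ItemProperty -Path $ScanKey -Name 'SFCState' -ErrorAction SilentlyContinue
    if ($null -ne $prop) { $state = [int]$prop.SFCState }

    # The task only appears some time after boot, so its absence alone proves nothing.
    $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue

    if ($null -eq $state) {
        $verdict = 'SFCState not readable: SCEP missing or key not present'
    } elseif ($state -eq 0) {
        $verdict = 'No full scan recorded: clones are expected to create MpIdleTask and scan when idle'
    } elseif ($state -eq 7) {
        $verdict = 'Full scan recorded: MpIdleTask is not expected'
    } else {
        # e.g. 1, which the original poster saw after a quick scan; the thread
        # does not say whether that suppresses the idle scan.
        $verdict = "SFCState=$state is not covered by the thread: treat as unverified"
    }

    [pscustomobject]@{
        SFCState          = $state
        MpIdleTaskPresent = [bool]$task
        Verdict           = $verdict
        SafeToSeal        = ($state -eq 7) -and (-not $task)   # assumption: only 7 is trusted
    }
}

$status = Get-ScepIdleScanStatus
$status | Format-List
if (-not $status.SafeToSeal) { exit 1 }   # non-zero exit lets an image build step fail
```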

This topic is archived. No further replies will be accepted.
