Windows Defender network inspection service fails to start

South Park

Level 9
Verified
Well-known
Jun 23, 2018
431
Yes, but not only for using Defender. I suggest disabling Memory Integrity protection for general compatibility or using it as an experimental feature with the assumption that it can occasionally break something.
I think that Memory Integrity was preventing me from running a chkdsk /r, which failed at 99% and didn't correct errors. When I disabled Memory Integrity and ran it again, the chkdsk eventually completed and did fix the bad sectors (for now). I'll probably leave Memory Integrity off as long as I'm having hard disk problems.
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
It's obvious that Code integrity isn't compatible with all products yet which is why it's off by default and should remain that way for the time being but it's stupid of Microsoft to not make their own products compatible with code integrity. Didn't they test whether the new platform version is compatible or not! Maybe they forgot because WD employees themselves don't use code integrity 😒
PS: My device don't even support all the features needed for code integrity so I'm just relaxing and watching you guys having problems 😄
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
System-wide anti-exploit solutions can always produce issues. Using such a setup without auditing and detailed event logging is not a good idea. So, for most users, the better solution is just updating frequently.

Generally, in the home environment, it is easier to apply the setup which is focused on preventing malware, than the setup which is based on mitigating the malicious actions.
The situation in enterprises is very different due to common (not patched) system/software vulnerabilities, network vulnerabilities, remote administration vulnerabilities, server vulnerabilities, etc. It is very hard to prevent malware - the large attack surface requires strong mitigations to make the attack less painful and save time to neutralize malware.

Edit.
There can be some reason for using basic anti-exploit protection for concrete applications, plugins, addIns, and extensions that are commonly abused in the wild. One of such simple mitigations is blocking/restricting child processes.
 
Last edited:

plat

Level 29
Top Poster
Sep 13, 2018
1,793
After looking at the MS Community thread linked earlier, it seems these two services are running together for some. I enabled Memory Integrity again earlier, and in fact, Nis.serv is running in Services. No warnings in Event Viewer yet. Anyone else?

Goody, cake and eating it too. 😊🍰 Hope it lasts. Antimalware client is 4.18.2008.4.

nis.servmemint.png
 
F

ForgottenSeer 85179

Thanks to this Wilder's post, it works again!

For anyone who still needs to update the platform, the fix that worked was to run the following from an elevated command prompt:

Code:
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\MpEngine" /f /v MpCampRing /t REG_DWORD /d 3
control /name Microsoft.WindowsUpdate
(enforce searching for updates!)

After the restart i enable all virtualisation stuff in group policy again and voila:
HVCI.png
 

oldschool

Level 81
Thread author
Verified
Top Poster
Well-known
Mar 29, 2018
7,044
Thanks to this Wilder's post, it works again!
But why isn't the fix coming from Windows Update? This bug has given WD and M$ a black eye for me. Quirks, funky GUI I can live with, not major bugs that affect protection.

I'm sorry to say Bitdefender Free has given me no problems so I'll wait for M$ and not have to hack a solution.
 

Tutman

Level 12
Verified
Top Poster
Well-known
Apr 17, 2020
542
But why isn't the fix coming from Windows Update? This bug has given WD and M$ a black eye for me. Quirks, funky GUI I can live with, not major bugs that affect protection.

I'm sorry to say Bitdefender Free has given me no problems so I'll wait for M$ and not have to hack a solution.
OR...... you could try WiseVector StopX ? :unsure: I am using WD for about a month now and had a hiccup with it today myself.
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
But why isn't the fix coming from Windows Update?

For info--I was in the dark like almost everyone else, believe me: one *should* be getting the updates to the Antimalware Platform via Windows Update. The version that appeared to fix the conflict between Network Inspection Service and Memory Integrity was version 4.18.2008.4. The latest client version is 4.18.2008.7. Mine is 4.18.2008.8 but this could be due to Windows 2009. Someone on 2004 maybe can check this out.

@South Park posted the solution that would trigger the update to the client if it wasn't happening previously. He actually posted a valuable piece of information. (y)
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,057
But why isn't the fix coming from Windows Update? This bug has given WD and M$ a black eye for me. Quirks, funky GUI I can live with, not major bugs that affect protection.

I'm sorry to say Bitdefender Free has given me no problems so I'll wait for M$ and not have to hack a solution.
I remember about a few major issues over the latest years in Bitdefender, something like that has been happening to almost all major antivirus vendors, so why every time starting to bash other AVs and claiming my own AV is without major-issues, all makes no sense at least to me ;)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
When comparing my WD updates with several posts on Wilderssecurity and MT, I noticed that my updates were always fresh without doing anything (default update settings). For example, I got a ver. 4.18.2008.4 two weeks ago, and ver. 4.18.2008.8 just today when I have turned on my computer. Both were done automatically via Windows Updates.
I looked at my Registry:
Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\MpEngine]
"MpCampGradualRelease"=dword:00000001
"MpCampRing"=dword:00000003
"MpEngineRing"=dword:00000003
"MpGradualEngineRelease"=dword:00000001

So, the registry value MpCampRing=3 is already there (I did not tweak it). From another thread (https://www.tenforums.com/antivirus...lware-platform-4-18-2001-6-only-one-pc-3.html) it seems that some machines have stuck with different registry values MpCampRing and MpEngineRing, that can cause slower WD platform updates.:unsure:(y)

It is probable, that after disabling WD and using another AV for some time, Windows does not install some updates related to WD. Next, when the user starts using WD again Windows Updates may have a problem with installing all needed updates (including older ones). As we know, Windows Updates are not perfect. 🙃
There are some speculations that MpCampRing and MpEngineRing can be pushed to random users for beta testing.
 
Last edited:

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
When comparing my WD updates with several posts on Wilderssecurity and MT, I noticed that my updates were always fresh without doing anything (default update settings). For example, I got a ver. 4.18.2008.4 two weeks ago, and ver. 4.18.2008.8 just today when I have turned on my computer. Both were done automatically via Windows Updates.
I looked at my Registry:
Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\MpEngine]
"MpCampGradualRelease"=dword:00000001
"MpCampRing"=dword:00000003
"MpEngineRing"=dword:00000003
"MpGradualEngineRelease"=dword:00000001

So, the registry value MpCampRing=3 is already there (I did not tweak it). From another thread (https://www.tenforums.com/antivirus...lware-platform-4-18-2001-6-only-one-pc-3.html) it seems that some machines have stuck with wrong registry values MpCampRing and MpEngineRing, that can cause problems with WD platform updates.:unsure:(y)

It is probable, that after disabling WD and using another AV for some time, Windows does not install some updates related to WD. Next, when the user starts using WD again Windows Updates may have a problem with installing all needed updates (including older ones). As we know, Windows Updates are not perfect. 🙃
There are some speculations that MpCampRing and MpEngineRing can be pushed to random users for beta testing.
Am I doing something wrong?
I don't have those keys.
After adding them and doing windows update, I got the platform update 4.18.2008.8.
But when I look in the registry again the keys are gone...
Schermafbeelding 2020-08-28 120928.png
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Am I doing something wrong?
...
No. I have just configured a friend's laptop and these registry keys are absent too. The Windows has been freshly updated from Windows 1909 to 2004 with WD platform ver. 4.18.2007.8 .
I have the impression that this can be related to Windows telemetry settings or the telemetry that has been already gathered by Microsoft about the customers.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I checked my computers.
Three machines have updated to ver. 4.18.2008.8 with MpCampRing and MpEngineRing values = 2 or 3 (one machine had values = 2, other machines had these values = 3).

My wife's machine does not have these values at all and got the update at the beginning of August to ver. 4.18.2007.8 (the previous update was 4.18.2006.10 at the beginning of July).
It seems that stable ver. is still 4.18.2007.8 and this machine will probably update at the beginning of September. (y)

Edit.
The information about the current stable version can be found as follows:
For now, it is platform ver. 4.18.2007.8 and engine ver. 1.1.17400.5.
I suspect that the beta platform availability depends on the telemetry gathered about the customer.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top