Windows Defender network inspection service fails to start

[South Park]

Yes, but not only for using Defender. I suggest disabling Memory Integrity protection for general compatibility or using it as an experimental feature with the assumption that it can occasionally break something.

I think that Memory Integrity was preventing me from running a chkdsk /r, which failed at 99% and didn't correct errors. When I disabled Memory Integrity and ran it again, the chkdsk eventually completed and did fix the bad sectors (for now). I'll probably leave Memory Integrity off as long as I'm having hard disk problems.

 

[SeriousHoax]

It's obvious that Code integrity isn't compatible with all products yet which is why it's off by default and should remain that way for the time being but it's stupid of Microsoft to not make their own products compatible with code integrity. Didn't they test whether the new platform version is compatible or not! Maybe they forgot because WD employees themselves don't use code integrity
PS: My device don't even support all the features needed for code integrity so I'm just relaxing and watching you guys having problems

 

[shmu26]

Windows has tons of optional, advanced anti-exploit features that can and will break things, but are nevertheless valuable in certain situations. That's the nature of advanced, optional features.

 

[Andy Ful]

System-wide anti-exploit solutions can always produce issues. Using such a setup without auditing and detailed event logging is not a good idea. So, for most users, the better solution is just updating frequently.

Generally, in the home environment, it is easier to apply the setup which is focused on preventing malware, than the setup which is based on mitigating the malicious actions.
The situation in enterprises is very different due to common (not patched) system/software vulnerabilities, network vulnerabilities, remote administration vulnerabilities, server vulnerabilities, etc. It is very hard to prevent malware - the large attack surface requires strong mitigations to make the attack less painful and save time to neutralize malware.

Edit.
There can be some reason for using basic anti-exploit protection for concrete applications, plugins, addIns, and extensions that are commonly abused in the wild. One of such simple mitigations is blocking/restricting child processes.

 

[plat]

After looking at the MS Community thread linked earlier, it seems these two services are running together for some. I enabled Memory Integrity again earlier, and in fact, Nis.serv is running in Services. No warnings in Event Viewer yet. Anyone else?

Goody, cake and eating it too. Hope it lasts. Antimalware client is 4.18.2008.4.

Spoiler

 

[ForgottenSeer 85179]

Thanks to this Wilder's post, it works again!

For anyone who still needs to update the platform, the fix that worked was to run the following from an elevated command prompt:

reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\MpEngine" /f /v MpCampRing /t REG_DWORD /d 3
control /name Microsoft.WindowsUpdate

(enforce searching for updates!)

After the restart i enable all virtualisation stuff in group policy again and voila:

 

[oldschool]

Thanks to this Wilder's post, it works again!

But why isn't the fix coming from Windows Update? This bug has given WD and M$ a black eye for me. Quirks, funky GUI I can live with, not major bugs that affect protection.

I'm sorry to say Bitdefender Free has given me no problems so I'll wait for M$ and not have to hack a solution.

 

[Tutman]

But why isn't the fix coming from Windows Update? This bug has given WD and M$ a black eye for me. Quirks, funky GUI I can live with, not major bugs that affect protection.

I'm sorry to say Bitdefender Free has given me no problems so I'll wait for M$ and not have to hack a solution.

OR...... you could try WiseVector StopX ? I am using WD for about a month now and had a hiccup with it today myself.

 

[plat]

But why isn't the fix coming from Windows Update?

For info--I was in the dark like almost everyone else, believe me: one *should* be getting the updates to the Antimalware Platform via Windows Update. The version that appeared to fix the conflict between Network Inspection Service and Memory Integrity was version 4.18.2008.4. The latest client version is 4.18.2008.7. Mine is 4.18.2008.8 but this could be due to Windows 2009. Someone on 2004 maybe can check this out.

@South Park posted the solution that would trigger the update to the client if it wasn't happening previously. He actually posted a valuable piece of information.

 

[oldschool]

OR...... you could try WiseVector StopX ?

I'm quite happy with BD. No problems whatsoever, no conflict with Memory Integrity.

 

[silversurfer]

But why isn't the fix coming from Windows Update? This bug has given WD and M$ a black eye for me. Quirks, funky GUI I can live with, not major bugs that affect protection.

I'm sorry to say Bitdefender Free has given me no problems so I'll wait for M$ and not have to hack a solution.

I remember about a few major issues over the latest years in Bitdefender, something like that has been happening to almost all major antivirus vendors, so why every time starting to bash other AVs and claiming my own AV is without major-issues, all makes no sense at least to me

 

[Andy Ful]

When comparing my WD updates with several posts on Wilderssecurity and MT, I noticed that my updates were always fresh without doing anything (default update settings). For example, I got a ver. 4.18.2008.4 two weeks ago, and ver. 4.18.2008.8 just today when I have turned on my computer. Both were done automatically via Windows Updates.
I looked at my Registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\MpEngine]
"MpCampGradualRelease"=dword:00000001
"MpCampRing"=dword:00000003
"MpEngineRing"=dword:00000003
"MpGradualEngineRelease"=dword:00000001

So, the registry value MpCampRing=3 is already there (I did not tweak it). From another thread (https://www.tenforums.com/antivirus...lware-platform-4-18-2001-6-only-one-pc-3.html) it seems that some machines have stuck with different registry values MpCampRing and MpEngineRing, that can cause slower WD platform updates.

It is probable, that after disabling WD and using another AV for some time, Windows does not install some updates related to WD. Next, when the user starts using WD again Windows Updates may have a problem with installing all needed updates (including older ones). As we know, Windows Updates are not perfect.
There are some speculations that MpCampRing and MpEngineRing can be pushed to random users for beta testing.

 

[Gandalf_The_Grey]

When comparing my WD updates with several posts on Wilderssecurity and MT, I noticed that my updates were always fresh without doing anything (default update settings). For example, I got a ver. 4.18.2008.4 two weeks ago, and ver. 4.18.2008.8 just today when I have turned on my computer. Both were done automatically via Windows Updates.
I looked at my Registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\MpEngine]
"MpCampGradualRelease"=dword:00000001
"MpCampRing"=dword:00000003
"MpEngineRing"=dword:00000003
"MpGradualEngineRelease"=dword:00000001

So, the registry value MpCampRing=3 is already there (I did not tweak it). From another thread (https://www.tenforums.com/antivirus...lware-platform-4-18-2001-6-only-one-pc-3.html) it seems that some machines have stuck with wrong registry values MpCampRing and MpEngineRing, that can cause problems with WD platform updates.

It is probable, that after disabling WD and using another AV for some time, Windows does not install some updates related to WD. Next, when the user starts using WD again Windows Updates may have a problem with installing all needed updates (including older ones). As we know, Windows Updates are not perfect.
There are some speculations that MpCampRing and MpEngineRing can be pushed to random users for beta testing.

Am I doing something wrong?
I don't have those keys.
After adding them and doing windows update, I got the platform update 4.18.2008.8.
But when I look in the registry again the keys are gone...

 

[Andy Ful]

Am I doing something wrong?
...

No. I have just configured a friend's laptop and these registry keys are absent too. The Windows has been freshly updated from Windows 1909 to 2004 with WD platform ver. 4.18.2007.8 .
I have the impression that this can be related to Windows telemetry settings or the telemetry that has been already gathered by Microsoft about the customers.

 

[Andy Ful]

I checked my computers.
Three machines have updated to ver. 4.18.2008.8 with MpCampRing and MpEngineRing values = 2 or 3 (one machine had values = 2, other machines had these values = 3).

My wife's machine does not have these values at all and got the update at the beginning of August to ver. 4.18.2007.8 (the previous update was 4.18.2006.10 at the beginning of July).
It seems that stable ver. is still 4.18.2007.8 and this machine will probably update at the beginning of September.

Edit.
The information about the current stable version can be found as follows:

Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware - Microsoft Security Intelligence

For now, it is platform ver. 4.18.2007.8 and engine ver. 1.1.17400.5.
I suspect that the beta platform availability depends on the telemetry gathered about the customer.

 

[ForgottenSeer 85179]

I have the impression that this can be related to Windows telemetry settings or the telemetry that has been already gathered by Microsoft about the customers.

What are your settings?

 

[plat]

On Windows 10 2009 (19042.487):

Spoiler

 

[Andy Ful]

What are your settings?

I do not restrict the telemetry, so Application Experience, Customer Experience Improvement Program, and Windows Error Reporting scheduled tasks are enabled.
I turned off the privacy options:

 

[plat]

I do not restrict the telemetry

OK, great, that makes a lot of sense, Andy Ful. In order to participate in the Insiders program, one must have "optional" or Full telemetry enabled. I was wondering if there was a "latest" Platform version specific to 2009 and it seems that is NOT the case (rightfully so).

 

[Terry Ganzi]

What are you all talking about so is my update behind i'm confused. My pc is configured by me no app was used. I used Group Policy to configure my pc as always for yrs.