Microsoft Antimalware - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Error Code: 0x80004005.

Brett Duncan 1 Reputation point
2022-04-06T01:53:13.953+00:00

Hyper V servers running Windows 2012 R2 with latest Monthly patches.

Microsoft Antimalware On Access keeps failing and causes issues of severe slowness when trying to RDP to the server while the issue is present.

Log Name: System
Source: Microsoft Antimalware
Date: 6/04/2022 11:01:57 a.m.
Event ID: 3002
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: ****************
Description:
Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.
Feature: On Access
Error Code: 0x80004005
Error description: Unspecified error
Reason: The filter driver skipped scanning items and is in pass through mode. This may be due to low resource conditions.

Only way to fix this is to run psexec and apply full permissions to Admin for the AV Service and then Kill all threads which then restarts the engine and it comes back online.

Looking at Resources does not appear to be an issue as some are at 90% and others at 60%+ memory wise and no CPU issues.

Current AV details:
PS C:\Users\a-brettd> Get-MProtComputerStatus

AMEngineVersion : 1.1.19000.8
AMProductVersion : 4.10.209.0
AMServiceEnabled : True
AMServiceVersion : 4.10.209.0
AntispywareEnabled : True
AntispywareSignatureAge : 0
AntispywareSignatureLastUpdated : 6/04/2022 1:48:21 a.m.
AntispywareSignatureVersion : 1.361.1381.0
AntivirusEnabled : True
AntivirusSignatureAge : 0
AntivirusSignatureLastUpdated : 6/04/2022 1:48:22 a.m.
AntivirusSignatureVersion : 1.361.1381.0
BehaviorMonitorEnabled : True
ComputerID : 31B0DF91-DA31-19DF-A6E7-ED57D7273724
ComputerState : 0
FullScanAge : 4
FullScanEndTime : 2/04/2022 7:45:45 a.m.
FullScanStartTime : 2/04/2022 2:00:39 a.m.
IoavProtectionEnabled : True
LastFullScanSource : 2
LastQuickScanSource : 2
NISEnabled : True
NISEngineVersion : 2.1.14600.4
NISSignatureAge : 1
NISSignatureLastUpdated : 5/04/2022 12:45:08 p.m.
NISSignatureVersion : 119.0.0.0
OnAccessProtectionEnabled : False
QuickScanAge : 0
QuickScanEndTime : 6/04/2022 1:23:14 a.m.
QuickScanStartTime : 6/04/2022 1:01:30 a.m.
RealTimeProtectionEnabled : True
RealTimeScanDirection : 0
PSComputerName :

Server has been up for at least 20 days and does not happen after a restart.

If I had to pick a culprit I would possibly say it happens not long after it updates its defs.

Any help appreciated.

Windows for business | Windows Server | User experience | Other
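A check for the condition described in the question, as an added example that is not part of the original post: it counts Event ID 3002 records for the On Access feature in pass-through mode and flags the case where RealTimeProtectionEnabled is True but OnAccessProtectionEnabled is False. The function name Get-PassThroughFinding, the host name HV-SAMPLE and the sample objects are constructed for illustration; the event text and status values are the ones quoted in the post.

```powershell
# Added example (not from the thread). Get-PassThroughFinding is a hypothetical name.
function Get-PassThroughFinding {
    param(
        [object[]] $Events = @(),                   # records with Id, TimeCreated, Message
        [Parameter(Mandatory)] [object] $Status,    # e.g. output of Get-MProtComputerStatus
        [string] $ComputerName = $env:COMPUTERNAME
    )
    # Event ID 3002 covers any real-time protection failure; keep only the
    # On Access / pass-through variant quoted in the post.
    $hits = @($Events | Where-Object {
        $_.Id -eq 3002 -and
        $_.Message -match 'Feature:\s*On Access' -and
        $_.Message -match 'pass through mode'
    } | Sort-Object TimeCreated)

    $lastTime = $null
    $lastCode = $null
    if ($hits.Count -gt 0) {
        $lastTime = $hits[-1].TimeCreated
        if ($hits[-1].Message -match 'Error Code:\s*(0x[0-9A-Fa-f]+)') { $lastCode = $Matches[1] }
    }
    $rtp      = [bool]$Status.RealTimeProtectionEnabled
    $onAccess = [bool]$Status.OnAccessProtectionEnabled
    [pscustomobject]@{
        ComputerName    = $ComputerName
        PassThroughHits = $hits.Count
        LastHit         = $lastTime
        LastErrorCode   = $lastCode
        OnAccessEnabled = $onAccess
        # Real-time protection reported on while on-access scanning is off: files are not being scanned.
        StatusMismatch  = ($rtp -and -not $onAccess)
    }
}

# Constructed sample using the event text and status values quoted in the post.
$sampleMessage = @'
Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.
Feature: On Access
Error Code: 0x80004005
Reason: The filter driver skipped scanning items and is in pass through mode. This may be due to low resource conditions.
'@
$sampleEvent  = [pscustomobject]@{ Id = 3002; TimeCreated = [datetime]'2022-04-06T11:01:57'; Message = $sampleMessage }
$sampleStatus = [pscustomobject]@{ RealTimeProtectionEnabled = $true; OnAccessProtectionEnabled = $false }
Get-PassThroughFinding -Events $sampleEvent -Status $sampleStatus -ComputerName 'HV-SAMPLE'

# Live use on a host, assuming the Source shown in the post is the provider name:
# $ev = Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='Microsoft Antimalware'; Id=3002 } -ErrorAction SilentlyContinue
# Get-PassThroughFinding -Events @($ev) -Status (Get-MProtComputerStatus)
```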

3 answers

  1. Brett Duncan 1 Reputation point
    2022-04-06T20:15:44.017+00:00

    This is also happening on other Hyper V servers, 5 in total so far, so not a one-off.


  2. Brandon Harrington 1 Reputation point
    2022-04-11T01:33:15.043+00:00

    @Brett Duncan I think we experienced this same issue across an assortment of 2012 servers, but at this point I'm not sure if we can prove a direct causal relationship between the severe slowness and the MS Anti-malware Real-time protection alone, recent signature updates, some other applications, or a combination. Have you been able to definitively show it's the anti-malware causing the issue? And are you by chance also using either Commvault (snapshot or file system level) or Tripwire?


  3. Brett Duncan 1 Reputation point
    2022-04-11T01:44:03.38+00:00

    It is most definitely because the AV realtime is not running that the RDP session is slow. You cannot start the realtime without killing the AV Engine using PsExec and Process Explorer. Once this is done the RDP session returns to normal operational speeds and Realtime starts up again. Backups are done via Arcserve agent based.