Critical Risk | Windows | Legitimate | Commonly Abused
MsMpEng.exe (Security Software)

MsMpEng.exe - Windows Defender Antimalware Engine Security Analysis

MsMpEng.exe is the **Windows Defender Antimalware Service Executable**, the core engine of Windows Security. It runs with **SYSTEM privileges** and is a **high-value target** for attackers. Attackers attempt to **disable, bypass, or exploit** Defender. Any tampering with MsMpEng.exe indicates sophisticated attack activity.

Risk Summary

CRITICAL priority for SOC triage. MsMpEng.exe is Windows Defender's core process. Monitor for attempts to terminate, disable, or modify this process. Its absence or unexpected behavior indicates security compromise or advanced malware.

Overview

What is MsMpEng.exe?

MsMpEng.exe is the Windows Defender Antimalware Service Executable.

Core Functions

Threat Detection:

  • Real-time file scanning
  • Behavior monitoring
  • Cloud-based protection
  • Exploit protection

Security Significance

  • Critical Security: Primary Windows defense
  • SYSTEM Privileges: High-value target
  • Protected Process: PPL protection
  • Attack Target: Malware attempts to disable

Normal Behavior

Expected Process State

Property     Expected Value
Path:        C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe
Parent:      services.exe
User:        NT AUTHORITY\SYSTEM
Protection:  Protected Process Light (PPL)
Network:     Microsoft cloud endpoints

Process Hierarchy

services.exe
└── MsMpEng.exe (Windows Defender)
    └── MpCmdRun.exe (CLI operations)

Common Locations

  • C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe
  • C:\Program Files\Windows Defender\MsMpEng.exe

Suspicious Indicators

Legitimate vs Suspicious

LEGITIMATE

Path:        C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe
Parent:      services.exe
User:        NT AUTHORITY\SYSTEM
Status:      Running continuously

SUSPICIOUS

Path:        C:\Windows\MsMpEng.exe (wrong location)
             C:\Temp\MsMpEng.exe
Status:      Not running
Behavior:    Terminated unexpectedly
             Modified or replaced

Warning Signs

Indicator                  Meaning
MsMpEng.exe not running    Defender disabled/killed
Wrong path                 Masquerading malware
Terminated by process      Attack in progress
Modified binary            Rootkit/tampering

Abuse Techniques

Attack Techniques

Technique #1: Service Termination (T1562.001)

Disable via Registry:

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1

Disable via PowerShell:

Set-MpPreference -DisableRealtimeMonitoring $true

Technique #2: Process Termination (T1489)

taskkill /f /im MsMpEng.exe
:: Usually blocked by PPL

Technique #3: Exclusion Abuse (T1562.001)

Add-MpPreference -ExclusionPath "C:\malware"
Add-MpPreference -ExclusionProcess "malware.exe"

Technique #4: CVE Exploitation

Historical Defender vulnerabilities:

  • CVE-2021-1647: RCE in mpengine.dll
  • CVE-2017-0290: RCE via malformed file

Remediation Steps

Protection and Remediation

Defense: Tamper Protection

Enable Tamper Protection in Windows Security.

Defense: Monitor Defender Status

$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning "Defender Real-Time Protection DISABLED!"
}

If Compromise Suspected

  1. Verify Defender status immediately
  2. Check for added exclusions
  3. Review Defender registry settings
  4. Check for tampering with binaries
  5. Re-enable if disabled
  6. Run full scan

Investigation Checklist

  • Verify MsMpEng.exe is running
  • Check process path is legitimate
  • Verify parent is services.exe
  • Review Defender exclusions
  • Check registry for disable flags
  • Review Defender event logs
  • Check Tamper Protection status
  • Verify binary signature
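The checklist above as a single PowerShell triage function, added here as an example rather than code from the original page. It assumes a Windows 10/11 host with the Defender PowerShell module, an elevated session, and the event IDs 5001/5010/5012/5013 from the Defender operational log; the path, parent and registry key are the ones listed on this page.

```powershell
# Added example: one-shot Defender triage covering the investigation checklist.
# Assumes Windows 10/11 with the Defender module; run from an elevated session.
$ExpectedPath   = 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
$ExpectedParent = 'services.exe'
$PolicyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

function Invoke-DefenderTriage {
    $findings = [System.Collections.Generic.List[string]]::new()
    # 1. Is MsMpEng.exe running, from the expected path, under services.exe?
    $proc = Get-CimInstance Win32_Process -Filter "Name='MsMpEng.exe'"
    if (-not $proc) {
        $findings.Add('MsMpEng.exe is NOT running (Defender disabled or killed)')
    } else {
        foreach ($p in $proc) {
            if ($p.ExecutablePath -notlike "$ExpectedPath*") {
                $findings.Add("Unexpected path: $($p.ExecutablePath) (possible masquerading)")
            }
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
            if ($parent.Name -ne $ExpectedParent) {
                $findings.Add("Unexpected parent: $($parent.Name) (expected $ExpectedParent)")
            }
            # The binary must carry a valid Microsoft Authenticode signature
            $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $findings.Add("Signature check failed: $($sig.Status) (possible tampering)")
            }
        }
    }
    # 2. Real-time protection and Tamper Protection state
    $status = Get-MpComputerStatus
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection DISABLED') }
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper Protection is OFF') }
    # 3. Exclusions (Technique #3): every entry deserves review
    $pref = Get-MpPreference
    foreach ($e in @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)) {
        if ($e) { $findings.Add("Exclusion present: $e") }
    }
    # 4. Registry disable flag (Technique #1)
    $pol = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($pol.DisableAntiSpyware -eq 1) { $findings.Add("DisableAntiSpyware=1 under $PolicyKey") }
    # 5. Defender log: 5001/5010/5012 = protection disabled, 5013 = tamper attempt blocked
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001,5010,5012,5013 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $findings.Add("Event $($ev.Id) at $($ev.TimeCreated): $($ev.Message.Split("`n")[0])")
    }
    return $findings
}

Invoke-DefenderTriage | ForEach-Object { Write-Warning $_ }
```

An empty result means every checklist item passed; each warning line maps back to one row of the Warning Signs table above.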

MITRE ATT&CK Techniques

Last verified: January 18, 2026