Forum Discussion
Process exclusions not working for MSSense.exe
I have an issue where builds often fail due to sharing violations caused by defender.
The sequence is:
- link.exe (MS VC++) creates the exe file being built
- MsSense.exe opens the exe file just built for scanning
- mt.exe (MS VC++ manifest tool) is executed to embed a manifest in the exe being built
- mt.exe fails to open the exe file due to a sharing violation.
I've confirmed with procmon that MsSense.exe is opening this exe file in between our link and manifest steps and causes the sharing violation.
I've tried adding process exclusions for link.exe and mt.exe with no change to the result. Also tried adding folder exclusions for the directory containing the source tree, also no help.
It appears that MsSense.exe is part of Advanced Threat Protection and that Defender exclusions do not apply to that. I've searched high and low for how to fix this problem with no luck.
Looking for ideas/pointers on how to add exceptions to ATP .
- dappleby300260Copper Contributor
pbarnz When i raised a support case on this only the product team can add exclusions for ATP. Its done for the whole tenant too and it took weeks before they finally added it.
Apparently there is update coming where we can add them ourselves but its still in preview (or so the engineer told me).
- XaviFCBCopper ContributorSame issue here. Our nightly builds are failing almost every day apparently for the same reason. In our case, it seems to fail randomly at different modules each day. Process Monitor also shows MsSense and from time to time MsMpEng accessing and locking some of the generated files.
- MichielJaspersCopper Contributor
We're facing the same issue in our company. We're seeing it more often on slower machines.
A colleague suggested to use MT_EXECUTE_DELAY=1000 environment variable.
- Vinod7Brass ContributorWhere should we set it? We also hvae the same issue
- C00kieMonsterBrass ContributorHow are you setting your process exclusions?
I know in our case (using group policy) it turned out it was very picky about how we had the exclusions written.
You set the name to the full path to the executable you want to exclude, and then you set the data to "0". (we had no luck just using the executable by itself)
So when all is said and done, what populates into registry are REG_SZ keys where the name is the full path, and the data value shows 0. Been working for us for many months now.- pbarnzCopper ContributorSetting with just the exe file name, e.g. mt.exe. Part of the problem is this is all managed centrally by our IT and for a global/shared profile, it would be problematic to specify full paths. But they did put me in "troubleshooting mode" where I could add exceptions locally for a while, and adding the full paths made no difference. It appears that Advanced Threat Protection does not use these exclusions, it is managed separately.