jbmartin6
Iron Contributor
Nov 16, 2022

SenseNDR.exe consistently using 10-20% of CPU

We've deployed MDE to a subset of our workstations, and found that SenseNDR.exe consistently uses 10-20% of CPU even on idle machines. Does anyone know what role SenseNDR plays within MDE and why it needs all this CPU? We aren't going to be able to deploy MDE across the rest of our enterprise with this big a CPU hit.

I dug around for a while, and it seems that SenseNDR is involved in device discovery, though if it serves other functions I can't say. Is it possible to fully disable Device Discovery since we have no use for it? 

  • jbmartin6
    Iron Contributor
    We were able to reduce it somewhat by globally disabling device discovery.
  • SamsonAzure
    Copper Contributor

    jbmartin6 

    In Task Manager, I identified that the Sense NDR module process (Windows Defender Advanced Threat Protection - Sense NDR Module) was taking high CPU. I right-clicked the task, went to affinity, unchecked all the selected CPUs and allocated only 1 CPU; that resolved the high CPU utilization issue.

    • jbmartin6
      Iron Contributor
      That would work until the next reboot, and doesn't scale at all across thousands of users. Is there a way to enforce affinity across reboots via GPO?
    • jbmartin6
      Iron Contributor
      Not totally. We did reduce it quite a bit by turning off device discovery, but otherwise I think it has to be accepted as part of the tool. Judging from SenseNDR's command line, this is where MS incorporated Zeek IDS functionality, so a lot of the traffic inspection and tagging relies on this process, such as detecting named pipes and LDAP queries.
