Automated investigation - Get Process List action pending / time out

Brass Contributor

Hi all

 

We have recently deployed Windows Defender ATP and have been on boarding machines successfully and carrying out various test without issues. 

 

In the last couple of weeks Defender ATP has alerted and kicked of an automatic investigation following Windows Defender AV detecting and blocking 2 instances of malware. Both investigations completed with the exception of the Get Process List Action which attempts to run for a long period and then changes status to:  Queued - The action is waiting to be executed on the machine with the following error: Waiting for SenseIR Activation

 

All other actions in the investigation complete as expected, in the machine event log I can see the action being kicked off, but nothing else related to the action, and no other errors: Starting action GetProcessListAction. Action ID: iaid_270_get_process_list__6_1552

 

Has anyone else seen this or have any idea of why the action seems to be blocked?

 

Update: the action times out and the investigation is only partially completed with the following output:

2019-03-14 09_07_11-Automated Investigation graph - Windows Defender ATP.png2019-03-14 09_07_46-Automated Investigation log - Windows Defender ATP.png

 

 

4 Replies

@Adrian Harper have you solved this issue? We have the same problem!

@Davide Salsi - Unfortunately not despite a post here, a bug report to the development team (on the advice of MS employees at a tech event), direct support request etc.

@Adrian Harper 

 

Regarding the issue you are having:

This was fixed in 1903 and later OS Builds 18362.997 and 18363.997) - https://support.microsoft.com/en-us/help/4559004

Fixed for 1809 (OS Build 17763.1369)  - https://support.microsoft.com/en-us/help/4559003

This was fixed in 1903 and later OS Builds 18362.997 and 18363.997) - https://support.microsoft.com/en-us/help/4559004

Fixed for 1809 (OS Build 17763.1369) - https://support.microsoft.com/en-us/help/4559003