MoMo1980
Copper Contributor
Aug 22, 2023
Solved

Defender for Endpoint (mssense.exe) locking files and causing issues

Hi,

We have encountered an issue with one of our applications whereby every time the application downloads a file from the application server, mssense.exe creates an RWD lock on the file very briefly but long enough to cause the application to throw an error when trying to access the file.

This has been confirmed by observing procmon data and the output from Sysinternals handles.exe.

Considering that this doesn't exactly trigger an alert in Defender for Endpoint, how would I go about preventing the scanning of this application's directory?

Thank you


9 Replies

  • MoMo1980
    Copper Contributor

    The issue has been resolved. In the end, it wasn't the file locks or anything to do with Defender. It was an issue with the application. Got it working without needing to change anything in Defender.

    Thanks for all the help regardless.

  • MDEUser
    Copper Contributor
    MS Support ticket. They manage EDR Exclusions, but recently have enabled EDR Exclusions in your tenant if you ask nicely 🙂

    I know all too well the pains of locked files from MsSense. Adding the paths from procmon is what resolved it for us.
  • jbmartin6
    Iron Contributor
    MSSense is the primary process for the functions of MDE outside of antimalware scanning. It isn't surprising that it might look at new files on the system; it is gathering information on the files, like hash, digital signatures, etc. As far as I know, there is no exclusion that applies to this functionality, though I did see in a posting about this issue from a few years ago that Microsoft support has the ability to create exclusions for this. I say try opening a case.
    • MDEUser
      Copper Contributor
      No, this is unrelated to AIR. EDR Exclusions are needed.
    • scotttaketani
      Copper Contributor
      I am also receiving a similar issue with our build process. Adding the folder that is used for the build to the exclusions didn't stop mssense.exe from accessing them. I can see that mssense.exe is still accessing files under the excluded directory using resource monitor.
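
The original post confirms the lock from procmon data. As an added example (not code from this thread or from Microsoft), the check below makes that confirmation repeatable over a Procmon CSV export: for every SHARING VIOLATION another process receives, it reports whether mssense.exe had a handle open on that path at that moment. The sample rows, `app.exe` and the `C:\AppData\in` paths are constructed, and a 12-hour "Time of Day" format is assumed.

```python
import csv
import io
from datetime import datetime

# Constructed sample in Procmon's CSV export layout (not real trace data).
# For a real export: open(path, encoding="utf-8-sig").read() tolerates a BOM.
SAMPLE = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:32.1000000 AM","app.exe","4120","WriteFile","C:\AppData\in\a.dat","SUCCESS",""
"10:15:32.1040000 AM","MsSense.exe","2308","CreateFile","C:\AppData\in\a.dat","SUCCESS",""
"10:15:32.1100000 AM","app.exe","4120","CreateFile","C:\AppData\in\a.dat","SHARING VIOLATION",""
"10:15:32.1150000 AM","MsSense.exe","2308","CloseFile","C:\AppData\in\a.dat","SUCCESS",""
"10:15:40.2000000 AM","app.exe","4120","CreateFile","C:\AppData\in\b.dat","SHARING VIOLATION",""
""".strip()

def parse_time(text):
    # Procmon prints 7 fractional digits; strptime's %f accepts at most 6.
    clock, ampm = text.split(" ")
    head, frac = clock.split(".")
    return datetime.strptime(f"{head}.{frac[:6]} {ampm}", "%I:%M:%S.%f %p")

def attribute_violations(csv_text, sensor="mssense.exe"):
    """Return one dict per SHARING VIOLATION hit by a non-sensor process,
    noting whether the sensor had the path open and for how long."""
    open_since = {}  # lowercased path -> time of the sensor's earliest open
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        proc = row["Process Name"].lower()
        path = row["Path"].lower()
        when = parse_time(row["Time of Day"])
        op, result = row["Operation"], row["Result"]
        if proc == sensor:
            if op == "CreateFile" and result == "SUCCESS":
                open_since.setdefault(path, when)
            elif op == "CloseFile":  # simplification: one close clears the path
                open_since.pop(path, None)
        elif result == "SHARING VIOLATION":
            opened = open_since.get(path)
            held = None if opened is None else (when - opened).total_seconds()
            findings.append({
                "process": row["Process Name"],
                "path": row["Path"],
                "sensor_open": opened is not None,
                "held_ms": None if held is None else round(held * 1000, 1),
            })
    return findings

if __name__ == "__main__":
    for finding in attribute_violations(SAMPLE):
        print(finding)
```

A finding with `sensor_open` false means the sensor opened no handle on that path within the trace, so the conflicting handle belongs to some other process.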
