Microsoft Tech Community

Linux Defender update using a lot of memory, up to exhaustion?


Has anyone noticed that the latest Linux Defender update has been using a lot of memory and causing high CPU?

Thanks Roger.

5 Replies

We're facing the same issue, mainly memory issues. Servers are allocating more and more RAM and will not free it, causing the OOM killer to kill business app processes. A case had already been opened in the past because we saw RAM allocation slightly increasing over time (for example, within 3 months from 800MB to 3GB) without freeing RAM; however, after installing the last upgrade it increased much faster (within days). On one server (LDAP) we saw an increase by a factor of 10, from 1600MB to 16GB, within a few days.
CPU issues, mainly caused by the audisp_plugin process, seemed to be resolved by adding auditd exclusions for specific processes that had been identified as top initiators via the XMDEClientAnalyzer log collector.
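As an added defender-side check (not code from this thread or from Microsoft), a small shell monitor that samples the resident memory of the agent daemon at intervals and flags growth of the kind described above before the OOM killer steps in. The daemon name wdavdaemon, the sampling interval and the growth threshold are assumptions to adjust for your deployment.

```shell
#!/bin/sh
# Added example: watch the RSS of a named daemon and alert on sustained growth.
# PROC_NAME, INTERVAL and GROWTH_LIMIT are assumptions; override via environment.
PROC_NAME="${PROC_NAME:-wdavdaemon}"   # assumed Defender for Linux daemon name
INTERVAL="${INTERVAL:-300}"            # seconds between samples
GROWTH_LIMIT="${GROWTH_LIMIT:-2}"      # alert once RSS >= GROWTH_LIMIT x baseline

# Summed resident set size in KiB of every process with the given name (0 if none).
rss_kb_of() {
    ps -o rss= -C "$1" 2>/dev/null | awk '{s+=$1} END {print s+0}'
}

# growth_alert BASELINE_KB CURRENT_KB LIMIT -> prints 1 when CURRENT >= BASELINE*LIMIT, else 0.
# A zero baseline never alerts, so a missing process does not trip the check.
growth_alert() {
    awk -v f="$1" -v c="$2" -v l="$3" 'BEGIN { print (f > 0 && c >= f*l) ? 1 : 0 }'
}

# fmt_sample CURRENT_KB BASELINE_KB -> "NNN MiB (xR.RR of baseline)"
fmt_sample() {
    awk -v kb="$1" -v f="$2" \
        'BEGIN { printf "%.0f MiB (x%.2f of baseline)\n", kb/1024, (f > 0 ? kb/f : 0) }'
}

# Sample until the growth threshold is crossed; returns 2 on alert, 1 if no process.
monitor() {
    first=$(rss_kb_of "$PROC_NAME")
    [ "$first" -gt 0 ] || { echo "no process named $PROC_NAME" >&2; return 1; }
    while :; do
        cur=$(rss_kb_of "$PROC_NAME")
        echo "$(date '+%F %T') $PROC_NAME rss=$(fmt_sample "$cur" "$first")"
        if [ "$(growth_alert "$first" "$cur" "$GROWTH_LIMIT")" = 1 ]; then
            echo "ALERT: $PROC_NAME RSS reached ${GROWTH_LIMIT}x baseline; investigate before OOM" >&2
            return 2
        fi
        sleep "$INTERVAL"
    done
}

# Start the loop only when MONITOR_RUN=1, so the functions can also be sourced.
if [ "${MONITOR_RUN:-0}" = 1 ]; then
    monitor
fi
```

Run with `MONITOR_RUN=1 sh monitor.sh` under a supervisor or cron wrapper; the alert line on stderr is what you forward to your monitoring.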

@aldema1000 
Thanks for sharing. We opened a ticket with support, but we needed to restart all our Linux agents.

I did find this link on Reddit, and someone from Azure Support stated they opened a defect. But I'm waiting for confirmation from Support. https://www.reddit.com/r/DefenderATP/comments/thb0pq/memory_consumption_in_mdatp_service_for_linux/

@roger_jr 

We've also restarted the Defender services, but the issue came back immediately (memory increased and 3 days later the OOM killer killed processes again). Is it stable now on your side?

@aldema1000 

Our Linux Team reverted to an older version:

"I reverted the agent on one server from 101.58.80-1 back to 101.56.62-1 yesterday and we have not seen the memory issue on that server since. It appears to be an issue specific to 101.58.80-1."
Still waiting for a Microsoft Support Engineer to engage for our case.

M - TAC recommended upgrading to 101.62.74 to resolve the memory/CPU issue. Basically, the high CPU was a result of memory swapping caused by the memory exhaustion/leak. Our Linux Team updated to prod version 101.62.74, and it has been running in production for about a week without any memory exhaustion/leaks.

**Note to Microsoft: it would be helpful to add details to the release notes about which bugs were fixed and their noted effects. It is pretty common industry practice to include the details of bug and performance fixes.**

Thanks Roger.