Microsoft Tech Community

LpacSenseNdr Rule is added to Firewall - what is it


Hi everyone,


We changed the interface on our Fortigate firewall to "LAN", allowing device discovery.

Soon after that, people got disconnects (20s) during Teams calls.


As I could not find it in the "Known issues" at Fortinet, I got the logs from the affected clients and had a look into them, finding this entry when the disconnect happens.


A rule has been added to the Windows Defender Firewall exception list.

Added Rule:
Rule ID: {60B34583-9BAF-4826-8215-77DBE05FA33F}
Rule Name: LpacSenseNdr
Origin: Local
Active: Yes
Direction: Inbound
Profiles: Private,Domain, Public
Action: Block
Application Path:
Service Name:
Protocol: Any
Security Options: None
Edge Traversal: None
Modifying User: NT SERVICE\mpssvc
Modifying Application: C:\Windows\System32\svchost.exe


I could not find anything on the internet, so hello Ninjas ;)

What is this rule all about? So I can rule that out ;) After we changed the interface back to "unspecified" with no inspection, everything went back to normal.


BR

Stephan

6 Replies

Just wanted to chime in -- we're seeing the same issue, but in our case it does interfere with the Cloudflare WARP client. We have CrowdStrike Falcon installed on our endpoints, so Defender is supposed to run in passive mode, but it appears that something was changed about mid-April that made Defender not as passive as we'd like it to be.

No one got an answer to this? It should be a documented feature :)
Just to add some hints: I currently have difficulties connecting to Teams calls. It takes 30+ seconds to get in. I get this message more than 20 times per second in my security log, throughout the day.

A change was made to the Windows Firewall exception list. A rule was added.

Profile Changed: All

Added Rule:
Rule ID: {[changes]}
Rule Name: LpacSenseNdr
I started seeing an abundance of changes to the registry on my 2019 DCs, adding and removing the rule (about 300 times per day).

Removed {67574222-4E52-4ACB-B4E4-9DE6BCA4EADE} (REG_SZ): "v2.29|Action=Block|Active=TRUE|Dir=Out|Name=LpacSenseNdr|Desc=LpacSenseNdr|LUOwn=S-1-5-18|AppPkgId=S-1-15-2-157618707-224758843-3162413466-2249835351-834486866-1672254014-2610752905|EmbedCtxt=LpacSenseNdr

Added {D16C0F23-D585-412A-B453-3E1EDE07FAB4} (REG_SZ): "v2.29|Action=Block|Active=TRUE|Dir=In|Name=LpacSenseNdr|Desc=LpacSenseNdr|LUOwn=S-1-5-18|AppPkgId=S-1-15-2-157618707-224758843-3162413466-2249835351-834486866-1672254014-2610752905|EmbedCtxt=LpacSenseNdr|"
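The registry strings quoted above follow the pipe-delimited `v2.29|Key=Value|...` layout that Windows uses for persisted firewall rules. The following is an added example (not code from the thread or from Microsoft) that parses that layout, flags rules with the same shape as the LpacSenseNdr entries (Block action, AppContainer package SID, owned by LocalSystem) and counts add/remove churn per rule name; the change list is constructed from the two values posted above plus made-up entries, and the rule-string format is assumed from those two values only.

```python
import re
from collections import Counter

APP_CONTAINER_SID_PREFIX = "S-1-15-2-"  # authority used for AppContainer package SIDs
LOCAL_SYSTEM_SID = "S-1-5-18"

# AppPkgId taken from the rule strings quoted in the thread.
LPAC_PKG = "S-1-15-2-157618707-224758843-3162413466-2249835351-834486866-1672254014-2610752905"

# Constructed change list in the shape (op, value name GUID, value data) the poster showed.
# The first two entries are the thread's own values; the rest are constructed for contrast.
SAMPLE_CHANGES = [
    ("Removed", "{67574222-4E52-4ACB-B4E4-9DE6BCA4EADE}",
     f'"v2.29|Action=Block|Active=TRUE|Dir=Out|Name=LpacSenseNdr|Desc=LpacSenseNdr|LUOwn=S-1-5-18|AppPkgId={LPAC_PKG}|EmbedCtxt=LpacSenseNdr'),
    ("Added", "{D16C0F23-D585-412A-B453-3E1EDE07FAB4}",
     f'"v2.29|Action=Block|Active=TRUE|Dir=In|Name=LpacSenseNdr|Desc=LpacSenseNdr|LUOwn=S-1-5-18|AppPkgId={LPAC_PKG}|EmbedCtxt=LpacSenseNdr|"'),
    ("Added", "{00000000-0000-0000-0000-0000000000AA}",  # placeholder GUID
     f"v2.29|Action=Block|Active=TRUE|Dir=Out|Name=LpacSenseNdr|LUOwn=S-1-5-18|AppPkgId={LPAC_PKG}|"),
    ("Added", "{00000000-0000-0000-0000-0000000000BB}",  # placeholder GUID, ordinary allow rule
     "v2.29|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=8080|Name=ExampleApp|"),
]


def parse_rule(value: str) -> dict:
    """Parse one FirewallRules value string into a dict.
    The first field is the schema version; every later field is Key=Value.
    Surrounding quotes (present or half-present in the quoted output) and the
    empty field left by a trailing '|' are dropped."""
    fields = [f for f in value.strip('"').split("|") if f]
    if not fields or not re.fullmatch(r"v\d+\.\d+", fields[0]):
        raise ValueError(f"unexpected rule format: {value[:40]!r}")
    rule = {"Version": fields[0]}
    for field in fields[1:]:
        key, sep, val = field.partition("=")
        if not sep:
            raise ValueError(f"malformed field {field!r}")
        rule[key] = val
    return rule


def is_lpac_block_rule(rule: dict) -> bool:
    """True for a Block rule scoped to an AppContainer package SID and owned by
    LocalSystem, which is the shape of the LpacSenseNdr rules in the thread."""
    return (rule.get("Action") == "Block"
            and rule.get("AppPkgId", "").startswith(APP_CONTAINER_SID_PREFIX)
            and rule.get("LUOwn") == LOCAL_SYSTEM_SID)


def churn_by_rule(changes, threshold: int) -> dict:
    """Count Added/Removed operations per rule name; 'noisy' marks names whose
    total change count reaches the threshold (e.g. the 300/day seen on the DCs)."""
    counts: dict = {}
    for op, _guid, value in changes:
        name = parse_rule(value).get("Name", "<unnamed>")
        counts.setdefault(name, Counter())[op] += 1
    return {name: {"Added": c["Added"], "Removed": c["Removed"],
                   "noisy": c["Added"] + c["Removed"] >= threshold}
            for name, c in counts.items()}
```

On a live host the same parser can be fed the values under the FirewallRules key (assumed path: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules) to separate the transient LpacSenseNdr entries from the rules you actually manage.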

FWIW, I haven't found this on any of my or my employer's machines.


A bit of speculation: 'LPAC' in some quarters means low privilege app container, and SenseNDR is the main network inspection process for MDE. It would make sense to want to prevent network connections to a container for SenseNDR. Maybe you have some setting that compels some extra security on SenseNDR? I can't imagine what that might be. Nor does that really explain what the link is with Teams and the other issues described.

I'm experiencing the same on one of my test machines, and when it happens (rules added) I'm unable to go on the internet. Shortly after, the same rules get deleted and everything's back to normal.