Forum Discussion
roger_jr
Mar 02, 2021, Copper Contributor
Microsoft Defender ATP for Linux 90 plus percent during full scan
Hi Team, we are in the process of testing Microsoft Defender ATP for Linux and noted a high CPU spike from 4% to 90% at the start of the scan. I opened a ticket with Support and they confirmed thei...
roger_jr
Copper Contributor
I recommend opening a ticket with TAC and they can engage Engineering for needed commands to RCA:
The load and CPU performance problems we encountered were caused by the mdatp_audisp_plugin when it ingests data from the audit logs.
There is a workaround to add exclusions so the mdatp_audisp_plugin stops ingesting data from the excluded applications. But you will need TAC guidance to properly put it in place.
This issue we saw was very inconsistent and only affected a handful of Linux servers. In our case we could have the same Linux servers running the same applications, and one would have the issue and the other wouldn't.
Per Microsoft they were looking at incorporating the fix on CY21Q4, but it might be CY22Q1.
101.29.64 also helps improve some unrelated Linux performance issues, but every issue is unique, and going to Microsoft TAC is your best course of action.
roger_jr
Aug 26, 2021, Copper Contributor
Also, we scheduled scans during non-peak, non-impacting hours of operation.