Microsoft Defender ATP for Linux 90 plus percent during full scan


Hi Team,


We are in the process of testing Microsoft Defender ATP for Linux and noted a high CPU spike from 4% to 90% at the start of the scan. I opened a ticket with Support and they confirmed there is no CPU throttle for MDATP for Linux. Support recommended scanning during non-peak times, but as you can see below I haven't put the Linux test server under load yet.

I'm wondering if anyone else has deployed MDATP for Linux and what environment or other changes you made so MDATP wouldn't take all the CPU?

Anyone else deployed MDATP for Linux and enabled full scans?


Scan off normal

[screenshot: roger_jr_0-1614728146981.png]

Full Scan at 0 sec 91% CPU

[screenshot: roger_jr_1-1614728205909.png]

Full Scan at 1 min 90% CPU

[screenshot: roger_jr_3-1614728341515.png]

Full Scan at 5 min 92% CPU with a 3 load

[screenshot: roger_jr_2-1614728240900.png]


Thanks Roger


4 Replies

We had a similar problem with CPU spikes crashing Oracle DB; there should be a way to throttle for unexpected issues.

Hi Roger,

Do you still have that issue?
What version of MDATP do you have? You can use:
mdatp health
to get it.

I recommend opening a ticket with TAC and they can engage Engineering for needed commands to RCA:

The load and CPU performance problems we encountered were caused by the mdatp_audisp_plugin when it ingests data from the audit logs.

There is a workaround to add exclusions so the mdatp_audisp_plugin stops ingesting data from the excluded applications. But you will need TAC guidance to properly put it in place.

The issue we saw was very inconsistent and only affected a handful of Linux servers. In our case we could have the same Linux servers running the same applications, and one would have the issue and the other wouldn't.

Per Microsoft they were looking at incorporating the fix on CY21Q4, but it might be CY22Q1.

101.29.64 also helped improve some unrelated Linux performance issues, but every issue is unique, and going to Microsoft TAC is your best course of action.

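As an added example (not code from this thread, from Roger, or from Microsoft), the following POSIX shell sampler records the CPU share of the Defender scanner daemon and, separately, of the audisp plugin named in the reply above, alongside the 1-minute load average, so that the numbers behind the screenshots in the original post can be attached to a TAC ticket as a CSV rather than as images. It assumes the process names wdavdaemon and mdatp_audisp_plugin (the latter as ps truncates it to 15 characters) and that `mdatp health --field app_version` reports the agent version; the ps output embedded in it is a constructed sample, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the thread or from Microsoft: sample the CPU share of
# the Defender for Endpoint on Linux scanner daemon and of the audisp plugin named in
# the thread, together with the 1-minute load average, during a full scan.
# Process names, the health field name and the CSV layout are this example's assumptions.

# Sum %CPU over processes whose command name matches an extended regex.
# Reads `ps -eo pcpu,comm --no-headers` style lines on stdin; prints one decimal place.
sum_cpu_for() {
    awk -v pat="$1" '$2 ~ pat { total += $1 } END { printf "%.1f\n", total + 0 }'
}

# Constructed sample of `ps -eo pcpu,comm --no-headers` output (not a real capture).
# ps truncates comm to 15 characters, so mdatp_audisp_plugin appears as mdatp_audisp_pl.
SAMPLE_PS='45.2 wdavdaemon
30.1 wdavdaemon
12.5 mdatp_audisp_pl
 0.3 sshd
 1.0 bash'

# Scanner CPU in the constructed sample (wdavdaemon processes only).
sample_scanner_cpu() {
    printf '%s\n' "$SAMPLE_PS" | sum_cpu_for '^wdavdaemon'
}

# Audisp plugin CPU in the constructed sample.
sample_audisp_cpu() {
    printf '%s\n' "$SAMPLE_PS" | sum_cpu_for '^mdatp_audisp'
}

# Agent version as the client reports it (assumes `mdatp health --field app_version`);
# falls back to "unknown" when the client is not installed.
mdatp_version() {
    mdatp health --field app_version 2>/dev/null || echo "unknown"
}

# Live sampler: every INTERVAL seconds append timestamp, load1, scanner CPU and
# audisp CPU to OUT. Both sums are taken from one ps snapshot so they are comparable.
# Usage: sample_live 5 60 /tmp/mdatp_cpu.csv   (5 s interval, 60 samples)
sample_live() {
    interval="${1:-5}"; count="${2:-12}"; out="${3:-mdatp_cpu_samples.csv}"
    echo "# mdatp version: $(mdatp_version)" > "$out"
    echo "timestamp,load1,scanner_cpu_pct,audisp_cpu_pct" >> "$out"
    i=0
    while [ "$i" -lt "$count" ]; do
        snapshot=$(ps -eo pcpu,comm --no-headers)
        load1=$(cut -d' ' -f1 /proc/loadavg)
        scanner=$(printf '%s\n' "$snapshot" | sum_cpu_for '^wdavdaemon')
        audisp=$(printf '%s\n' "$snapshot" | sum_cpu_for '^mdatp_audisp')
        echo "$(date +%s),$load1,$scanner,$audisp" >> "$out"
        i=$((i + 1))
        sleep "$interval"
    done
}
```

Run `sample_live 5 60 /tmp/mdatp_cpu.csv` in one terminal and start the full scan in another. Keeping the scanner and the audisp plugin in separate columns shows whether the load comes from the scan itself or from audit-log ingestion, which is the distinction the reply above draws, and gives Engineering a time series to correlate with their own diagnostics.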
Also we scheduled scans during non peak and non impacting hours of operations.