Microsoft Defender ATP for Linux 90 plus percent during full scan


Hi Team,

We are in the process of testing Microsoft Defender ATP for Linux and noted a high CPU spike from 4% to 90% at the start of the scan. I opened a ticket with Support and they confirmed there is no CPU throttle for MDATP for Linux. Support recommended scanning during non-peak times, but as you can see below I haven't put the Linux test server under load yet.

I'm wondering if anyone else has deployed MDATP for Linux and what environment or other changes you made so MDATP wouldn't take all the CPU?

Has anyone else deployed MDATP for Linux and enabled full scans?

Scan off normal

Full Scan at 0 Sec 91% cpu

Full Scan at 1 MIN 90% cpu

Full Scan at 5 min 92 % cpu with a 3 load

Thanks Roger

1 Reply
We had a similar problem with CPU spikes crashing Oracle DB; there should be a way to throttle for unexpected issues.