Forum Discussion
LucaCavana
Jan 31, 2022 | Iron Contributor
Microsoft Defender for Endpoint freeze Windows Server 2012 R2
Hello, We onboarded several Windows Server 2012 R2 VM and physical servers on to Microsoft Defender for Endpoint using the new onboarding package by following this doc "https://docs.microsoft.com/en-...
LucaCavana
Iron Contributor
Hello Paul,
thank you for the reply and acknowledgment that this isn't a known issue as I was unable to find any hint on the internet.
We are already working with the support, I'll keep this post updated.
paolotela
Feb 17, 2022 | Copper Contributor
Hi Luca,
we are experiencing the same issue on our virtual environment. We have "3 minutes freezes" on Windows 2012 R2 servers, both while working via RDP on these servers or using applications installed on them. Freezes are random and there's no "standard" procedure to reproduce them. Disabling MDE Real Time Protection on the servers is of great help; the freezes issue disappears. We also opened a ticket to Microsoft and we are replying to their questions. We did many MDE Client Analyzer tool runs and we sent the data collected to them. I would like to share with you our knowledge. I'm looking forward to your reply. BR. Paolo
LucaCavana
Feb 17, 2022 | Iron Contributor
Hi Paolo,
we opened a ticket for our customer and the cause of our freeze was due to the SecureWorks Red Cloak agent. The agent was installed some time ago and never manifested this behavior until MDE was installed on the servers.
If you uninstall Red Cloak or stop the real time protection of Defender for Endpoint, the freezes stop.
This has been determined after sending the VM RAM to Microsoft, actually the first thing we did when our customer notified us.
I suggest you do not reboot a frozen VM but instead collect its RAM and pass it through WinDBG or hand it over to Microsoft. It contains valuable information.
paolotela
Feb 17, 2022 | Copper Contributor
Hi Luca,
thank you very much for your suggestion! We are in the middle of a transition phase between two antivirus products, Cylance Protect (former one) and MDE (new one). They both are running on many servers. Maybe there is a correlation/interference and maybe the storage behaviour comes from this. We will do the RAM collection and I'll let you know.
Paul_Huijbregts
Feb 17, 2022 | Microsoft
Hi Luca and Paolo, I think it's very important here to point out that running any security solution alongside another requires some consideration around interaction, identifying and then configuring the required exclusions or running mode.
The recommendation is firstly to avoid 2 active AV solutions (like Defender AV+Cylance) as they would both be in the real-time blocking path. Recommend running in Defender Antivirus passive mode until such time Cylance is uninstalled, unless the intent is to maintain Cylance as the AV (but we recommend running our full stack, see https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#how-microsoft-defender-antivirus-affects-defender-for-endpoint-functionality to learn about affected functionality).
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/switch-to-mde-phase-3?view=o365-worldwide has a lot of good information on how to switch over, including using passive mode. Paolo, I suggest investigating this approach for your scenario before opening a support case.
Then, if the other security solution is not in the blocking path (like AV), please consult the tool's documentation for suggested AV exclusions. If there are none, the performance analyzer tool (note this is not the connectivity analyzer tool) can help with identification: https://docs.microsoft.com/en-us/security/defender-endpoint/tune-performance-defender-antivirus
Turning off Defender Antivirus altogether in the context of (being onboarded to) Microsoft Defender for Endpoint is not recommended for production; either apply the right exclusions in case of interaction with non-AV, else consider passive mode to coexist with non-Microsoft antimalware solutions.
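The following PowerShell is an added example and is not code from any participant in this thread or from Microsoft; it shows the three checks Paul's reply describes on one server: confirm which mode Defender Antivirus is running in, switch it to passive mode while a non-Microsoft AV is still installed, and record a Defender performance trace to identify what should be excluded when the other agent is not an AV. The cmdlets and the ForceDefenderPassiveMode registry value are documented by Microsoft for servers onboarded to Defender for Endpoint; the trace path, the recording length and the availability of the performance cmdlets on a Windows Server 2012 R2 host running the unified agent are assumptions.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session on the affected server.

# 1. Which mode is Microsoft Defender Antivirus in right now?
#    AMRunningMode is "Normal" when Defender is the active AV and "Passive Mode" when
#    another AV product is in the real-time blocking path.
$status = Get-MpComputerStatus
"AMRunningMode             : $($status.AMRunningMode)"
"RealTimeProtectionEnabled : $($status.RealTimeProtectionEnabled)"

# 2. Two active AV engines (e.g. Cylance + Defender AV) both sit in the blocking path.
#    While the old AV is still installed, force Defender AV into passive mode instead of
#    turning it off. Documented policy value:
#    HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
#    ForceDefenderPassiveMode (DWORD) = 1
$mdePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
if (-not (Test-Path $mdePolicy)) {
    New-Item -Path $mdePolicy -Force | Out-Null
}
Set-ItemProperty -Path $mdePolicy -Name 'ForceDefenderPassiveMode' -Value 1 -Type DWord
# After the non-Microsoft AV has been uninstalled, set the value back to 0 so Defender AV
# returns to active mode and the full MDE stack is in effect again.

# 3. If the other agent is NOT an AV (an EDR-style agent such as the one Luca describes),
#    keep Defender AV active and capture a performance recording while the slowdown
#    reproduces. Path and duration below are assumed sample values.
$trace = 'C:\Temp\DefenderPerf.etl'                 # assumed location for the recording
New-MpPerformanceRecording -RecordTo $trace -Seconds 300

# Rank the most expensive scans so any exclusions target measured hot spots
# (specific files, processes or extensions) rather than broad guesses.
Get-MpPerformanceReport -Path $trace -TopScans 10 -TopFiles 10 -TopProcesses 10 -TopExtensions 10
```

Step 2 and step 3 are alternatives, not a sequence: use passive mode only for the window in which a second antivirus engine is installed, and use the performance report to derive narrow exclusions when the coexisting product is not an antivirus. Re-run `Get-MpComputerStatus` after each change to confirm the mode actually took effect before judging whether the freezes are gone.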