SOLVED

Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

After updating servers this month, the 2012 R2 servers that have the ATP modern unified solution agent are seeing a massive increase in disk and CPU activity. Process Monitor revealed that MsSense.exe is aggressively scanning the C:\Windows\System32\catroot directory, which contains thousands of files. It seems to do this about every 10 minutes, and it takes a while, so it's pushing CPU to near 100% constantly.

 

There was a MsSense.exe version update to 10.8047.22439.1056 with security update KB5005292. I am suspecting that is the cause and will be doing some comparison testing in attempts to confirm it. Anyone else seeing this behavior?

25 Replies

@watercoold 

 

Exactly the same scenario and seeing the same issue. 

 

Seems to be much more impactful on one of our 2012 R2 servers than the others; it shows a constant stream of "Query Directory" C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\*.cat by MsSense.exe

@Baileycol MS just acknowledged via my support ticket that this is a new known bug with no workaround other than offboarding the modern unified solution and installing the MMA sensor. Ugh

 

Be prepared if you choose to do that: there is also a known issue with Sense repeatedly crashing, but at least there appears to be a workaround for that. More Ugh. Plan to test this today.

 

"Currently, if you choose to offboard and uninstall the modern, unified solution and re-onboard the previous MMA-based EDR sensor, you may encounter repeated MsSenseS.exe crashes."

 

Quoted from:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-endpoints...

@watercoold 

 

Appreciate the update and the heads up. What a pain!

@watercoold - thanks for posting this. Do you know if MS has plans for resolving the issue? Also, may I have the support ticket ID for reference?

Thanks again 

Br

Lars

We are having the same issue. Defender is using all the available CPU/memory it can find.

Hi, this has been fixed for a while now to ensure you can in fact roll back if needed.
This should be (have been) addressed through a configuration update.

What's the rollback process? I have only deployed the agents on our test machines on 28/03/2022 and we are seeing this issue. I deployed them using the Windows Server 2012 R2 and 2016 (Preview) option and then using a local script.

Hi, this thread is mentioning MsSense.exe - when you say "Defender", are you referring to MsMpEng.exe (AV) or MsSense.exe (EDR)? If AV, please ensure you test with exclusions - using all the available CPU/memory is not an expected issue unless there is something causing interference (typically, other security software).

@PaulHb 

 

In our case it is MsSense.exe. I right-clicked the process that is using 99% CPU, chose "Open file location", and it highlights MsSense.exe.

 

 

Hi - you just missed my other message. Rollback is only applicable if you were running the previous solution; otherwise, running the offboarding script and then uninstalling will do the trick.

If you haven't already, please update using the latest KB5005292 to get to Sense version 10.8048.22439.1065.

Please make sure you are on the latest Sense version 10.8048.22439.1065 (https://support.microsoft.com/en-us/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f6...) - if this doesn't help and you have a working repro, it would help a lot if you could open a support case to help investigate.

@PaulHb Looks like we have the correct version already. I did raise a ticket with the support team and provided the information they asked for using the MDEClientAnalyzer. Just waiting for a reply. But I thought I'd dig into the forums to see if anyone had a solution already :)

 

 

Hi there,

 

I just did an enrolment on Windows Server 2012 R2 and I'm also experiencing this issue. The KB has been installed and MsSense.exe is on 10.8048.22439.1065.

 

 

Any updates on this issue?

 

/Kenneth

Hi Kenneth! This should no longer occur. Please open a support ticket.

Check if the DiagTrack service is disabled. If it is, enable it on all servers and set it to start automatically when the system starts.
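An added check script, not posted in this thread and not Microsoft's tooling, that bundles the two things the replies above ask affected admins to verify: that MsSense.exe is on the KB5005292 build (10.8048.22439.1065) and that DiagTrack is running and set to Automatic, plus a quick CPU sample of MsSense.exe. The MsSense.exe install path and the `$Remediate` switch are assumptions, not values from the thread.

```powershell
# Added example (not from the thread): verify Sense build, DiagTrack state and MsSense.exe CPU share.
# Assumption: MsSense.exe is in the default MDE install folder below.

$ExpectedVersion = [version]'10.8048.22439.1065'   # build named in the thread (KB5005292)
$SensePath = 'C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe'  # assumed path
$SampleSeconds = 5                                 # CPU sampling window
$Remediate = $false                                # set $true to fix DiagTrack start mode in place

$report = [ordered]@{}

# 1. Sensor build: compare numeric file version parts, not the version string,
#    so a later build than the one named in the thread still counts as up to date.
if (Test-Path $SensePath) {
    $vi = (Get-Item $SensePath).VersionInfo
    $installed = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $report.SenseVersion  = $installed.ToString()
    $report.SenseUpToDate = ($installed -ge $ExpectedVersion)
} else {
    $report.SenseVersion  = 'not found'
    $report.SenseUpToDate = $false
}

# 2. DiagTrack must be Running and start mode Auto (Win32_Service exposes StartMode)
$diagSvc = Get-CimInstance Win32_Service -Filter "Name='DiagTrack'"
$report.DiagTrackState     = if ($diagSvc) { $diagSvc.State } else { 'missing' }
$report.DiagTrackStartMode = if ($diagSvc) { $diagSvc.StartMode } else { 'missing' }
$report.DiagTrackOk        = [bool]($diagSvc -and $diagSvc.State -eq 'Running' -and $diagSvc.StartMode -eq 'Auto')

# 3. Rough MsSense.exe CPU share over the window, normalised to the core count
$proc = Get-Process -Name MsSense -ErrorAction SilentlyContinue
if ($proc) {
    $t0 = $proc.TotalProcessorTime
    Start-Sleep -Seconds $SampleSeconds
    $t1 = (Get-Process -Id $proc.Id).TotalProcessorTime
    $busy = ($t1 - $t0).TotalSeconds / ($SampleSeconds * [Environment]::ProcessorCount)
    $report.MsSenseCpuPercent = [math]::Round($busy * 100, 1)
} else {
    $report.MsSenseCpuPercent = 'not running'
}

[pscustomobject]$report | Format-List

# Optional remediation for the DiagTrack finding; the sensor build is fixed by installing the KB
if ($Remediate -and $diagSvc -and -not $report.DiagTrackOk) {
    Set-Service -Name DiagTrack -StartupType Automatic
    Start-Service -Name DiagTrack
}
```

Run it in an elevated PowerShell session on each 2012 R2 host; a sustained MsSenseCpuPercent near 100 with SenseUpToDate and DiagTrackOk both true is the repro the support case asks for.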

Thanks for the quick response all.

 

@Ciyaresh Verified, service is running on all servers and set to automatic

@PaulHb I'll advise my customer to create a support ticket

 

/Kenneth