Mar 22 2022 01:33 PM
After updating servers this month, the 2012 R2 servers that have the ATP modern unified solution agent are seeing a massive increase in disk and CPU activity. Process Monitor revealed that MsSense.exe is aggressively scanning the C:\Windows\System32\catroot directory, which contains thousands of files. It seems to do this about every 10 minutes and it takes a while, so it's pushing CPU to near 100 constantly.
There was a MsSense.exe version update to 10.8047.22439.1056 with security update KB5005292. I am suspecting that is the cause and will be doing some comparison testing in attempts to confirm it. Anyone else seeing this behavior?
Mar 23 2022 02:32 AM
Exactly the same scenario and seeing the same issue.
Seems to be much more impactive on one of our 2012 R2 servers than others which shows a constant stream of "Query Directory" C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\*.cat by MsSense.exe
Mar 23 2022 07:56 AM
@Baileycol MS just acknowledged via my support ticket that this is a new known bug with no workaround other than offboarding the modern unified solution and installing the MMA sensor. Ugh
Be prepared if you choose to do that: there is also a known issue with Sense repeatedly crashing, but at least it appears there is a workaround for that. More Ugh. Plan to test this today.
"Currently, if you choose to offboard and uninstall the modern, unified solution and re-onboard the previous MMA-based EDR sensor, you may encounter repeated MsSenseS.exe crashes."
Quoted from:
Apr 01 2022 02:11 PM
Seeing the same thing.
Apr 06 2022 06:04 AM
@watercoold - thx for posting this. Do you know if MS has plans for resolving the issue? Also, may I have the support ticket ID for reference?
Thanks again
Br
Lars
Apr 12 2022 08:28 AM
In our case it is MsSense.exe. I right-clicked on the process that is using 99% CPU, chose file location, and it highlights MsSense.exe.
Apr 12 2022 08:40 AM
@PaulHb Looks like we have the correct version already. I did raise a ticket with the support team and provided the information they asked for using the MDEClientAnalyzer. Just waiting for a reply. But I thought I'd dig into the forums to see if anyone had a solution already :)
May 13 2022 08:12 AM
Hi there,
I just did an enrolment on Windows Server 2012 R2 and I'm also experiencing this issue. The KB has been installed and MsSense.exe is on 10.8048.22439.1065.
Any updates on this issue?
/Kenneth