cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

watercoold
New Contributor

‎Mar 22 2022 01:33 PM

‎Mar 22 2022 01:33 PM

Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

After updating servers this month, the 2012 R2 that have the ATP modern unified solution agent are seeing a massive increase in disk and cpu activity. Process monitor revealed that MsSense.exe is aggressively scanning the C:\Windows\System32\catroot directory which contains thousands of files. It seems to do this about every 10 minutes and it takes a while so it's pushing CPU to near 100 constantly. 

 

There was a MsSense.exe version update to 10.8047.22439.1056 with security update KB5005292. I am suspecting that is the cause and will be doing some comparison testing in attempts to confirm it. Anyone else seeing this behavior?

7,535 Views
1 Like
25 Replies
Reply
25 Replies
Baileycol

‎Mar 23 2022 02:32 AM

‎Mar 23 2022 02:32 AM

Re: Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

@watercoold 

 

Exactly the same scenario and seeing the same issue. 

 

Seems to be much more impactive on one of our 2012 R2 servers than others which shows a constant stream of "Query Directory" C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\*.cat by MsSense.exe

0 Likes
Reply
watercoold

‎Mar 23 2022 07:56 AM

‎Mar 23 2022 07:56 AM

Re: Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

@Baileycol MS just acknowledged via my support ticket that this a new known bug with no workaround other than offboarding the modern unified solution and installing the MMA sensor. Ugh

 

Be prepared if you choose to do that, there is also a known issue for repeatedly crashing Sense, but at least appears there is a work-around for that. More Ugh. Plan to test this today. 

 

"Currently, if you choose to offboard and uninstall the modern, unified solution and re-onboard the previous MMA-based EDR sensor, you may encounter repeated MsSenseS.exe crashes."

 

Quoted from:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-endpoints...

0 Likes
Reply
Baileycol

‎Mar 23 2022 09:07 AM

‎Mar 23 2022 09:07 AM

Re: Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

@watercoold 

 

Appreciate the update and the heads up. What a pain!

0 Likes
Reply
Jeffrey

‎Apr 01 2022 02:11 PM

‎Apr 01 2022 02:11 PM

Re: Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

Seeing the same thing.

0 Likes
Reply
Lars Villaume Jørgensen

‎Apr 06 2022 06:04 AM

‎Apr 06 2022 06:04 AM

Re: Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

@watercoold - thx for posting this. Do you know if MS has plans for resolving the issue? Also may I have the support ticket Id for reference? 

Thanks again 

Br

Lars

0 Likes
Reply
Ciyaresh

‎Apr 12 2022 06:14 AM

‎Apr 12 2022 06:14 AM

Re: Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

We are having the same issue. Defender is using all the available CPU/memory it can find.
0 Likes
Reply
PaulHb

‎Apr 12 2022 08:21 AM

‎Apr 12 2022 08:21 AM

Re: Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

Hi, this has been fixed for a while now to ensure you can in fact roll back if needed.
0 Likes
Reply
PaulHb

‎Apr 12 2022 08:22 AM

‎Apr 12 2022 08:22 AM

Re: Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

This should be (have been) addressed through a configuration update.
0 Likes
Reply
Ciyaresh

‎Apr 12 2022 08:25 AM

‎Apr 12 2022 08:25 AM

Re: Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

what's the rollback process? I have only deployed the agents on our test machines @ 28/03/2022 and we are seeing this issue. I deployed them using the Windows Server 2012 R2 and 2016 (Preview) option and then using a local script.
0 Likes
Reply
PaulHb

‎Apr 12 2022 08:25 AM

‎Apr 12 2022 08:25 AM

Re: Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

Hi, this thread is mentioning MsSense.exe - when you say "Defender" are you referring to msmpeng.exe (AV) or MsSense.exe (EDR)? If AV, please ensure you test with exclusions - using all the available CPU/memory is not an expected issue unless there is something causing interference (typically, other security software).
0 Likes
Reply
Ciyaresh

‎Apr 12 2022 08:28 AM

‎Apr 12 2022 08:28 AM

Re: Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

@PaulHb 

 

In our case it is the MsSense.exe. I have right clicked on the process that is using 99% CPU, file location and it highlights MsSense.exe

Ciyaresh_0-1649777314420.png

 

 

0 Likes
Reply
PaulHb

‎Apr 12 2022 08:29 AM

‎Apr 12 2022 08:29 AM

Re: Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

Hi - you just missed my other message. Rollback is only applicable if you were running the previous solution: otherwise, running the offboarding script and then uninstalling will do the trick.
0 Likes
Reply
PaulHb

‎Apr 12 2022 08:31 AM

‎Apr 12 2022 08:31 AM

Re: Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

If you haven't already, please update using the latest KB5005292 to get to Sense version 10.8048.22439.1065
0 Likes
Reply
PaulHb

‎Apr 12 2022 08:32 AM

‎Apr 12 2022 08:32 AM

Re: Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

Please make sure you are on the latest Sense version 10.8048.22439.1065 (https://support.microsoft.com/en-us/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f6...) - if this doesn't help and you have a working repro it would help a lot if you could open a support case to help investigate.
0 Likes
Reply
Ciyaresh

‎Apr 12 2022 08:40 AM

‎Apr 12 2022 08:40 AM

Re: Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

@PaulHb Looks like we have the correct version already. I did raise a ticket with the support team and provide the information they asked using the MDEClientAnalyzer. Just waiting for a reply. But I thought I'd dig into the forums to see if anyone had a solution already :) 

 

Ciyaresh_0-1649777973082.png

 

0 Likes
Reply
Kenneth van Surksum

‎May 13 2022 08:12 AM

‎May 13 2022 08:12 AM

Re: Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

Hi there,

 

I just did an enrolment on Windows Server 2012R2 and I'm also experiencing this issue. the KB has been installed and MsSense.exe is on 10.8048.22439.1065 

 

2022-05-13_16-56-09.png

 

Any updates on this issue?

 

/Kenneth

0 Likes
Reply
PaulHb

‎May 13 2022 08:29 AM

‎May 13 2022 08:29 AM

Re: Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

Hi Kenneth! This should no longer occur. Please open a support ticket.
0 Likes
Reply
Ciyaresh

‎May 13 2022 08:34 AM

‎May 13 2022 08:34 AM

Re: Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

Check if the diagtrack service is disabled. If it is, enable on all servers and set it to auto load when system starts.
0 Likes
Reply
Kenneth van Surksum

‎May 13 2022 11:12 AM

‎May 13 2022 11:12 AM

Re: Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

Thanks for the quick response all.

 

@Ciyaresh Verified, service is running on all servers and set to automatic

@PaulHb I'll advise my customer to create a support ticket

 

/Kenneth

0 Likes
Reply