Dec 07 2023 12:54 AM - edited Dec 07 2023 12:55 AM
We are having file access type issues with various customers over the past week and in each case MSSENSE.EXE is the only thing accessing the files apart from our application. Note that we do not administer customers' AV ourselves - we are in the position of having to advise our customers' IT vendors on exclusions etc.
I see conflicting reports on the web as to whether MSSENSE.EXE respects folder or file extension exclusions set up for the normal AV scanning, or alternatively that it is possible but Microsoft have to do it on the 365 tenant via a support ticket. For our customers at least, MSSENSE.EXE does not seem to respect file and folder exclusions.
What is the definitive answer? Is it possible to exclude files\folders from MSSENSE.EXE? If so, how?
Thanks in advance
Dec 07 2023 10:26 AM
@AlanPBourke how is the enrollment done? If managed through Defender portal or Intune, then it may be possible to configure the necessary exclusions. Also, have you tried running advanced hunting queries to check for blocking policies?
Dec 08 2023 08:36 AM
Solution: @AlanPBourke We had a similar issue with some of our apps; you will need to open a case with support to have them put the EDR Exclusion in for you. These are separate from the AV exclusions you add in the security policies. When you do open that ticket they will ask you to run the client analyzer tool to capture what mssense is touching; without that, they will not add the exclusion. They are working on getting the feature added to where you can add your own without support's involvement; you might see if there is a private preview that support can add you into.