SOLVED

MSSENSE.EXE Exclusions - how and where

Brass Contributor

We are having file access type issues with various customers over the past week and in each case MSSENSE.EXE is the only thing accessing the files apart from our application. Note that we do not administer customer's AV ourselves - we are in the position of having to advise our customer's IT vendors on exclusions etc.
I see conflicting reports on the web as to whether MSSENSE.EXE respects folder or file extension exclusions set up for the normal AV scanning, or alternatively that it is possible but Microsoft have to do it on the 365 tenant via a support ticket. For our customers at least, MSSENSE.EXE does not seem to respect file and folder exclusions.

 

What is the definitive answer? Is it possible to exclude files\folders from MSSENSE.EXE? If so, how?

 

Thanks in advance

10 Replies
Do the devices only have Defender AV running or onboarded on Defender for Endpoint?
Mostly onboarded on Defender For Endpoint but possibly some just Defender AV, thanks.
They would have to be MDE onboarded is mssense.exe is involved. mssense is not part of regular Defender, it is started up when device is onboarded to MDE
Thanks. Is it possible to create exclusions for MSSENSE.EXE in that scenario ?
The only way I know about is to contact Microsoft support about it. There isn't an option in the customer console for it.
Thanks for your reply.

So as I understand it we have a situation where a Microsoft component with self-modifying behaviour can cause havoc with third party applications, but it might not cause the same havoc two days in a row or for two different customers, or it might cause a different type of havoc. If I were to set up a test environment to prove the issue it might not be replicable at all. And there's no way for the paying customer to turn this off.

Thanks Microsoft.

@AlanPBourke how is the enrollment done? If managed through Defender portal or Intune, then it maybe possible to configure the necessary exclusions. Also, have you tried running advanced hunting queries to check for blocking policies?

best response confirmed by AlanPBourke (Brass Contributor)
Solution

@AlanPBourke We had a similar issue with some of our apps, you will need to open a case with support to have them put the EDR Exclusion in for you.  These are separate from the AV exclusions you add in the security policies.  When you do open that ticket they will ask you to run the client analyzer tool to capture what mssense is touching, without that, they will not add the exclusion.  They are working on getting the feature added to where you can add your own without supports involvement, you might see if there is a private preview that support can add you into. 

I don't have any access to do anything in terms of Intune etc. I am in the position of having to tell our customers IT vendors what to do since they can't be bothered to do it themselves.
It sounds like EDR exclusions are needed vs AV exclusions. A majority of the issues i've seen is that its an ASR rule causing random blocks/permission issues/access denied. Check to see what kind of audits or blocks you are getting in the ASR report or if any of the applications you are experiencing issues with are showing up.
1 best response

Accepted Solutions
best response confirmed by AlanPBourke (Brass Contributor)
Solution

@AlanPBourke We had a similar issue with some of our apps, you will need to open a case with support to have them put the EDR Exclusion in for you.  These are separate from the AV exclusions you add in the security policies.  When you do open that ticket they will ask you to run the client analyzer tool to capture what mssense is touching, without that, they will not add the exclusion.  They are working on getting the feature added to where you can add your own without supports involvement, you might see if there is a private preview that support can add you into. 

View solution in original post