Forum Discussion

jham01's avatar
jham01
Copper Contributor
Sep 17, 2021

MsSenseS.exe high CPU usage

Good Afternoon - We have a few servers in Azure that have extremely high CPU usage due to the "MsSenseS.exe" process. Is there anything that can be done to alleviate this? Seems like this process is related to Defender or some sort of Microsoft sensor.

 

I have opened a ticket with Microsoft Support which has not been that helpful.

  • RayOfSunshine's avatar
    RayOfSunshine
    Copper Contributor
    Why is this not a much bigger thing? We have rolled out Defender ATP with our Microsoft 365 E5 license stack and pushed this to 70+ autopilot machines as a POC for the rest of the business. All eventually started to onboard etc but it's killing the CPU with 20-30% use on the MSSense.exe (Defender ATP not the AV engine) all day every day.... what the hell is it doing? Looking at resource manager to see disk usage/files etc, it eventually shows nothing being accessed but still running at 25%.... it causes our Dell machines to overheat and the fans to go continuously..... Everywhere mentions the MsMPeng.exe but the MSSense.exe is the problem...Right Click task manager and set affinity doesn't work even if you  have full permissions because you can't interfere with the Defender ATP services, it defeats the purpose of Defender ATP....
  • hackerman138's avatar
    hackerman138
    Copper Contributor

    Yup, same problem here except our issue with with SenseNdr.exe. Surface laptops used to last 6-8 hours. They last 2 hours at most now. Horrendous and defeats the purpose of a laptop if you have to have it always plugged in. Killing productivity.

  • jham01

    This process is part of Microsoft Defender Advanced Threat Protection service.

    In case of high CPU Utilization, you can alleviate this by setting up a maximum CPU limit for the process.

    Open Task Manager

    1. Go to the Details tab
    2. Right-click on the process name MsSense.exe and select Set affinity
    3. Choose the CPU limit that you allow the process to use

  • SuperNotDuper's avatar
    SuperNotDuper
    Copper Contributor
    Completely agree. This issue is HUGE.
    I have no idea why MS havent properly addressed this and provides information to admins to curb the resources that this service devestates a VM to the extent with.

    Ofcourse a simple fix like limiting CPU limit/allocation could help, but if you've ever actually tried to do this (and not just typing it in a response on a forum post etc) then you'd know, this cannot be done as you get an error - access denied.
    • henrikmc's avatar
      henrikmc
      Copper Contributor

      SuperNotDuperI know you guys are trying to get if working properly, but I have been working on getting ATP off-boarded for month, including MS support cases etc. for the same reason and because we use Mcafee ENS. It simply uses a lot of resources all the time. I managed to get it off-boarded but now it has installed the extension again even that its not enabled in Azure. It's like a virus, hard to get rid of! And I don't think you can tamper with the priority as it has protection against that.

  • dmki1's avatar
    dmki1
    Copper Contributor
    Same problem. We need a way to turn this substandard process off, or have Azure discount of at least 50% - that's how much CPU this process eats.
  • jbmartin6's avatar
    jbmartin6
    Iron Contributor
    If you look at the full command line for the MSSense process, you can see that it is the core network traffic inspection process. This is where all the Zeeke integrations are implemented. So it makes sense that it will use *some* CPU continuously, it is examining network traffic for things like named pipes, LDAP queries, etc. that all contribute to detections in MDE.

    You can reduce the CPU usage somewhat by turning off device discovery completely. This also works by inspection of network traffic, so also contributes to CPU usage by the process.

    But you can't reduce it too much beyond that since it is doing part of the core function of MDE.

Resources