Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Process exclusions not working for MSSense.exe

Copper Contributor

I have an issue where builds often fail due to sharing violations caused by defender.

The sequence is:

  • link.exe (MS VC++) creates the exe file being built
  • MsSense.exe opens the exe file just built for scanning
  • mt.exe (MS VC++ manifest tool) is executed to embed a manifest in the exe being built
  • mt.exe fails to open the exe file due to a sharing violation.

I've confirmed with procmon that MsSense.exe is opening this exe file in between our link and manifest steps and causes the sharing violation.

 

I've tried adding process exclusions for link.exe and mt.exe with no change to the result. Also tried adding folder exclusions for the directory containing the source tree, also no help.

 

It appears that MsSense.exe is part of Advanced Threat Protection and that Defender exclusions do not apply to that. I've searched high and low for how to fix this problem with no luck.

 

Looking for ideas/pointers on how to add exceptions to ATP .

6 Replies

@pbarnz When i raised a support case on this only the product team can add exclusions for ATP. Its done for the whole tenant too and it took weeks before they finally added it.

 

Apparently there is update coming where we can add them ourselves but its still in preview (or so the engineer told me).

Same issue here. Our nightly builds are failing almost every day apparently for the same reason. In our case, it seems to fail randomly at different modules each day. Process Monitor also shows MsSense and from time to time MsMpEng accessing and locking some of the generated files.

@pbarnz 

 

We're facing the same issue in our company. We're seeing it more often on slower machines.

A colleague suggested to use MT_EXECUTE_DELAY=1000 environment variable.

Where should we set it? We also hvae the same issue
How are you setting your process exclusions?
I know in our case (using group policy) it turned out it was very picky about how we had the exclusions written.
You set the name to the full path to the executable you want to exclude, and then you set the data to "0". (we had no luck just using the executable by itself)

So when all is said and done, what populates into registry are REG_SZ keys where the name is the full path, and the data value shows 0. Been working for us for many months now.
Setting with just the exe file name, e.g. mt.exe. Part of the problem is this is all managed centrally by our IT and for a global/shared profile, it would be problematic to specify full paths. But they did put me in "troubleshooting mode" where I could add exceptions locally for a while, and adding the full paths made no difference. It appears that Advanced Threat Protection does not use these exclusions, it is managed separately.