Oct 11 2019 02:22 PM
We have started to see issues creep up with MsSense.exe reading network files while one of our applications is trying to open the files off a network location. In the past this hasn't caused issues but now we are starting to get file conflicts with both ATP and our application trying to access the file at the same time.
I know you can add exclusions to Windows Defender but as far as I can tell those do not apply to ATP. The closest thing I have found for trying to exclude MsSense.exe from scanning specific folders or files is automation folder exclusions which according to the Microsoft docs this it can be used to exclude folders from the automated investigation. Not sure if Automated investigation is what is being run by MsSense.exe.
Can someone point me to documentation of how to exclude a folder or file(s) from being scanned/monitored by ATP?
Oct 20 2020 02:43 AM
@Dane_B Have you ever found a solution for your issue? I'm experiencing the same thing
Oct 21 2020 08:00 AM
@Michiel_Singor No, we ended up working with MS support and they added a custom whitelist on the backend. Things may have changed since then though, I don't know. I don't use ATP; I was just doing research as we are a software vendor with clients that use it.
Oct 21 2020 08:29 AM
May 10 2021 09:33 AM - edited May 10 2021 09:34 AM
Also curious here. The exclusions for the automated response portion does not actually seem to exclude it from scanning that folder. Custom indicators also does not seem to solve the issue for us, as our hashes are not staying the same day to day as we continue to develop items. It's great that Defender AV can actually exclude a folder, but it's becoming troublesome that EDR/ATP is still hitting heavily on those locations. Did anyone here ever find an answer?
Jun 14 2021 04:39 PM - edited Jun 14 2021 04:49 PM
@Bennett- We also have the same issue. We have Microsoft Endpoint Manager with Intune, and we have a TeamCity build server where we call Sysinternals handle.exe and we can clearly see that mssense.exe has an open file handle to a *.nupkg in our build pipeline, which causes MSBuild to fail.
Here is what I have figured out so far. Add-MpPreference does nothing to stop this problem from happening. The following two documentation links support that it won't stop this problem. However, I can't find documentation explaining how to stop it!
The exclusions only apply to always-on real-time protection and monitoring. They don't apply to scheduled or on-demand scans.
Note: We don't have real-time monitoring enabled.
Also, see the very top IMPORTANT message on https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-extension-file-e...
Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including endpoint detection and response (EDR), attack surface reduction (ASR) rules, and controlled folder access. Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender for Endpoint custom indicators.
Separately, when I run Get-MpComputerStatus in PowerShell, the last QuickScan was two days ago, indicating that Mp is completely separate from Windows Defender ATP.
Separately, https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/switch-to-microsoft-defend... appears to be incorrect. It lists SenseIR.exe as the executable for Windows Server 2019. We're using Windows Server 2019 Datacenter Edition and the executable giving us fits is MsSense.exe. Both are in the same directory on our version of Windows.
Separately, I added a pull request just now to update the documentation in one area, since for some reason dotnet.exe isn't encouraged to NOT be excluded. https://github.com/MicrosoftDocs/microsoft-365-docs/pull/5320
Additional Tags: WDATP, Windows Defender ATP, Advanced Threat Protection Sense
Jun 14 2021 05:27 PM
I also think this cannot be coming from ASR (Attack Surface Reduction) feature. The reason is if I remote into the machine with the problem, and run:
Get-MpPreference | Select AttackSurfaceReductionOnlyExclusions,AttackSurfaceReductionRules_Actions,AttackSurfaceReductionRules_Ids
The output is:
AttackSurfaceReductionOnlyExclusions AttackSurfaceReductionRules_Actions AttackSurfaceReductionRules_Ids
------------------------------------ ----------------------------------- -------------------------------
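The checks walked through in the two posts above (handle.exe against the build folder, Get-MpPreference, Get-MpComputerStatus, ASR settings) gathered into one diagnostic script. This is an added example, not code from the thread; it assumes handle.exe lives at $HandleExe and that $WatchPath is the folder where the conflicts occur, and it only reports, it changes no settings.

```powershell
# Added diagnostic script (not from the thread). Assumed values: $WatchPath is the folder
# MsSense.exe is contending for, $HandleExe is where Sysinternals handle.exe was placed.
# Run in an elevated PowerShell session on the affected machine.
param(
    [string]$WatchPath = '\\fileserver\builds',               # assumed example path
    [string]$HandleExe = 'C:\Tools\Sysinternals\handle.exe'   # assumed install location
)

# 1. Which engines are running: Defender AV (WinDefend / MsMpEng) vs. the
#    Defender for Endpoint sensor (Sense service / MsSense.exe, SenseIR.exe).
Get-Service -Name Sense, WinDefend -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize
Get-Process -Name MsSense, SenseIR, MsMpEng -ErrorAction SilentlyContinue |
    Select-Object Name, Id, Path | Format-Table -AutoSize

# 2. What Defender AV has excluded. As the docs quoted in the thread state, these
#    AV exclusions are not honoured by EDR, so a listed path can still be touched by MsSense.exe.
$pref = Get-MpPreference
[pscustomobject]@{
    ExclusionPath     = ($pref.ExclusionPath -join '; ')
    ExclusionProcess  = ($pref.ExclusionProcess -join '; ')
    ASROnlyExclusions = ($pref.AttackSurfaceReductionOnlyExclusions -join '; ')
    ASRRuleIds        = ($pref.AttackSurfaceReductionRules_Ids -join '; ')
} | Format-List

# 3. AV state: real-time protection and when the last quick scan ran, to tell AV
#    activity apart from sensor activity.
Get-MpComputerStatus |
    Select-Object AMRunningMode, RealTimeProtectionEnabled, QuickScanEndTime | Format-List

# 4. Is the sensor holding file handles under the watched path right now?
#    handle.exe -p filters by process name; a trailing name argument filters by path substring.
if (Test-Path -Path $HandleExe) {
    $lines = & $HandleExe -accepteula -nobanner -p MsSense $WatchPath 2>$null
    $hits  = @($lines | Where-Object { $_ -match 'type:\s+File' })
    if ($hits.Count -gt 0) {
        Write-Warning "MsSense.exe holds $($hits.Count) file handle(s) under $WatchPath"
        $hits
    } else {
        Write-Host "No MsSense.exe file handles found under $WatchPath"
    }
} else {
    Write-Warning "handle.exe not found at $HandleExe (assumed path); adjust -HandleExe"
}
```

Re-running step 4 in a loop while the build runs shows whether the handle appears at the moment the build fails, which separates a sensor file-read conflict from an AV scan.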