Forum Discussion
MarcVDH (Iron Contributor)
Oct 14, 2024
SenseNdr.exe is slowly eating the memory
Hello,
For a few days now, we have had some Windows Server 2019 physical machines where almost all the memory is committed to sensendr.exe.
If you terminate sensendr.exe, the process comes back after a few minutes.
On one machine the problem came back after a little bit more than one day, on the others the problem has not come back (yet).
All the machines are patched with the 2024-09 CU.
Here is a view of the resource monitor:
On another machine:
Do you have any idea what could cause that and how to avoid it?
We can't find any error messages that could explain the problem.
Thanks in advance for your answers
Marc
- MarcVDH (Iron Contributor)
Finally the problem seems to be solved for us, MS informed us that the second fix included was also for the non-paged pool memory problem.
It has been a week now and everything is running fine. Case closed :)
- Jubee101 (Copper Contributor)
So the Admin page says the fix was deployed and service was restored... but it says nothing about whether we have to install something to fix this or not? Did your issues just stop or are they still happening?
- mackc92 (Copper Contributor)
Our issues seem to have cleared up, and there was no action required on our part. I'm keeping our Microsoft ticket open until 11/18 out of an abundance of caution.
- MarcVDH (Iron Contributor)
Same here, no problem for a few days now but we are also keeping the case open because on almost all our machines the problem was taking a few days to re-appear.
- bipins179 (Copper Contributor)
We were having the same issue too and opened a ticket with Microsoft, and Microsoft recommended we mitigate by:
a. Disabling the capability that was enabled in the Oct updates
b. Introducing the GroupID called "NDROFF" for customers to use on impacted devices. This will cause delivery of configuration that turns off the SenseNDR component that is causing the impact, thus resolving the issue without offboarding the entire machine.
Run PowerShell to add:
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v GroupIds /d NDROFF /f
- RajkumarRamasamy (Brass Contributor)
Without SenseNDR, does ATP still work? Is there any other mechanism to keep monitoring that node?
- Jubee101 (Copper Contributor)
Wondering if this actually works and what you added for the exclusion? I tried adding the process called SenseNdr.exe but didn't see any change in this. Thanks for your post!
- MarcVDH (Iron Contributor)
For us, we are still continuing the testing with Microsoft because the problem is not solved. We still have machines that are experiencing the problem randomly.
It is still happening only on machines with high network usage.
The only thing that has changed is the speed at which sensendr.exe commits the memory (much faster now).
- fheff (Copper Contributor)
You can track the issue via https://admin.microsoft.com/ .
Under Health > Service health you can see the updates from Microsoft.
Received this from a colleague. Unfortunately this page is not publicly available, you need admin rights for this.
- RajkumarRamasamy (Brass Contributor)
I do experience the same memory performance issue, on all the endpoints.
- MarcVDH (Iron Contributor)
I don't know if it is linked to the fix they have deployed but the problem just got worse now.
Before today, sensendr.exe was taking between 12 to 20 hours to have 60GB of committed memory.
This evening, I just got 4 machines where the problem occurred and it took less than 3 hours to commit the same amount of memory!!
I have sent new logs to MS to troubleshoot this problem.
In the meantime I think I will recreate the scheduled task to kill sensendr every hour.
- mackc92 (Copper Contributor)
An alert was posted last night:
Some admins' Microsoft Defender for Endpoint enrolled Windows Server devices may experience performance issues
ID: DZ917720
Issue type: Advisory
- anttilahti (Copper Contributor)
Unfortunately someone from another thread reported a memory leak issue today after this announcement with Dfe version 10.8779.05.11.2024.hotfix.ww.2024.11.05.02-57DEE
- mjhelmb (Copper Contributor)
Thank you so much for sharing! I'm glad this has finally been acknowledged by Microsoft.
- dperez83 (Copper Contributor)
Can you share the link? Found nothing on search engines.
- mackc92 (Copper Contributor)
Has there been any movement on your Microsoft ticket? We also have a Microsoft ticket open; we've provided logs and screenshots as requested, but no significant progress has been made.
- MarcVDH (Iron Contributor)
Yes, I was contacted by Microsoft yesterday.
They are going to push the new solution within 48hrs from the backend worldwide and said that there is no further action needed from our side.
I will wait until Monday and then I will remove our scheduled task to kill sensendr and we will see how it goes.
Fingers crossed.
- Jack1314 (Copper Contributor)
Thanks for the update! We’re experiencing the same issue, so it’s reassuring to hear Microsoft is implementing a fix. If you don’t mind, please let us know if it resolves the issue on your end. Fingers crossed
- ComputerGuy77 (Copper Contributor)
I am also impacted by this. I will try rebooting my DC every 24 hours to help.
- MarcVDH (Iron Contributor)
ComputerGuy77 you don't need to reboot your machines, just kill the process (it will be re-launched automatically a few seconds after).
- ProximusAl (Copper Contributor)
MarcVDH You do if you can't RDP the machine due to low RAM, and no physical access......exactly like what happened to me....
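
Added example, not posted by anyone in this thread and not Microsoft's code: a read-only PowerShell check that records how much memory SenseNdr.exe has committed, along with system commit charge and non-paged pool size, so the growth described above is visible before a server becomes unreachable. The function name, thresholds and CSV path are assumptions chosen for illustration.

```powershell
# Added example (not from the thread). Read-only: it measures, it does not kill or reconfigure anything.
# Thresholds and the output path are assumptions; tune them per server.
function Get-SenseNdrMemoryReport {
    param(
        [string]$ProcessName = 'SenseNdr',
        [double]$MaxPrivateFraction = 0.5,  # assumed: flag when private bytes exceed 50% of RAM
        [double]$MaxCommitPercent = 85      # assumed: flag when system commit charge exceeds 85%
    )

    $ramBytes = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
    $mem      = Get-CimInstance -ClassName Win32_PerfFormattedData_PerfOS_Memory
    $procs    = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)

    # Sum private bytes in case more than one instance exists right after a restart.
    $privateBytes = [long]0
    foreach ($p in $procs) { $privateBytes += $p.PrivateMemorySize64 }

    $report = [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Time              = Get-Date -Format o
        Running           = ($procs.Count -gt 0)
        PrivateGB         = [math]::Round($privateBytes / 1GB, 2)
        PrivateShareOfRam = [math]::Round($privateBytes / $ramBytes, 3)
        SystemCommitPct   = $mem.PercentCommittedBytesInUse
        NonPagedPoolGB    = [math]::Round($mem.PoolNonpagedBytes / 1GB, 2)
    }

    $alert = ($report.PrivateShareOfRam -gt $MaxPrivateFraction) -or
             ($report.SystemCommitPct -gt $MaxCommitPercent)
    $report | Add-Member -NotePropertyName Alert -NotePropertyValue $alert -PassThru
}

$r = Get-SenseNdrMemoryReport

# Append to a history file so the growth rate (hours to exhaustion) can be read back later.
$r | Export-Csv -Path "$env:ProgramData\SenseNdrMemory.csv" -Append -NoTypeInformation

if ($r.Alert) {
    Write-Warning ("{0}: SenseNdr private memory {1} GB, system commit {2}%, non-paged pool {3} GB" -f `
        $r.Computer, $r.PrivateGB, $r.SystemCommitPct, $r.NonPagedPoolGB)
}
```

Run at a short interval from a scheduled task, the CSV history gives the time-to-exhaustion figures that posters in this thread were estimating by hand.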