MarcVDH
Iron Contributor
Oct 14, 2024

SenseNdr.exe is slowly eating the memory

Hello,

For a few days now, we have some Windows Server 2019 physical machines where almost all the memory is committed to sensendr.exe.

If you terminate sensendr.exe, the process comes back after a few minutes.

On one machine the problem came back after a little bit more than one day, on the others the problem has not come back (yet).

All the machines are patched with the 2024-09 CU.

 

Here is a view of the resource monitor : 

On another machine : 

Do you have any idea what could cause that and how to avoid it ?

We can't find any error messages that could explain the problem.

 

Thanks in advance for your answers

Marc

 

    • MarcVDH
      Iron Contributor

      actenherkel 

      Good news !

      We have an open case for this with Microsoft and we just received a mail saying they have found the root cause. The memory becomes full of captured packets (by pktmon) because sensendr is not able to process them as quickly as they arrive.

      They have developed a long-term solution that, as they said, will automatically manage and release memory before it reaches a critical level of impact.

      I don't have any more info about how this solution will be distributed.


       

      • MarcVDH
        Iron Contributor
        I got another mail from MS; apparently the fix is included in the October 2024 CU.
        I am trying to have the permissions to patch a few servers on our side to test this now.
        If someone else can test this also.
  • mjhelmb
    Copper Contributor

    We started seeing this on 12 machines beginning 10/8. They will last a few days before running out of memory. Adding more memory only delayed the issue. 

     

    Server 2022 with both the September 2024 and October 2024 patches. 

     

    The only thing special about these machines is that they are on an isolated network using a proxy for Defender only. Anyone else in that scenario?

     

    • Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus

      • Define proxy server for connecting to the network: enabled

    • Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds

      • Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service: enabled

      • Configure Connected User Experiences and Telemetry: enabled

    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
      • PreferStaticProxyForHttpRequest set to REG_DWORD 0x1

     

  • Elduderino
    Copper Contributor

    MarcVDH we do see the same issues on Windows Server 2022. Takes all the memory, as soon as we kill SenseNDR.exe the memory usage returns to normal again.

    Excluded the device from discovery, as this process is used for it, but without luck.

    Installed MDE version is 10.8760.20348.2700

    • MarcVDH
      Iron Contributor

      Thanks for your answer.
      Do you have an idea when the problem started at your side ?
      Here it started between on 08 October.
      I have found a few posts about this problem but in each case it was the non-paged pool that was being used; in my case it is the committed memory (the non-paged pool stays 'normal').
      Killing sensendr does the trick at the moment but we shouldn't have to do this.
      For now, we are not able to determine what triggers this problem.

  • rahuljindal-MVP
    Bronze Contributor

    MarcVDH This could be due to a combination of things like your current scan policies, suspicious files on the devices. I would start by checking the devices for malware, incompatible applications. You can also run an MDE performance analyzer to gather more details. 

    • MarcVDH
      Iron Contributor
      Hello, thanks for your answer.
      We already ran the performance analyzer when the problem is occurring and when it is not and the recordings show no difference.
      There was no report about any incident on these servers.
      There was no problem for 1.5 days. Yesterday evening, 3 machines started to show signs of the problem again; during the night another one started to also show the problem.
      At the moment we have 4 machines where sensendr.exe has 31.8GB of committed memory and this number is slowly growing.
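
Added example, not part of any post in this thread and not Microsoft's fix: a PowerShell sampler that shows whether the growth is in sensendr.exe's committed (private) memory or in the system non-paged pool, the distinction MarcVDH draws above, and how fast it is growing. It assumes English performance-counter names; the sample count and interval are illustrative.

```powershell
# Added example: trend SenseNdr.exe private (committed) bytes against the system non-paged pool.
# Assumptions: English counter names; $Samples and $IntervalSeconds are illustrative defaults.
param(
    [string]$ProcessName     = 'SenseNdr',
    [int]   $Samples         = 6,
    [int]   $IntervalSeconds = 600
)

function Get-MemorySample {
    $proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
            Sort-Object PrivateMemorySize64 -Descending | Select-Object -First 1
    if (-not $proc) { return $null }   # process was killed and has not restarted yet
    $c = (Get-Counter -Counter '\Memory\Pool Nonpaged Bytes', '\Memory\Commit Limit').CounterSamples
    [pscustomobject]@{
        Time         = Get-Date
        ProcessId    = $proc.Id
        PrivateBytes = $proc.PrivateMemorySize64
        NonPagedPool = ($c | Where-Object Path -like '*pool nonpaged bytes').CookedValue
        CommitLimit  = ($c | Where-Object Path -like '*commit limit').CookedValue
    }
}

$history = @()
for ($i = 0; $i -lt $Samples; $i++) {
    $s = Get-MemorySample
    if ($s) {
        # A new PID means the process was restarted: start the trend over.
        if ($history.Count -and $history[-1].ProcessId -ne $s.ProcessId) { $history = @() }
        $history += $s
    }
    if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
}

if ($history.Count -lt 2) { Write-Warning "Not enough samples for $ProcessName"; return }

$first = $history[0]; $last = $history[-1]
$hours = ($last.Time - $first.Time).TotalHours
$commitRate = ($last.PrivateBytes - $first.PrivateBytes) / $hours
$poolRate   = ($last.NonPagedPool - $first.NonPagedPool) / $hours

[pscustomobject]@{
    ProcessId            = $last.ProcessId
    PrivateGB            = [math]::Round($last.PrivateBytes / 1GB, 2)
    PrivateGrowthMBperHr = [math]::Round($commitRate / 1MB, 1)
    NonPagedPoolMB       = [math]::Round($last.NonPagedPool / 1MB, 1)
    PoolGrowthMBperHr    = [math]::Round($poolRate / 1MB, 1)
    PctOfCommitLimit     = [math]::Round(100 * $last.PrivateBytes / $last.CommitLimit, 1)
}
```

Steady private-byte growth with a flat non-paged pool matches the committed-memory pattern described in this thread; the reverse points to the non-paged pool variant mentioned in other posts.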
