Defender ATP Issue - Adobe and PDFs

  • Question

  • Over the past month my company has been in the process of converting our on-prem environment over to using Microsoft Defender along with Defender ATP. All client devices are a mixture of Windows 10 1809 and 1709; the 1709 machines are currently in the process of being updated. 90% of these Windows 10 machines have been enrolled into Intune for policy management as well as for the onboarding package into ATP. Over the past few weeks our Helpdesk has gotten multiple reports about users having issues with Adobe Acrobat when working with files on network shares. Issues also started with another application called 'Kofax' that performs document scanning. This application also directly writes *.TIF image files to a UNC network share.

    I have performed a multitude of troubleshooting steps, including making sure certain paths are excluded from Defender scanning, turning off real-time protection altogether, etc. I even found the issue still occurred when I disabled Windows Defender. This morning I decided to offboard one of the affected machines from Defender ATP, and with that the issues disappeared. I looked closely at a procmon capture during the event and the issues seemed to start with MsSense.exe getting an 'Access Denied' result, which was followed soon after by a 'disconnected' result to the UNC path. Then acrobat.exe received a 'network error' and an 'invalid parameter' error. So, the root of the issue seems to be that when PDF files are getting read and written to a UNC path, MsSense.exe (the Defender ATP service) is somehow affecting the application, for whatever reason. This is also seen with an application writing *.TIF files. Has anyone seen anything like this before?
    • Edited by dgh19811 Monday, December 9, 2019 1:40 AM change background
    Thursday, December 5, 2019 8:45 PM

All replies

  • I found some new evidence. I found that the drive letter the users were writing and reading the files to was mapped with an old-fashioned batch file (net use y:) deployed via GPO. That one hasn't been converted to a GPO Preference. If I added myself to the security group and moved my user to the OU getting the policy, then saved the file to the mapped Y drive, it also happened to me. If I perform the same exact steps while getting to the location via a GPO Preference, I have no problems. Also, recall that if I uninstall ATP, the issue doesn't happen on the batch-file-mapped drive. So, ATP has an issue with PDF files on drives mapped via batch? I'm closer to the answer at least. IT really is like CSI sometimes.
    Monday, December 9, 2019 1:38 AM
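To reproduce the symptom described in this thread on a Helpdesk machine, the added PowerShell script below (not posted by anyone in the thread) writes small .pdf and .tif probe files through the mapped drive letter and through the same share's raw UNC path, and reports which path fails. It assumes it is run as the affected user on an ATP-onboarded client, that the drive letter is the batch-mapped Y: from the thread, and that Get-SmbMapping (SmbShare module, Windows 8 and later) is available.

```powershell
# Added diagnostic, not from the thread. Compares file I/O via the mapped drive letter
# against the raw UNC path so a Helpdesk can tell whether the failure follows the mapping.
param(
    [string]$DriveLetter = 'Y:'   # assumption: the batch-file-mapped drive from the thread
)

$mapping = Get-SmbMapping -LocalPath $DriveLetter -ErrorAction SilentlyContinue
if (-not $mapping) { throw "No SMB mapping found for $DriveLetter" }
$unc = $mapping.RemotePath

# Persistent mappings (net use /persistent:yes, GPP drive maps with "Reconnect") are recorded
# under HKCU:\Network; a mapping absent there was most likely created in-session by a logon script.
$persistent = Test-Path ("HKCU:\Network\" + $DriveLetter.TrimEnd(':'))
Write-Host ("{0} -> {1}  (persistent registry entry: {2})" -f $DriveLetter, $unc, $persistent)

$results = foreach ($root in @($DriveLetter, $unc)) {
    foreach ($ext in @('pdf', 'tif')) {
        # Unique probe name so concurrent runs on the same share do not collide.
        $path = Join-Path $root ("atp-probe-{0}.{1}" -f [guid]::NewGuid(), $ext)
        try {
            # Write, read back, delete: the same create/read/close sequence Acrobat or Kofax issues.
            [IO.File]::WriteAllBytes($path, [byte[]](1..4096))
            $null = [IO.File]::ReadAllBytes($path)
            Remove-Item -LiteralPath $path -Force
            [pscustomobject]@{ Root = $root; Ext = $ext; Result = 'OK';   Error = '' }
        } catch {
            # Win32 errors such as ERROR_ACCESS_DENIED or ERROR_NETNAME_DELETED surface here.
            [pscustomobject]@{ Root = $root; Ext = $ext; Result = 'FAIL'; Error = $_.Exception.Message }
        }
    }
}
$results | Format-Table -AutoSize
```

Run it once before and once after offboarding the client from ATP; a failure that appears only for the drive-letter rows, and only while onboarded, matches the behaviour reported above and gives Microsoft support a concrete error string alongside the procmon capture.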