Microsoft Defender ATP: mssense.exe is creating Extended Attributes!

  • Question

  • I support a product that uses a file system feature called "reparse points". I am getting a report that on Server 2019 our product can't manage certain files because an MS process (MsSense.exe) is writing extended attributes to files. You can't have extended attributes AND reparse points on the same file.

    This is VERY surprising since I was under the impression that extended attributes were being deprecated. For instance, the newer file system, ReFS, does not support extended attributes at all.

    I have been experimenting with S2019 and ATP but I can't get it to reproduce the same behavior that the customer sees.

    One difference: their ATP is centrally managed by SCCM and I'm using a stand-alone server.

    Does anyone have any information on the use of extended attributes in ATP? Specifically: what configuration setting is enabling this behavior and how to get it to stop doing that!


    Tuesday, May 19, 2020 1:47 PM

All replies

  • You can disable scans in reparse points by policy; check the article: Configure Microsoft Defender Antivirus scanning options

    I was not able to paste the URL, sorry.

    Tuesday, June 16, 2020 7:08 PM
  • Thanks for the reply, but that is not my problem.

    My problem is that ATP seems to be setting Extended Attributes on files. This is crazy behavior.

    There is no documentation on this that I can find. I need to find a way to prevent ATP from writing EAs.

    By the way, my customer "solved" the problem by reformatting the volume to ReFS. Works great since ReFS doesn't support EAs. This is not really a solution, though.

    If it helps, the EA tag that is created is: $KERNEL.PURGE.SEC.FILEHASH


    Tuesday, June 16, 2020 7:55 PM