ControlUp community members reported unusual behaviour in their environment: VDIs were ignoring all policies and scanning their drives. Microsoft Defender Engine 4.8.2210.6 was identified as the cause, and the release was rebuilt with the newer 4.8.2211.5 engine to fix it. Other users were asked whether they had seen the same issue. It was then clarified that the engine was not actually scanning the drives; rather, the Defender process itself (msmpeng.exe) was pulling large amounts of data from the PVS server. Investigation of the monitoring database found that most systems could not report the version of the process, and the instances that did showed no spike in I/O.
Read the entire ‘Investigating Unusual Behavior on ControlUp VDI’s’ thread below:
Hello everyone, we had some weird issues last week in our environment.
VDIs booted from a vDisk built on the 9th of November (read-only since that date) suddenly decided to ignore all policies and started scanning their drive.
Seems to be a bug in the Microsoft Defender Engine 4.8.2210.6.
We had to do a rebuild of the release to include the latest 4.8.2211.5 engine to fix it. No policy changes or anything else triggered it so I was wondering if others noticed issues as well?
Thanks for sharing, Matthijs! I’ll keep an eye out for this issue occurring in other environments. 👍
Hey guys! Very interesting, I will go over the DB to look for traces of abnormal behavior for this build number, will report back if I get anything good
Our new build of December (build of the 14th) is showing the same behavior again.
No event logs of scans started whatsoever.
So just to clarify, what exactly is the anomaly you’re seeing? The engine is not expected to scan the drives and it does?
If there’s a specific process for which you’re seeing increased I/O activity, please let me know the process name.
Correct. Based on the logs Defender is not scanning but the process itself (msmpeng.exe) is pulling tons of data from the PVS server.
No dice here… tried pulling the stats for msmpeng.exe, but it looks like on most of the systems it doesn’t let us grab its version, so I get "no version" in the DB. Well, I guess this is understandable behavior for an antivirus.
And the instances that I do get the version from don’t show any significant spike in I/O for any version.
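A triage check for the symptom this thread describes, added here as an example and not posted by any participant: it reads the Defender version fields directly (sidestepping the "no version" problem with reading msmpeng.exe's file version), samples MsMpEng's read throughput, and counts Defender scan events. The version strings are the ones quoted in the thread; the 20 MB/s threshold and the choice of version fields are assumptions.

```powershell
# Added example, not from the thread. Run elevated on a Windows VDI that has the
# Defender PowerShell module. Version strings come from the thread; the read-rate
# threshold is illustrative.

$AffectedVersion = '4.8.2210.6'   # version the thread blames
$FixedVersion    = '4.8.2211.5'   # version that resolved it

# 1. Versions as reported by Defender itself. The thread calls it the "engine";
#    AMEngineVersion carries the 1.1.x engine string and AMProductVersion the
#    4.x platform string, so both are checked (assumption about which field matches).
$status = Get-MpComputerStatus
Write-Output "Engine: $($status.AMEngineVersion)  Platform: $($status.AMProductVersion)  (fix: $FixedVersion)"
if ($status.AMEngineVersion -eq $AffectedVersion -or $status.AMProductVersion -eq $AffectedVersion) {
    Write-Warning "Version $AffectedVersion is the one reported as problematic in the thread"
}

# 2. Sample MsMpEng's read rate for 10 seconds. The PVS-backed vDisk is what
#    those reads hit, so sustained heavy reads here are the symptom to look for.
$samples = Get-Counter -Counter '\Process(MsMpEng)\IO Read Bytes/sec' `
                       -SampleInterval 1 -MaxSamples 10
$avgMBps = ($samples.CounterSamples | Measure-Object CookedValue -Average).Average / 1MB
Write-Output ('MsMpEng average read rate: {0:N2} MB/s' -f $avgMBps)

# 3. Scan events in the last hour (Defender operational log: 1000 = scan started,
#    1001 = scan finished). The thread saw heavy reads with no scan events at all.
$scanEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1000, 1001
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue
Write-Output "Scan events in last hour: $(@($scanEvents).Count)"

# Heavy reads without any scan event is the pattern described in the thread.
if ($avgMBps -gt 20 -and @($scanEvents).Count -eq 0) {
    Write-Warning 'Sustained MsMpEng reads with no scan events: matches the behaviour reported in the thread'
}
```

Run it on a VDI showing the symptom and on a healthy one from the same build; the useful signal is the difference in read rate between the two, not the absolute value.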