You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-endpoint/troubleshoot-performance-issues.md
+6-6Lines changed: 6 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -56,19 +56,19 @@ First, you might want to check if other software is causing the issue. Read [Che
56
56
| Scheduled scanning |Check your default scheduled scan settings<br/><br/>**General scheduled scan settings**.<br/><br/>- Configure low CPU priority for scheduled scans (Use low CPU priority for scheduled scans). <br/>The thread priority in Windows for normal scans has two values: `8` (lower) and `9` (higher). By setting this to `enabled`, you're lowering the scheduled scan thread priority from `9` to `8`, which enables other application threads to run with a higher priority, thus getting more cpu time than Microsoft Defender Antivirus. <br/><br/>- Specify the maximum percentage of CPU utilization during a scan (CPU usage limit per scan). `50` is the default setting; you can lower it to `20` or `30`. <br/>If you have a change control window, by modifying the amount of cpu that can be used causes the scan to take longer. <br/><br/>- Start the scheduled scan only when computer is on but not in use by setting `ScanOnlyIfIdle` to `Not configured` (it's enabled by default). <br/>It requires the machine to be idle, meaning the cpu usage overall of the device has to be lower than 80%. <br/><br/>**Daily quick scan settings**<br/><br/>- Set `Specify the interval to run quick scans per day` to `Not configured` (How many hours have elapsed, before the next quick scan runs - 0 to 24 hours)<br/><br/>- Set `Specify the time for a daily quick scan (Run daily quick scan at)` to `12 PM`. <br/><br/>**Run a weekly scheduled scan (quick or full) settings** <br/><br/>- Specify the scan type to use for a scheduled scan (Set `Scan type` to `Not configured`). <br/><br/>- Specify the time of day to run a scheduled scan (Set `Day of week to run scheduled scan` to `Not configured`). <br/><br/>- Specify the day of the week to run a scheduled scan (Set `Time of day to run a scheduled scan` to `Not configured`). |
57
57
| Scan after a security intelligence update.|By default, Microsoft Defender Antivirus scans after a security intelligence update for optimal protection purposes. If scheduled scans are enabled, you might think that there are scans that are run outside of the schedule. This is where you, and your leadership team will have to make a decision, of having more security or less cpu utilization. <br/><br/>As a workaround, in Group Policy (or another management tool, such as MDM), go to **Computer Configuration** > **Administrative Templates** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**, and set **Turn on scan after security intelligence update** to `Disabled`. |
58
58
| Conflicts with other security software | If you have non-Microsoft security software, such as antivirus, EDR, DLP, endpoint privilege management, VPN, and so on, add the that software to the Microsoft Defender Antivirus exclusions (path + processes), and vice-versa.<br/><br/> To get the list of the Microsoft Defender Antivirus binaries, see [Configure your network environment to ensure connectivity with Defender for Endpoint service](/defender-endpoint/configure-environment). |
59
-
| Scanning a large number of files or folders | If you have a big file such as an .iso, .vhdx, and so on sitting in your user profile (desktop, downloads, documents, and so on) and that profile is being redirected to network shares, such as Offline Files (CSC) or OneDrive (or similar products), scans can take longer to run. This is because you're scanning a network, where there is additional latency compared to files stored locally on a device.<br/><br/>If you don't need the .iso/.vhd/.vhdx, etc… sitting on your profile, move it to a different folder where it's not sitting on a network share (mapped drive, unc share, smb share). |
59
+
| Scanning a large number of files or folders | If you have a big file such as an .iso, .vhdx, and so on, sitting in your user profile (desktop, downloads, documents, and so on) and that profile is being redirected to network shares, such as Offline Files (CSC) or OneDrive (or similar products), scans can take longer to run. This is because you're scanning a network, where there's more latency compared to files stored locally on a device.<br/><br/>If you don't need the .iso/.vhd/.vhdx, etc… sitting on your profile, move it to a different folder where it's not sitting on a network share (mapped drive, unc share, smb share). |
60
60
61
61
## What's triggering and causing the higher cpu utilization in Microsoft Defender Antivirus.
62
62
63
-
Now, if you have gone thru the proactive steps, next is to find what's triggering and causing the higher cpu utilization:
63
+
Now, if you have gone through the proactive steps, next is to find what's triggering and causing the higher cpu utilization:
64
64
65
65
66
66
| #|Tools to help narrow down what's triggering the high cpu utilization|Comments|
67
67
| -------- | -------- | -------- |
68
68
|1 |[Collect Microsoft Defender Antivirus diagnostic data](/defender-endpoint/collect-diagnostic-data)|Microsoft Defender Antivirus diagnostic data that you want to include whenever troubleshooting an issue with Microsoft Defender Antivirus.|
69
-
|2|[Performance analyzer for Microsoft Defender Antivirus](/defender-endpoint/tune-performance-defender-antivirus)|For performance-specific issues related to Microsoft Defender Antivirus, see Performance analyzer for Microsoft Defender Antivirus. This allows you to run the data collection and parse the data, where it's easy to understand. Note: Please make sure that the issue is reproducing when you collect this data.|
70
-
|3|[Troubleshoot Microsoft Defender Antivirus performance issues with Process Monitor](/defender-endpoint/troubleshoot-av-performance-issues-with-procmon)|If for some reason that the Microsoft Defender Antivirus performance analyzer doesn't provide with the details that you need to narrow down on what's triggering the high cpu utilization, you can use Process Monitor (ProcMon). Tip: You can collect for 5-10 minutes. Note: Please make sure that the issue is reproducing when you collect this data.|
71
-
|4|[Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI](Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI)|In cases of a more advanced troubleshooting needed, you can use the Windows Performance Recorder UI (WPRUI) or Windows Performance Recorder (WPR). Tip: Due to the verbosity of this trace, keep it to 3 to 5 minute max. Note: Please make sure that the issue is reproducing when you collect this data.|
69
+
|2|[Performance analyzer for Microsoft Defender Antivirus](/defender-endpoint/tune-performance-defender-antivirus)|For performance-specific issues related to Microsoft Defender Antivirus, see Performance analyzer for Microsoft Defender Antivirus. This allows you to run the data collection and parse the data, where it's easy to understand. Note: Make sure that the issue is reproducing when you collect this data.|
70
+
|3|[Troubleshoot Microsoft Defender Antivirus performance issues with Process Monitor](/defender-endpoint/troubleshoot-av-performance-issues-with-procmon)|If for some reason that the Microsoft Defender Antivirus performance analyzer doesn't provide with the details that you need to narrow down on what's triggering the high cpu utilization, you can use Process Monitor (ProcMon). Tip: You can collect for 5-10 minutes. Note: Make sure that the issue is reproducing when you collect this data.|
71
+
|4|[Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI](Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI)|In cases of a more advanced troubleshooting needed, you can use the Windows Performance Recorder UI (WPRUI) or Windows Performance Recorder (WPR). Tip: Due to the verbosity of this trace, keep it to 3 to 5 minute max. Note: Make sure that the issue is reproducing when you collect this data.|
72
72
73
73
## Check with the vendor for known issues with antivirus products
74
74
@@ -78,7 +78,7 @@ We recommend that software vendors follow the various guidelines in [Partnering
78
78
79
79
**Q**: Should I use the "EstimatedImpact" in the Microsoft Protection Log C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-xxxxxxxx-xxxxxx.log?
80
80
81
-
**A**: No, we do not support looking anything in the MPLog.log, please use the tools mentioned "What's triggering and causing the higher cpu utilization in Microsoft Defender Antivirus."
81
+
**A**: No, we don't support looking anything in the MPLog.log. Use the tools mentioned in the section, [What's triggering and causing higher cpu utilization in Microsoft Defender Antivirus](#whats-triggering-and-causing-higher-cpu-utilization-in-microsoft-defender-antivirus)?
0 commit comments