Commit 1b80f31

Update troubleshoot-performance-issues.md
1 parent a1fc5eb commit 1b80f31

1 file changed

+4
-4
lines changed

defender-endpoint/troubleshoot-performance-issues.md

Lines changed: 4 additions & 4 deletions
@@ -36,11 +36,11 @@ As an admin, you can also troubleshoot these issues on your own.
3636

3737
First, you might want to check if the issue is caused by other software. Read [Check with the vendor for known issues with antivirus exclusions](#check-with-the-vendor-for-known-issues-with-antivirus-products).
3838

39-
## Common reasons for higher cpu utilization by Microsoft Defender Antivirus:
39+
## Common reasons for higher CPU utilization by Microsoft Defender Antivirus
4040

41-
|#|Common reason for higher cpu utilization|Information|Solution |
42-
| -------- | -------- | -------- | -------- |
43-
|1|Binaries not being signed (.exe's, .dll's, .ps1, etc…) |Anytime that a binary (.exe's, .dll's, .ps1, etc…) are launched/started, if they are not digitally signed, we will go ahead and do a real-time protection (rtp) scan and/or scheduled scan and/or on-demand scan.|You all should consider signing (Extended code validation (EV) code signing or using internal PKI) the binaries. And/or reaching out to the vendor so they could sign the binary (EV code signing). We recommend that software vendors follow the various guidelines in [Partnering with the industry to minimize false positives](https://www.microsoft.com/en-us/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/). The vendor or if it's an inhouse built application/service/script, the software can be submitted through the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi/filesubmission?persona=SoftwareDeveloper). Work-around: 1) (Preferred) For .exe's and dll's use [Indicators – File hash - allow](/defender-endpoint/indicator-file) or [Indicators – Certificate - allow](/defender-endpoint/indicator-certificates) 2) (Alternative) 2) Add [AV exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). |
41+
| Reason | Solution |
42+
| -------- | -------- |
43+
|1: **Binaries not signed** (.exe's, .dll's, .ps1, etc…) <br/><br/>Anytime that a binary ( such as `.exe`, `.dll`, `.ps1`, and so on) is launched/started, if it's not digitally signed, Microsoft Defender Antivirus starts a real-time protection scan, scheduled scan, and/or on-demand scan. | You all should consider signing (Extended code validation (EV) code signing or using internal PKI) the binaries. And/or reaching out to the vendor so they could sign the binary (EV code signing). <br/><br/>We recommend that software vendors follow the various guidelines in [Partnering with the industry to minimize false positives](https://www.microsoft.com/en-us/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/). The vendor or software developer can submit the application, service, or script in the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi/filesubmission?persona=SoftwareDeveloper). <br/><br/>As a work-around, you can follow these steps: <br/>1. (Preferred) For .exe's and dll's use [Indicators – File hash - allow](/defender-endpoint/indicator-file) or [Indicators – Certificate - allow](/defender-endpoint/indicator-certificates) <br/>2. (Alternative) Add [AV exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). |
4444
|2|Using HTA's, CHM's and different files as databases.|Anytime that MDAV needs to extract and/or scan complex file formats, higher cpu utilization can occur.|Look at using actual databases, if you need to save info and query it. Work-around: Add [AV exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus)|
4545
|3|Using obfuscations on scripts|If you obfuscate scripts, MDAV in order to check if the script contains malicious payloads, it can use more cpu utilization while scanning.|Only use script obfuscation if really necessary. Work-around: Add [AV exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus)|
4646
|4|Not letting the MDAV cache finish before sealing the image. |If you are creating a VDI image such as for a non-persistent image, make sure that the 'cache maintenance' completes before the image is sealed. |Review: [Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop infrastructure environment](/defender-endpoint/deployment-vdi-microsoft-defender-antivirus)|
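
Review bot: The new two-column header `| Reason | Solution |` (new line 41) no longer matches rows 2 to 4, which this hunk leaves in the old four-column form `|2|…|…|…|`. GitHub-flavoured Markdown ignores cells beyond the header width, so those rows would likely render with only the number and the reason, and their Information and Solution text (including the exclusion and VDI links) would be dropped. Convert rows 2 to 4 to the same two-column layout in this commit, or keep the four-column header until they are converted. Smaller points in the rewritten row 1: the first cell lists the extensions twice, once as `(.exe's, .dll's, .ps1, etc…)` and again as `` ( such as `.exe`, `.dll`, `.ps1`, and so on) `` with a stray space after the opening parenthesis; "Extended code validation (EV) code signing" is carried over unchanged, and EV stands for Extended Validation; and "You all should consider signing" still reads informally next to the otherwise tightened wording.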
