Commit 63eceb0

committed
Update troubleshoot-performance-issues.md
1 parent 1b80f31 commit 63eceb0

File tree

1 file changed

+6
-6
lines changed

defender-endpoint/troubleshoot-performance-issues.md

Lines changed: 6 additions & 6 deletions
@@ -41,12 +41,12 @@ First, you might want to check if the issue is caused by other software. Read [C
4141
| Reason | Solution |
4242
| -------- | -------- |
4343
|1: **Binaries not signed** (.exe's, .dll's, .ps1, etc…) <br/><br/>Anytime that a binary ( such as `.exe`, `.dll`, `.ps1`, and so on) is launched/started, if it's not digitally signed, Microsoft Defender Antivirus starts a real-time protection scan, scheduled scan, and/or on-demand scan. | You all should consider signing (Extended code validation (EV) code signing or using internal PKI) the binaries. And/or reaching out to the vendor so they could sign the binary (EV code signing). <br/><br/>We recommend that software vendors follow the various guidelines in [Partnering with the industry to minimize false positives](https://www.microsoft.com/en-us/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/). The vendor or software developer can submit the application, service, or script in the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi/filesubmission?persona=SoftwareDeveloper). <br/><br/>As a work-around, you can follow these steps: <br/>1. (Preferred) For .exe's and dll's use [Indicators – File hash - allow](/defender-endpoint/indicator-file) or [Indicators – Certificate - allow](/defender-endpoint/indicator-certificates) <br/>2. (Alternative) Add [AV exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). |
44-
|2|Using HTA's, CHM's and different files as databases.|Anytime that MDAV needs to extract and/or scan complex file formats, higher cpu utilization can occur.|Look at using actual databases, if you need to save info and query it. Work-around: Add [AV exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus)|
45-
|3|Using obfuscations on scripts|If you obfuscate scripts, MDAV in order to check if the script contains malicious payloads, it can use more cpu utilization while scanning.|Only use script obfuscation if really necessary. Work-around: Add [AV exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus)|
46-
|4|Not letting the MDAV cache finish before sealing the image. |If you are creating a VDI image such as for a non-persistent image, make sure that the 'cache maintenance' completes before the image is sealed. |Review: [Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop infrastructure environment](/defender-endpoint/deployment-vdi-microsoft-defender-antivirus)|
47-
|5|Having the wrong path exclusion(s) due to misspelling|If you add misspelled exclusion paths, it can lead to performance issues.|Use MpCmdRun.exe -CheckExclusion -Path to validate path-based exclusions.|
48-
|6|When a path exclusion is added, it works for scanning flows. |Behavior Monitoring (BM) and Network Real-time Inspection (NRI) may still cause performance issues. |Work-around: 1) (Preferred) For .exe's and dll's use [Indicators – File hash - allow](/defender-endpoint/indicator-file) or [Indicators – Certificate - allow](/defender-endpoint/indicator-certificates) 2) (Alternative) 2) [Add AV exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus)|
49-
|7|File hash computation|If you enable "File hash computation" which is used for Indicators - File hash - allow, there is an additional performance overhead which is [documented](/defender-endpoint/indicator-file). For example, copying large files from a network share onto your local device, especially over a VPN connection, might have an effect on device performance. |This is where you, and your leadership team will have to make a decision, of having more security or less cpu utilization. Solution would be to disable the File hash computation feature. Computer Configuration > Adminstrative Templates > Windows Components > Microsoft Defender Antivirus > MpEngine > Enable file hash computation features.|
44+
|2. **Using HTA's, CHM's and different files as databases**. <br/><br/>Anytime that Microsoft Defender Antivirus must extract and/or scan complex file formats, higher CPU utilization can occur. | Consider switching to using actual databases if you need to save info and query it. <br/><br/>As a workaround, add [Antivirus exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). |
45+
|3. **Using obfuscations on scripts**. <br/><br/>If you obfuscate scripts, MDAV in order to check if the script contains malicious payloads, it can use more cpu utilization while scanning. | Only use script obfuscation if really necessary.<br/><br/>As a workaround, add [AV exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). |
46+
|4. **Not letting the MDAV cache finish before sealing the image**.| If you are creating a VDI image such as for a non-persistent image, make sure that cache maintenance completes before the image is sealed. <br/> For more information, see [Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop infrastructure environment](/defender-endpoint/deployment-vdi-microsoft-defender-antivirus). |
47+
|5. **Having the wrong path exclusion(s) due to misspelling**. <br/><br/>If you add misspelled exclusion paths, it can lead to performance issues.| Use `MpCmdRun.exe -CheckExclusion -Path` to validate path-based exclusions. |
48+
|6. **When a path exclusion is added, it works for scanning flows**. <br/><br/>Behavior Monitoring (BM) and Network Real-time Inspection (NRI) may still cause performance issues. |As a workaround, take these steps: <br/>1. (Preferred) For .exe's and dll's use [Indicators – File hash - allow](/defender-endpoint/indicator-file) or [Indicators – Certificate - allow](/defender-endpoint/indicator-certificates) <br/>2. (Alternative) [Add AV exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). |
49+
|7. **File hash computation**. <br/><br/>If you enable "File hash computation" which is used for Indicators - File hash - allow, there is an additional performance overhead which is [documented](/defender-endpoint/indicator-file). For example, copying large files from a network share onto your local device, especially over a VPN connection, might have an effect on device performance. | This is where you, and your leadership team will have to make a decision, of having more security or less cpu utilization. <br/><br/>One possible solution is to disable the File hash computation feature. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MpEngine**, and then enable file hash computation features.|
5050

5151
### Narrowing it down to which Microsoft Defender Antivirus component could be contributing to the higher cpu utilization:
5252

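Review bot: the new row 7 (line 49+) now contradicts itself: it says "One possible solution is to disable the File hash computation feature" but the navigation path ends with "and then enable file hash computation features." The removed text (line 49-) had "Enable file hash computation features" as the name of the last policy element; keeping it as a bolded policy name and stating the value to set, for example `> **MpEngine** > **Enable file hash computation features**, and set it to **Disabled**`, would remove the ambiguity. Minor consistency points in the same hunk: row 3 (45+) still uses "cpu utilization" and "AV exclusions" where row 2 (44+) was changed to "CPU utilization" and "Antivirus exclusions", and the sentence "MDAV in order to check if the script contains malicious payloads, it can use more cpu utilization while scanning" still needs restructuring (e.g. "To check whether an obfuscated script contains a malicious payload, Microsoft Defender Antivirus can use more CPU while scanning"). Row 7 also keeps "less cpu utilization" and the run-on "This is where you, and your leadership team will have to make a decision, of having more security or less cpu utilization" that the rest of the hunk cleaned up.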