You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-endpoint/troubleshoot-performance-issues.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,7 +7,7 @@ ms.author: ewalsh
7
7
author: emmwalshh
8
8
ms.localizationpriority: medium
9
9
manager: deniseb
10
-
ms.date: 01/13/2025
10
+
ms.date: 01/31/2025
11
11
audience: ITPro
12
12
ms.topic: troubleshooting
13
13
ms.subservice: ngp
@@ -40,13 +40,13 @@ First, you might want to check if other software is causing the issue. Read [Che
40
40
41
41
| Reason | Solution |
42
42
| -------- | -------- |
43
-
|1: **Binaries not signed** (`.exe`, `.dll`, and so on) <br/>Anytime that a binary (such as `.exe`,`.dll`, and so on) is launched/started, if it's not digitally signed, Microsoft Defender Antivirus starts a real-time protection scan or when you are running a scheduled scan, and/or on-demand scan.|You should consider signing the binaries using an internal PKI. And/or reaching out to the vendor so they could sign the binary. And adding the certificate to the [Indicators – Certificate - allow ](/defender-endpoint/indicator-certificates)<br/><br/>We recommend that software vendors follow the various guidelines in [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/). The software vendor or software developer can submit the application, service, or script in the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi/filesubmission?persona=SoftwareDeveloper).<br/><br/>As a work-around, you can follow these steps: <br/>1. (Preferred) For .exe's and dll's use [Indicators – File hash - allow](/defender-endpoint/indicator-file) <br/>2. (Alternative) Add [Antivirus exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). |
43
+
|1: **Binaries not signed** (`.exe`, `.dll`, and so on) <br/>Anytime that a binary (such as `.exe`,`.dll`, and so on) is launched/started, if it's not digitally signed, Microsoft Defender Antivirus starts a real-time protection scan or when you're running a scheduled scan, and/or on-demand scan.|You should consider signing the binaries using an internal PKI. And/or reaching out to the vendor so they could sign the binary. And adding the certificate to the [Indicators – Certificate - allow ](/defender-endpoint/indicator-certificates)<br/><br/>We recommend that software vendors follow the various guidelines in [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/). The software vendor or software developer can submit the application, service, or script in the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi/filesubmission?persona=SoftwareDeveloper).<br/><br/>As a work-around, you can follow these steps: <br/>1. (Preferred) For .exe's and dll's use [Indicators – File hash - allow](/defender-endpoint/indicator-file) <br/>2. (Alternative) Add [Antivirus exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). |
44
44
|2. **Using HTA's, CHM's and different files as databases**. <br/>Anytime that Microsoft Defender Antivirus must extract and/or scan complex file formats, higher CPU utilization can occur. | Consider switching to using actual databases if you need to save info and query it. <br/><br/>As a workaround, add [Antivirus exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). |
45
45
|3. **Using obfuscations on scripts**. <br/>If you obfuscate scripts, Microsoft Defender Antivirus in order to check if the script contains malicious payloads, it can use more CPU utilization while scanning. | Use script obfuscation only when necessary.<br/><br/>As a workaround, add [Antivirus exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). |
46
46
|4. **Not letting the Microsoft Defender Antivirus cache finish before sealing the image**.| If you're creating a VDI image such as for a non-persistent image, make sure that cache maintenance completes before the image is sealed. <br/> For more information, see [Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop infrastructure environment](/defender-endpoint/deployment-vdi-microsoft-defender-antivirus). |
47
47
|5. **Having the wrong path exclusion(s) due to misspelling**. <br/>If you add misspelled exclusion paths, it can lead to performance issues.| Use `MpCmdRun.exe -CheckExclusion -Path` to validate path-based exclusions. |
48
48
|6. **When a path exclusion is added, it works for scanning flows**. <br/>Behavior Monitoring (BM) and Network Real-time Inspection (NRI) can still cause performance issues. |As a workaround, take these steps: <br/>1. (Preferred) For .exe's and dll's use [Indicators – File hash - allow](/defender-endpoint/indicator-file) or [Indicators – Certificate - allow](/defender-endpoint/indicator-certificates) <br/>2. (Alternative) [Add Antivirus exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). |
49
-
|7. **File hash computation**. <br/>If you enable file hash computation, which is used for [file indicators](indicator-file.md), there's more performance overhead. For example, copying large files from a network share onto your local device, especially over a VPN connection, might have an effect on device performance. | This is where you, and your leadership team will have to make a decision, of having more security or less CPU utilization. <br/><br/>One possible solution is to disable the File hash computation feature. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MpEngine**, and then enable file hash computation features. Note: If you want Indicators - File hash to work, this needs to be enabled.|
49
+
|7. **File hash computation**. <br/>If you enable file hash computation, which is used for [file indicators](indicator-file.md), there's more performance overhead. For example, copying large files from a network share onto your local device, especially over a VPN connection, might have an effect on device performance. | This is where you, and your leadership team will have to make a decision, of having more security or less CPU utilization. <br/><br/>One possible solution is to disable the File hash computation feature. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MpEngine**, and then enable file hash computation features. Note: To enable Indicators - File hash functionality, this feature must be activated.|
50
50
51
51
### To help determine which component might be contributing to higher CPU utilization
0 commit comments