Merge pull request #2575 from YongRhee-MSFT/docs-editor/troubleshoot-performance-issue-1738102016

padmagit77 · web-flow · commit 9086cbd9773a · 2025-01-31T18:13:22.000+05:30
Update troubleshoot-performance-issues.md -- Emm is reviewing
diff --git a/defender-endpoint/troubleshoot-performance-issues.md b/defender-endpoint/troubleshoot-performance-issues.md
@@ -7,7 +7,7 @@ ms.author: ewalsh
 author: emmwalshh
 ms.localizationpriority: medium
 manager: deniseb
-ms.date: 01/13/2025
+ms.date: 01/31/2025
 audience: ITPro
 ms.topic: troubleshooting
 ms.subservice: ngp
@@ -40,13 +40,13 @@ First, you might want to check if other software is causing the issue. Read [Che
 
 | Reason | Solution |
 | -------- | -------- |
-|1: **Binaries not signed** (`.exe`, `.dll`, `.ps1`, and so on) <br/>Anytime that a binary (such as `.exe`, `.dll`, `.ps1`, and so on) is launched/started, if it's not digitally signed, Microsoft Defender Antivirus starts a real-time protection scan, scheduled scan, and/or on-demand scan. | You all should consider signing (Extended code validation (EV) code signing or using internal PKI) the binaries. And/or reaching out to the vendor so they could sign the binary (EV code signing). <br/><br/>We recommend that software vendors follow the various guidelines in [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/). The vendor or software developer can submit the application, service, or script in the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi/filesubmission?persona=SoftwareDeveloper). <br/><br/>As a work-around, you can follow these steps: <br/>1. (Preferred) For .exe's and dll's use [Indicators – File hash - allow](/defender-endpoint/indicator-file) or [Indicators – Certificate - allow](/defender-endpoint/indicator-certificates) <br/>2. (Alternative) Add [Antivirus exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). |
+|1. **Binaries not signed** (`.exe`, `.dll`, and so on) <br/>Anytime that a binary (such as `.exe`,`.dll`, and so on) is launched/started, if it's not digitally signed, Microsoft Defender Antivirus starts a real-time protection scan or when you're running a scheduled scan, and/or on-demand scan.|You should consider signing the binaries using an internal PKI. And/or reaching out to the vendor so they could sign the binary.  And adding the certificate to the [Indicators – Certificate - allow ](/defender-endpoint/indicator-certificates)<br/><br/>We recommend that software vendors follow the various guidelines in [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/). The software vendor or software developer can submit the application, service, or script in the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi/filesubmission?persona=SoftwareDeveloper).<br/><br/>As a work-around, you can follow these steps: <br/>1. (Preferred) For .exe's and dll's use [Indicators – File hash - allow](/defender-endpoint/indicator-file)  <br/>2. (Alternative) Add [Antivirus exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). |
 |2. **Using HTA's, CHM's and different files as databases**. <br/>Anytime that Microsoft Defender Antivirus must extract and/or scan complex file formats, higher CPU utilization can occur. | Consider switching to using actual databases if you need to save info and query it. <br/><br/>As a workaround, add [Antivirus exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). |
 |3. **Using obfuscations on scripts**. <br/>If you obfuscate scripts, Microsoft Defender Antivirus in order to check if the script contains malicious payloads, it can use more CPU utilization while scanning. | Use script obfuscation only when necessary.<br/><br/>As a workaround, add [Antivirus exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). |
 |4. **Not letting the Microsoft Defender Antivirus cache finish before sealing the image**.| If you're creating a VDI image such as for a non-persistent image, make sure that cache maintenance completes before the image is sealed. <br/> For more information, see [Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop infrastructure environment](/defender-endpoint/deployment-vdi-microsoft-defender-antivirus). |
 |5. **Having the wrong path exclusion(s) due to misspelling**. <br/>If you add misspelled exclusion paths, it can lead to performance issues.| Use `MpCmdRun.exe -CheckExclusion -Path` to validate path-based exclusions. |
 |6. **When a path exclusion is added, it works for scanning flows**. <br/>Behavior Monitoring (BM) and Network Real-time Inspection (NRI) can still cause performance issues. |As a workaround, take these steps: <br/>1. (Preferred) For .exe's and dll's use [Indicators – File hash - allow](/defender-endpoint/indicator-file) or [Indicators – Certificate - allow](/defender-endpoint/indicator-certificates) <br/>2. (Alternative) [Add Antivirus exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). |
-|7. **File hash computation**. <br/>If you enable file hash computation, which is used for [file indicators](indicator-file.md), there's more performance overhead. For example, copying large files from a network share onto your local device, especially over a VPN connection, might have an effect on device performance. | This is where you, and your leadership team will have to make a decision, of having more security or less CPU utilization. <br/><br/>One possible solution is to disable the File hash computation feature. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MpEngine**, and then enable file hash computation features.|
+|7. **File hash computation**. <br/>If you enable file hash computation, which is used for [file indicators](indicator-file.md), there's more performance overhead. For example, copying large files from a network share onto your local device, especially over a VPN connection, might have an effect on device performance. | This is where you, and your leadership team will have to make a decision, of having more security or less CPU utilization. <br/><br/>One possible solution is to disable the File hash computation feature. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MpEngine**, and then enable file hash computation features. <br/>**Note**: To enable Indicators - File hash functionality, this feature must be activated.|
 
 ### To help determine which component might be contributing to higher CPU utilization
 
@@ -65,8 +65,8 @@ After the proa\ctive steps are complete, you can identify what is triggering and
 | #|Tools to help narrow down what's triggering the high CPU utilization|Comments|
 | -------- | -------- | -------- |
 |1  |[Collect Microsoft Defender Antivirus diagnostic data](/defender-endpoint/collect-diagnostic-data)|Microsoft Defender Antivirus diagnostic data that you want to include whenever troubleshooting an issue with Microsoft Defender Antivirus.|
-|2|[Performance analyzer for Microsoft Defender Antivirus](/defender-endpoint/tune-performance-defender-antivirus)|For performance-specific issues related to Microsoft Defender Antivirus, see Performance analyzer for Microsoft Defender Antivirus. This allows you to run the data collection and parse the data, where it's easy to understand. Note: Make sure that the issue is reproducing when you collect this data.|
-|3|[Troubleshoot Microsoft Defender Antivirus performance issues with Process Monitor](/defender-endpoint/troubleshoot-av-performance-issues-with-procmon)|If for some reason that the Microsoft Defender Antivirus performance analyzer doesn't provide with the details that you need to narrow down on what's triggering the high CPU utilization, you can use Process Monitor (ProcMon). Tip: You can collect for 5-10 minutes. Note: Make sure that the issue is reproducing when you collect this data.|
+|2|[Performance analyzer for Microsoft Defender Antivirus](/defender-endpoint/tune-performance-defender-antivirus)|For performance-specific issues related to Microsoft Defender Antivirus, see Performance analyzer for Microsoft Defender Antivirus. This allows you to run the data collection and parse the data, where it's easy to understand. <br/>**Note**: Make sure that the issue is reproducing when you collect this data.|
+|3|[Troubleshoot Microsoft Defender Antivirus performance issues with Process Monitor](/defender-endpoint/troubleshoot-av-performance-issues-with-procmon)|If for some reason that the Microsoft Defender Antivirus performance analyzer doesn't provide with the details that you need to narrow down on what's triggering the high CPU utilization, you can use Process Monitor (ProcMon). Tip: You can collect for 5-10 minutes. <br/>**Note**: Make sure that the issue is reproducing when you collect this data.|
 |4|[Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI](/defender-endpoint/troubleshoot-av-performance-issues-with-wprui)|For more advanced troubleshooting, you can utilize the Windows Performance Recorder UI (WPRUI) or Windows Performance Recorder (WPR). Keep in mind that due to the verbosity of this trace, it should be limited to a maximum of 3 to 5 minutes. Ensure that the issue is actively occurring when you collect this data.
 
 ## Check with the vendor for known issues with antivirus products
