Commit e91404a

Update troubleshoot-performance-issues.md
1 parent 63eceb0 commit e91404a

1 file changed: +8 -8 lines changed

defender-endpoint/troubleshoot-performance-issues.md

Lines changed: 8 additions & 8 deletions
@@ -48,15 +48,15 @@ First, you might want to check if the issue is caused by other software. Read [C
4848
|6. **When a path exclusion is added, it works for scanning flows**. <br/><br/>Behavior Monitoring (BM) and Network Real-time Inspection (NRI) may still cause performance issues. |As a workaround, take these steps: <br/>1. (Preferred) For .exe's and dll's use [Indicators – File hash - allow](/defender-endpoint/indicator-file) or [Indicators – Certificate - allow](/defender-endpoint/indicator-certificates) <br/>2. (Alternative) [Add AV exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). |
4949
|7. **File hash computation**. <br/><br/>If you enable "File hash computation" which is used for Indicators - File hash - allow, there is an additional performance overhead which is [documented](/defender-endpoint/indicator-file). For example, copying large files from a network share onto your local device, especially over a VPN connection, might have an effect on device performance. | This is where you, and your leadership team will have to make a decision, of having more security or less cpu utilization. <br/><br/>One possible solution is to disable the File hash computation feature. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MpEngine**, and then enable file hash computation features.|
5050

51-
### Narrowing it down to which Microsoft Defender Antivirus component could be contributing to the higher cpu utilization:
51+
### To help determine which component might be contributing to higher CPU utilization
5252

53-
|Component|Information| Solution|
54-
| -------- | -------- | -------- |
55-
|Real-time protection (RTP) scanning|You can use [Troubleshooting mode](/defender-endpoint/enable-troubleshooting-mode) to turn off [Tamper Protection](/defender-endpoint/troubleshoot-problems-with-tamper-protection). Once Tamper Protection is turned off, you could turn off the "Real-time protection" temporarily, in order to rule it out.|Please see above "Common reasons for higher cpu utilization by Microsoft Defender Antivirus"|
56-
|Scheduled scanning|Check your default scheduled scan settings|A few things that you can do to lower the cpu utilization during a scheduled scan. 1) **General scheduled scan settings** * 1a) Configure low CPU priority for scheduled scans (Use low CPU priority for scheduled scans): The thread priority in Windows for Normal, has two values. 8 (lower) and 9 (higher). By setting this to enabled, you are lowering the scheduled scan thread priority from 9 to 8. Which provides the other application threads to run with a higher priority, thus getting more cpu time than MDAV. * 1b) Specify the maximum percentage of CPU utilization during a scan (CPU usage limit per scan): 50 (default), you could lower it to 20 or 30%. Note: If you have a change control window, by modifying the amount of cpu that can be used, causes the scan to take longer. * 1c) Start the scheduled scan only when computer is on but not in use (ScanOnlyIfIdle): Not configured (Enabled by default). It requires the machine to be idle, meaning the cpu usage overall of the device has to be lower than 80%. 2) __Daily quick scan 2a) Specify the interval to run quick scans per day: Not configured (How many hours have elapsed, before the next quick scan runs - 0 to 24 hours) 2b) Specify the time for a daily quick scan (Run daily quick scan at): 12 PM. 3) Run a weekly scheduled scan (quick or full) 3a) Specify the scan type to use for a scheduled scan (Scan type): Not configured 3b) Specify the time of day to run a scheduled scan (Day of week to run scheduled scan): Not configured 3c) Specify the day of the week to run a scheduled scan (Time of day to run a scheduled scan): Not configured__|
57-
|Scan after a security intelligence update.|By default, MDAV scans after a security intelligence update for optimal protection purposes. Note: Customers that have scheduled scans enabled, might think that there are scans that are run outside of the schedule.|This is where you, and your leadership team will have to make a decision, of having more security or less cpu utilization. Work-around: In Group Policy (or other management such as MDM), Computer Configuration > Administrative Templates > Microsoft Defender Antivirus > Security Intelligence Updates > Turn on scan after security intelligence update > Disabled|
58-
|Conflict with other security software|If you have a 3rd party security software such as antivirus, edr, dlp, endpoint privilege management, vpn, etc…|Add the 3rd party security software to the MDAV exclusions (path + processes) and vice-versa. The list of the MDAV binaries are listed in the .xlsx here: [Configure your network environment to ensure connectivity with Defender for Endpoint service](/defender-endpoint/configure-environment)|
59-
|Scanning a large number of files or folders|Having big file such as an .iso or .vhdx , etc… sitting in your user profile (desktop, downloads, documents, etc…), and that profile is being redirected to network shares such as via Offline Files (CSC) or onedrive (or similar products). Since it has to scan via a network, where there is additional latency compared to sitting locally on the disk, the scans could take longer. |If you don't need the .iso/.vhd/.vhdx, etc… sitting on your profile, move it to a different folder where it's not sitting on a network share (mapped drive, unc share, smb share)|
53+
|Component| Solution|
54+
| -------- | -------- |
55+
|Real-time protection (RTP) scanning | You can use [Troubleshooting mode](/defender-endpoint/enable-troubleshooting-mode) to turn off [Tamper Protection](/defender-endpoint/troubleshoot-problems-with-tamper-protection). Once Tamper Protection is turned off, you could turn off the "Real-time protection" temporarily, in order to rule it out.<br/><br/>See the previous section, "Common reasons for higher cpu utilization by Microsoft Defender Antivirus". |
56+
|Scheduled scanning |Check your default scheduled scan settings<br/><br/>**General scheduled scan settings**.<br/><br/>- Configure low CPU priority for scheduled scans (Use low CPU priority for scheduled scans). <br/>The thread priority in Windows for normal scans has two values: 8 (lower) and 9 (higher). By setting this to enabled, you are lowering the scheduled scan thread priority from 9 to 8, which enables other application threads to run with a higher priority, thus getting more cpu time than MDAV. <br/><br/>- Specify the maximum percentage of CPU utilization during a scan (CPU usage limit per scan). 50 is the default setting; you can lower it to 20 or 30%. <br/>Note that if you have a change control window, by modifying the amount of cpu that can be used causes the scan to take longer. <br/><br/>- Start the scheduled scan only when computer is on but not in use by setting `ScanOnlyIfIdle` to `Not configured` (it's enabled by default). <br/>It requires the machine to be idle, meaning the cpu usage overall of the device has to be lower than 80%. <br/><br/>**Daily quick scan settings**<br/><br/>- Specify the interval to run quick scans per day: Not configured (How many hours have elapsed, before the next quick scan runs - 0 to 24 hours)<br/><br/>- Specify the time for a daily quick scan (Run daily quick scan at): 12 PM. <br/><br/>**Run a weekly scheduled scan (quick or full) settings** <br/><br/>- Specify the scan type to use for a scheduled scan (Set `Scan type` to `Not configured`). <br/><br/>- Specify the time of day to run a scheduled scan (Set `Day of week to run scheduled scan` to `Not configured`). <br/><br/>- Specify the day of the week to run a scheduled scan (Set `Time of day to run a scheduled scan` to `Not configured`). |
57+
|Scan after a security intelligence update.|By default, MDAV scans after a security intelligence update for optimal protection purposes. Note that if you have scheduled scans enabled, you might think that there are scans that are run outside of the schedule. This is where you, and your leadership team will have to make a decision, of having more security or less cpu utilization. <br/><br/>As a workaround, in Group Policy (or another management tool, such as MDM), go to **Computer Configuration** > **Administrative Templates** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**, and set **Turn on scan after security intelligence update** to `Disabled`. |
58+
|Conflicts with other security software | If you have non-Microsoft security software, such as antivirus, edr, dlp, endpoint privilege management, vpn, and so on, add the that software to the MDAV exclusions (path + processes) and vice-versa.<br/><br/> The list of the MDAV binaries are listed in the .xlsx here: [Configure your network environment to ensure connectivity with Defender for Endpoint service](/defender-endpoint/configure-environment)|
59+
|Scanning a large number of files or folders | If you have a big file such as an .iso, .vhdx, and so on sitting in your user profile (desktop, downloads, documents, and so on) and that profile is being redirected to network shares, such as Offline Files (CSC) or OneDrive (or similar products), scans can take longer to run. This is because you're scanning a network, where there is additional latency compared to files stored locally on a device.<br/><br/>If you don't need the .iso/.vhd/.vhdx, etc… sitting on your profile, move it to a different folder where it's not sitting on a network share (mapped drive, unc share, smb share). |
6060

6161
## What's triggering and causing the higher cpu utilization in Microsoft Defender Antivirus.
6262
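
Review bot: In the added "Scheduled scanning" row, the weekly-scan bullets pair each description with the wrong setting name: "Specify the time of day to run a scheduled scan" is followed by `Day of week to run scheduled scan`, and "Specify the day of the week to run a scheduled scan" by `Time of day to run a scheduled scan`. The removed row had the same swap, so this rewrite is the place to correct it. The rewrite also turns what the old row listed as current values ("(Scan type): Not configured", "(ScanOnlyIfIdle): Not configured (Enabled by default)") into instructions ("Set `Scan type` to `Not configured`", "by setting `ScanOnlyIfIdle` to `Not configured`"), which reads as if leaving a setting unconfigured were the remediation; suggest keeping the "setting: default value" wording. Smaller points: "for normal scans" changes the old "for Normal" (a priority level) into a statement about scans; "add the that software" in the conflicts row has a stray word; dropping the Information column leaves diagnostic background under a "Solution" header; and the RTP row tells readers to turn off Tamper Protection and Real-time protection to rule them out without a step to turn both back on once the test is done.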
