Troubleshoot performance issues related to real-time protection
Applies to:
- Microsoft Defender for Endpoint Plan 1 and 2
- Microsoft Defender Antivirus
Platforms
- Windows
- Windows Server
If your system is having high CPU usage or performance issues related to the Microsoft Defender Antivirus (Antimalware Service Executable, MsMpEng.exe, Microsoft Defender Antivirus).
As an admin, you can also troubleshoot these issues on your own.
First, you might want to check if other software is causing the issue. Read Check with the vendor for known issues with antivirus exclusions.
Common reasons for higher CPU utilization by Microsoft Defender Antivirus
| Reason | Solution |
|---|---|
1: Binaries not signed (.exe, .dll, .ps1, and so on) Anytime that a binary ( such as .exe, .dll, .ps1, and so on) is launched/started, if it's not digitally signed, Microsoft Defender Antivirus starts a real-time protection scan, scheduled scan, and/or on-demand scan. |
You all should consider signing (Extended code validation (EV) code signing or using internal PKI) the binaries. And/or reaching out to the vendor so they could sign the binary (EV code signing). We recommend that software vendors follow the various guidelines in Partnering with the industry to minimize false positives. The vendor or software developer can submit the application, service, or script in the Microsoft Security Intelligence portal. As a work-around, you can follow these steps: 1. (Preferred) For .exe's and dll's use Indicators – File hash - allow or Indicators – Certificate - allow 2. (Alternative) Add Antivirus exclusions (process+path). |
| 2. Using HTA's, CHM's and different files as databases. Anytime that Microsoft Defender Antivirus must extract and/or scan complex file formats, higher CPU utilization can occur. |
Consider switching to using actual databases if you need to save info and query it. As a workaround, add Antivirus exclusions (process+path). |
| 3. Using obfuscations on scripts. If you obfuscate scripts, Microsoft Defender Antivirus in order to check if the script contains malicious payloads, it can use more CPU utilization while scanning. |
Use script obfuscation only when necessary. As a workaround, add Antivirus exclusions (process+path). |
| 4. Not letting the Microsoft Defender Antivirus cache finish before sealing the image. | If you're creating a VDI image such as for a non-persistent image, make sure that cache maintenance completes before the image is sealed. For more information, see Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop infrastructure environment. |
| 5. Having the wrong path exclusion(s) due to misspelling. If you add misspelled exclusion paths, it can lead to performance issues. |
Use MpCmdRun.exe -CheckExclusion -Path to validate path-based exclusions. |
| 6. When a path exclusion is added, it works for scanning flows. Behavior Monitoring (BM) and Network Real-time Inspection (NRI) can still cause performance issues. |
As a workaround, take these steps: 1. (Preferred) For .exe's and dll's use Indicators – File hash - allow or Indicators – Certificate - allow 2. (Alternative) Add Antivirus exclusions (process+path). |
| 7. File hash computation. If you enable file hash computation, which is used for file indicators, there's more performance overhead. For example, copying large files from a network share onto your local device, especially over a VPN connection, might have an effect on device performance. |
This is where you, and your leadership team will have to make a decision, of having more security or less CPU utilization. One possible solution is to disable the File hash computation feature. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MpEngine, and then enable file hash computation features. |
To help determine which component might be contributing to higher CPU utilization
| Component | Solution |
|---|---|
| Real-time protection (RTP) scanning | You can use Troubleshooting mode to turn off Tamper Protection. Once Tamper Protection is turned off, you could turn off the "Real-time protection" temporarily, in order to rule it out. See the previous section, Common reasons for higher CPU utilization by Microsoft Defender Antivirus. |
| Scheduled scanning | Check your default scheduled scan settings General scheduled scan settings. - Configure low CPU priority for scheduled scans (Use low CPU priority for scheduled scans). The thread priority in Windows for normal scans has two values: 8 (lower) and 9 (higher). By setting this to enabled, you're lowering the scheduled scan thread priority from 9 to 8, which enables other application threads to run with a higher priority, thus getting more CPU time than Microsoft Defender Antivirus. - Specify the maximum percentage of CPU utilization during a scan (CPU usage limit per scan). 50 is the default setting; you can lower it to 20 or 30. If you have a change control window, by modifying the amount of CPU that can be used causes the scan to take longer. - Start the scheduled scan only when computer is on but not in use by setting ScanOnlyIfIdle to Not configured (it's enabled by default). It requires the machine to be idle, meaning the CPU usage overall of the device has to be lower than 80%. Daily quick scan settings - Set Specify the interval to run quick scans per day to Not configured (How many hours have elapsed, before the next quick scan runs - 0 to 24 hours)- Set Specify the time for a daily quick scan (Run daily quick scan at) to 12 PM. Run a weekly scheduled scan (quick or full) settings - Specify the scan type to use for a scheduled scan (Set Scan type to Not configured). - Specify the time of day to run a scheduled scan (Set Day of week to run scheduled scan to Not configured). - Specify the day of the week to run a scheduled scan (Set Time of day to run a scheduled scan to Not configured). |
| Scan after a security intelligence update. | By default, Microsoft Defender Antivirus scans after a security intelligence update for optimal protection purposes. If scheduled scans are enabled, you might think that there are scans that are run outside of the schedule. This is where you, and your leadership team will have to make a decision, of having more security or less CPU utilization. As a workaround, in Group Policy (or another management tool, such as MDM), go to Computer Configuration > Administrative Templates > Microsoft Defender Antivirus > Security Intelligence Updates, and set Turn on scan after security intelligence update to Disabled. |
| Conflicts with other security software | If you have non-Microsoft security software, such as antivirus, EDR, DLP, endpoint privilege management, VPN, and so on, add the that software to the Microsoft Defender Antivirus exclusions (path + processes), and vice-versa. To get the list of the Microsoft Defender Antivirus binaries, see Configure your network environment to ensure connectivity with Defender for Endpoint service. |
| Scanning a large number of files or folders | If you have a big file such as an .iso, .vhdx, and so on, sitting in your user profile (desktop, downloads, documents, and so on) and that profile is being redirected to network shares, such as Offline Files (CSC) or OneDrive (or similar products), scans can take longer to run. This is because you're scanning a network, where there's more latency compared to files stored locally on a device. If you don't need the .iso/.vhd/.vhdx, etc… sitting on your profile, move it to a different folder where it's not sitting on a network share (mapped drive, unc share, smb share). |
What's triggering and causing higher CPU utilization in Microsoft Defender Antivirus
Now, if you have gone through the proactive steps, next is to find what's triggering and causing the higher CPU utilization:
| # | Tools to help narrow down what's triggering the high CPU utilization | Comments |
|---|---|---|
| 1 | Collect Microsoft Defender Antivirus diagnostic data | Microsoft Defender Antivirus diagnostic data that you want to include whenever troubleshooting an issue with Microsoft Defender Antivirus. |
| 2 | Performance analyzer for Microsoft Defender Antivirus | For performance-specific issues related to Microsoft Defender Antivirus, see Performance analyzer for Microsoft Defender Antivirus. This allows you to run the data collection and parse the data, where it's easy to understand. Note: Make sure that the issue is reproducing when you collect this data. |
| 3 | Troubleshoot Microsoft Defender Antivirus performance issues with Process Monitor | If for some reason that the Microsoft Defender Antivirus performance analyzer doesn't provide with the details that you need to narrow down on what's triggering the high CPU utilization, you can use Process Monitor (ProcMon). Tip: You can collect for 5-10 minutes. Note: Make sure that the issue is reproducing when you collect this data. |
| 4 | [Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI](Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI) | In cases of a more advanced troubleshooting needed, you can use the Windows Performance Recorder UI (WPRUI) or Windows Performance Recorder (WPR). Tip: Due to the verbosity of this trace, keep it to 3 to 5 minute max. Note: Make sure that the issue is reproducing when you collect this data. |
Check with the vendor for known issues with antivirus products
If you can readily identify the software affecting system performance, go to the software vendor's knowledge base or support center. Check to see if there are any known issues with antivirus products. If necessary, you can open a support ticket with them and ask them to publish one.
We recommend that software vendors follow the various guidelines in Partnering with the industry to minimize false positives. The vendor can submit their software through the Microsoft Security Intelligence portal.
Q: Should I use the "EstimatedImpact" in the Microsoft Protection Log C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-xxxxxxxx-xxxxxx.log?
A: No, we don't support looking anything in the MPLog.log. Use the tools mentioned in the section, What's triggering and causing higher CPU utilization in Microsoft Defender Antivirus?
What if I still have an issue?
You can submit a ticket to Microsoft support.
Follow the steps in Collect Microsoft Defender Antivirus diagnostic data. Follow the steps in Collect Microsoft Defender Antivirus diagnostic data.
See also
- Collect Microsoft Defender Antivirus diagnostic data
- Configure and validate exclusions for Microsoft Defender Antivirus scans
- Performance analyzer for Microsoft Defender Antivirus
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.