
Re: Defender running slowly

From VanguardLH <V@nguard.LH>
Newsgroups alt.comp.os.windows-10
Subject Re: Defender running slowly
Date 2025-01-13 15:37 -0600
Organization Usenet Elder
Message-ID <1c6dmz6dcd2mo$.dlg@v.nguard.lh> (permalink)
References <vm2n7b$1fvku$1@dont-email.me> <12xlvgqmln0zj.dlg@v.nguard.lh> <vm33eh$1fvkt$1@dont-email.me> <16y5uykz2ci1r$.dlg@v.nguard.lh> <vm3dku$1rp3q$1@dont-email.me>



Paul <nospam@needed.invalid> wrote:

> Just as a general observation, the "claimed" CPU usage of that executable
> is small, yet the amount of total I/O it has done is pretty impressive
> for something not using a lot of CPU. The I/O has happened
> over many hours.
> 
>    [Picture]
> 
>     https://i.postimg.cc/dVcgppjN/msmpeng-activity.gif
> 
> The Sysinternals Process Explorer is available here. It can be run
> as Administrator, for some activities this gives a bit of extra info,
> but Administrator is not needed for casual usage like in the picture.
> The CPU usage includes two digits after the decimal, which is useful.
> 
>    https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
> 
> Does MSMPENG.exe slow down the machine? You bet your ass it does.
> But it shows up, when you attempt to read files.
> 
> As an example, you may have a copy of hashdeep64.exe or md5deep64.exe,
> which is a program that can generate a checksum value for each and
> every file on a PC. The poor "hashdeep" runs at about 14% of normal
> speed, when Defender is finished scanning the shit out of each
> file as it is being read. This is where you are losing the performance.
> The real time performance, when your activities do high I/O, is
> slowed considerably by Defender.
> 
> But at the background scan level, which is what the top picture is
> demonstrating, it should not be making the system particularly laggy.
> 
> When running high I/O programs, you have to go to the security panel
> and "disable Real Time scan", for those activities that you suspect
> are innocuous. While malware could come out of hiding while you
> have the Real Time scan disabled, it's not much of a computer
> if I/O activity is being strangled.
> 
> Not all I/O activity is necessarily scanned to the same extent.
> If you run a Macrium Reflect backup while the OS is running,
> the I/O there is at cluster level, and scanning the shit out
> of individual clusters isn't particularly an effective security
> measure. Whereas reading whole files is more of interest to
> a Defender.
> 
> There can be some places worth setting an exception. If your mail tool
> stores messages as separate .eml files, you could have a hundred thousand
> of those, and any time the email tool scans the email store, that's
> going to make Defender nuts and the activity will slow to a crawl.
> Then you have to make the decision, whether disabling real time on
> that folder is a necessary thing or not.  Again, if your email
> becomes basically unusable due to parallel scanning activity,
> it's not much of a computer if you can't use it.
> 
> But I would avoid random vacuous application of Exceptions.
> Exceptions are not the new breakfast cereal. They're to be
> used with thought and reflection, balancing security versus
> abysmal performance.
> 
>    Paul

I've seen tons of I/O activity when 2 on-access/real-time AV scanners
were active.  I'd see the first AV open the file to scan it, the 2nd AV
see the file got opened, so the 2nd AV would scan the file.  The 1st AV
would see the 2nd AV opened the file, so the 1st AV would rescan the
same file.  And the death grip continued for about 30K opens on the same
file with the AVs battling each other over which would be the last to
open the file to scan it.  That's why it is a bad scenario to have two,
or more, AV on-access scanners active at the same time.  If you feel
compelled to use a 2nd AV to double-check for malware, disable its
on-access scanner, and just schedule it to do an on-demand scan, and
disable it from scanning the folder of the other AV.

As for high CPU usage, or *lots* of I/O, I've seen that with other AV
software, too.  It isn't unique to Defender.

As for scanning e-mail, it is superfluous to configure the AV on-access
scanner to scan when a new message arrives.  Whether scanning the e-mail
traffic, when the e-mail gets saved into a message store, or scanning
later when extracting the message, the same on-access scanner gets used.
Attachments in an e-mail are just long text encoded strings, and are not
executable.  Not until extraction into a file can they become an
executable danger.  You get earlier warning, but not greater pest
detection.  Defender's on-access scanner doesn't scan e-mails (but does
for its on-demand/scheduled scans) while other AVs have the option to
scan e-mail traffic which should be disabled since there is no added
detection coverage.  You end up scanning twice without any added pest
coverage: once on message delivery while scanning the e-mail traffic,
and again if and when an attachment is extracted.  What does the AV
scanner see when an e-mail arrives for its attachments?  Long text
encoded strings which are no danger.  What about the e-mail body?  Nope,
no danger there, either, unless you are so stupid as to allow JavaScript
to get executed in an HTML-formatted e-mail.  E-mail clients should
default to NOT running any scripts in e-mails.  E-mail is not a
substitute for web docs, but way too many senders treat it as such.
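The two configuration points the thread keeps returning to, whether more than one on-access scanner is registered and what Defender's real-time scan and exclusion settings actually are, can be audited from PowerShell. This is an added example, not code from either poster; it assumes Windows 10/11 with the Defender module and an elevated prompt, and the productState decoding is the commonly used community interpretation rather than a documented format.

```powershell
# Added example (not from the thread): audit registered AV on-access
# scanners and Defender's real-time/exclusion configuration.
# Assumes Windows 10/11, the Defender PowerShell module, and an elevated
# prompt (Get-MpPreference only lists exclusions when run as admin).

function Get-RegisteredAntivirus {
    # Security Center keeps one AntiVirusProduct row per registered AV.
    # productState decoding is the widely used community interpretation
    # (second hex byte 0x10/0x11 = real-time on); it is NOT officially
    # documented, so treat it as an assumption.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            $hex = '{0:x6}' -f $_.productState
            [pscustomobject]@{
                Name       = $_.displayName
                RealTimeOn = ($hex.Substring(2, 2) -in '10', '11')
                Signatures = if ($hex.Substring(4, 2) -eq '00') { 'up to date' } else { 'out of date' }
            }
        }
}

function Get-DefenderScanConfig {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        LastFullScan       = $status.FullScanEndTime
        ExcludedPaths      = @($pref.ExclusionPath)
        ExcludedProcesses  = @($pref.ExclusionProcess)
        ExcludedExtensions = @($pref.ExclusionExtension)
    }
}

$avs = Get-RegisteredAntivirus
$avs | Format-Table -AutoSize
if (@($avs | Where-Object RealTimeOn).Count -gt 1) {
    Write-Warning 'More than one on-access scanner is active; they will rescan each other''s file opens.'
}

# Review every exclusion: each one is a folder, process or extension
# that real-time scanning no longer sees at all.
Get-DefenderScanConfig | Format-List

# A deliberately narrow exclusion for a mail store folder, as discussed
# in the thread (placeholder path; point it at the client's real store):
# Add-MpPreference -ExclusionPath 'C:\Users\<user>\AppData\Local\MailStore'
```

Leave the `Add-MpPreference` line commented until you have confirmed the folder only ever holds the mail client's own message files.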



Thread

Defender running slowly Jim the Geordie <jim@jimXscott.co.uk> - 2025-01-13 09:43 +0000
  Re: Defender running slowly VanguardLH <V@nguard.LH> - 2025-01-13 06:50 -0600
    Re: Defender running slowly Jim the Geordie <jim@jimXscott.co.uk> - 2025-01-13 13:11 +0000
      Re: Defender running slowly VanguardLH <V@nguard.LH> - 2025-01-13 09:00 -0600
        Re: Defender running slowly Jim the Geordie <jim@jimXscott.co.uk> - 2025-01-13 15:23 +0000
        Re: Defender running slowly Paul <nospam@needed.invalid> - 2025-01-13 11:05 -0500
          Re: Defender running slowly Zaidy036 <Zaidy036@air.isp.spam> - 2025-01-13 13:51 -0500
          Re: Defender running slowly VanguardLH <V@nguard.LH> - 2025-01-13 15:37 -0600
