Microsoft Defender for Endpoint Blog

Announcing performance analyzer for Microsoft Defender Antivirus

marysia_k (Microsoft)
Sep 07, 2021

Microsoft Defender Antivirus provides always-on, real-time protection, and on-demand antivirus scans on files to protect environments from malicious entities. However, there are times that scans can take a while to complete due to various factors such as environment configurations, longer processes, or unknown files.

IT admins, developers, and other users need visibility into the impact of these scans so they can troubleshoot, assess, and address any performance issues.

We are excited to announce performance analyzer for Microsoft Defender Antivirus (available with the Defender platform update 4.18.2108.7+). This new PowerShell command-line tool assists in the collection of performance recordings on an individual endpoint and reports information for the top scans, processes, files, and file extensions most affected by Microsoft Defender Antivirus.

Performance analyzer is simple to use, requires no installation, and focuses specifically on Microsoft Defender Antivirus system scan data. This feature provides data in a programmatic, consumable way for admins and other users to easily analyze the results.

How it works

To analyze performance, from a Windows PowerShell, run performance analyzer using the cmdlet:

New-MpPerformanceRecording -RecordTo <recording.etl>

As shown in the image below, performance analyzer collects a recording of Microsoft Defender Antivirus events to be analyzed.

During this time, carry out the tasks that you think may have been causing performance impact so that performance analyzer can record this. When you have finished, press <Enter> to stop and save the recording, as shown in the image below.

Once the recording is completed, the cmdlet

Get-MpPerformanceReport

enables you to view full tabular performance reports that show the top files, scans, file extensions, and processes causing the highest impact.

Image caption: Parameters for cmdlet Get-MpPerformanceReport

Based on the specified parameters, the report includes data sorted by count, duration, and path.

Image caption: Preview of report for top 10 files that impact scan time.

You can use nested grouping to get a more detailed report. For example:

Get-MpPerformanceReport -Path <recording.etl> -TopProcesses:3 -TopScansPerProcess:5

will display a report of the top 3 processes that impact scan time and the top 5 scans associated with each.

Image caption: Preview of report for top 3 processes that impact scan time and the top 5 scans associated with each

You can also use multiple queries:

Get-MpPerformanceReport -Path <recording.etl> -TopExtensions:10 -TopProcesses:3 -TopScansPerProcess:5

Image caption: Preview of report for top 10 extensions, top 3 processes, and top scans per process that impact scan time
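The two-step procedure above (record, then report with nested grouping), wrapped in one function together with the prerequisite checks a practitioner would want before starting a capture. This is an added example, not code from the post or from Microsoft: the function name Invoke-DefenderPerfCapture is mine, the version check assumes Get-MpComputerStatus exposes the Defender platform version as AMProductVersion, and the remote-session check is based on the ReadKey failure reported in the comments below the post.

```powershell
# Added example (not from the blog post): capture a recording, then produce a nested report.
# Assumptions: Get-MpComputerStatus.AMProductVersion holds the platform version compared
# against the 4.18.2108.7 minimum from the Requirements section; the recorder is stopped
# interactively with Enter on a local console, as the post describes.
function Invoke-DefenderPerfCapture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $RecordTo,   # e.g. .\Repro-Install.etl
        [int] $TopProcesses = 3,
        [int] $TopScansPerProcess = 5,
        [int] $TopExtensions = 10
    )

    # Prerequisite 1: the cmdlets ship with Defender platform 4.18.2108.7 or later.
    $status = Get-MpComputerStatus
    if ([version]$status.AMProductVersion -lt [version]'4.18.2108.7') {
        throw "Defender platform $($status.AMProductVersion) is older than 4.18.2108.7; update the platform first."
    }
    if (-not (Get-Command New-MpPerformanceRecording -ErrorAction SilentlyContinue)) {
        throw "New-MpPerformanceRecording is not available in this session."
    }

    # Prerequisite 2: the recorder waits for an Enter key press on a real console,
    # so it fails inside a remote PowerShell session (see the comments below the post).
    if ($Host.Name -eq 'ServerRemoteHost') {
        throw "Run this interactively on the endpoint; a remoting session has no console for ReadKey."
    }

    # Step 1: record. Reproduce the slow workload now, then press Enter to stop.
    Write-Host "Recording to $RecordTo. Reproduce the slow activity, then press Enter to stop."
    New-MpPerformanceRecording -RecordTo $RecordTo

    # Step 2: nested report: the top processes, the scans behind each of them,
    # and the file extensions that cost the most scan time.
    Get-MpPerformanceReport -Path $RecordTo `
        -TopProcesses $TopProcesses -TopScansPerProcess $TopScansPerProcess `
        -TopExtensions $TopExtensions
}

# Usage (run from an elevated PowerShell on the endpoint itself):
# Invoke-DefenderPerfCapture -RecordTo .\Repro-Install.etl
```

Keep the recording window short and focused on the workload you suspect; a long recording of unrelated activity makes the top-N tables harder to read.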

 

Other functionalities

Using the -MinDuration parameter:

You can also report only on top scans that have a certain minimum duration. In the image below, the report displays a sample preview of the top 100 scans that took a minimum of 100 ms.

Exporting & converting to CSV and JSON:

You can also export and convert the results of the analyzer to CSV or JSON. The following are examples.

To export to CSV:

(Get-MpPerformanceReport -Path:.\Repro-Install.etl -TopScans:1000 -MinDuration:30ms).TopScans | Export-Csv -Path:.\Repro-Install-Scans.csv -Encoding:UTF8 -NoTypeInformation

To convert to CSV:

(Get-MpPerformanceReport -Path:.\Repro-Install.etl -TopScans:1000).TopScans | ConvertTo-Csv -NoTypeInformation

To convert to JSON:

(Get-MpPerformanceReport -Path:.\Repro-Install.etl -TopScans:1000).TopScans | ConvertTo-Json -Depth:1
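Putting the export commands to work: the following added example (not from the post or from Microsoft) filters the recording to scans above a minimum duration, writes them out as CSV and JSON beside the recording, and rolls them up per process so the process generating the most scan time is visible at a glance. Export-DefenderScanReport is a hypothetical function name; the rollup assumes each TopScans row exposes Duration and ProcessPath properties, which you should confirm with Get-Member on your platform version before relying on it.

```powershell
# Added example (not from the blog post): filter long scans, export them, and summarise per process.
# Assumption: TopScans rows carry a Duration (TimeSpan or parseable string) and a ProcessPath
# property; verify with  (Get-MpPerformanceReport -Path .\x.etl -TopScans 1).TopScans | Get-Member
function Export-DefenderScanReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,   # recording, e.g. .\Repro-Install.etl
        [int] $TopScans = 1000,
        [string] $MinDuration = '30ms',          # same syntax the post uses for -MinDuration
        [string] $OutDir = '.'
    )

    $scans = (Get-MpPerformanceReport -Path $Path -TopScans $TopScans -MinDuration $MinDuration).TopScans
    if (-not $scans) {
        Write-Warning "No scans longer than $MinDuration found in $Path"
        return
    }

    # Output files are named after the recording, e.g. Repro-Install-Scans.csv
    $base = Join-Path $OutDir ([IO.Path]::GetFileNameWithoutExtension($Path))

    # Raw rows, one per scan: the form spreadsheets and log pipelines ingest most easily.
    $scans | Export-Csv -Path "$base-Scans.csv" -Encoding UTF8 -NoTypeInformation

    # -Depth 1 keeps nested objects from expanding into deep trees, as in the post's example.
    $scans | ConvertTo-Json -Depth 1 | Set-Content -Path "$base-Scans.json" -Encoding UTF8

    # Per-process rollup: total scan time and scan count per initiating process.
    $summary = $scans | Group-Object ProcessPath | ForEach-Object {
        $ms = ($_.Group |
               ForEach-Object { ([timespan]$_.Duration).TotalMilliseconds } |
               Measure-Object -Sum).Sum
        [pscustomobject]@{
            ProcessPath = $_.Name
            ScanCount   = $_.Count
            TotalMs     = [math]::Round($ms, 1)
        }
    } | Sort-Object TotalMs -Descending

    $summary | Export-Csv -Path "$base-ByProcess.csv" -Encoding UTF8 -NoTypeInformation
    $summary   # also returned so it can be inspected or piped further
}

# Usage:
# Export-DefenderScanReport -Path .\Repro-Install.etl -MinDuration 30ms | Format-Table -AutoSize
```

The per-process table is the view to start from when deciding whether a process really is slowed by scanning: a process with many short scans and a process with a few very long ones need different follow-up, and the rollup separates the two cases before any exclusion is considered.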

For more information, see Performance analyzer for Microsoft Defender Antivirus.

 

Requirements and availability:

Availability: Early September with release of the Defender August Platform version
Defender Platform version: 4.18.2108.7+
Supported OS versions: Windows 10+ and Windows Server 2016+
PowerShell version: PowerShell version 5.1, PowerShell ISE

We’re excited to offer you this new tool to assess performance related to Microsoft Defender Antivirus. We welcome your questions and feedback in the comments!

 

Updated Jan 10, 2022
Version 4.0

20 Comments

  • Fabian Bader
    Brass Contributor

    Hi marysia_k, there seems to be a problem when running this in a remote PowerShell session. Would be great if this was possible as well.

    Exception setting "TreatControlCAsInput": "The handle is invalid."
    At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ConfigDefender\MSFT_MpPerformanceRecording.psm1:77 char:5

    Exception calling "ReadKey" with "1" argument(s): "Cannot read keys when either application does not have a console or when console input has been redirected from a file. Try Console.Read."
    At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ConfigDefender\MSFT_MpPerformanceRecording.psm1:103 char:9

  • Tha_Dude
    Copper Contributor

    marysia_k

    Hi, I have tried running the commands and it errors.

    I get the below problem. I've got an application on the server that is 'playing up'. We THINK it's Defender causing the issues, but need to check.

    Please help.

    Thank you

    Kind Regards

  • Przem0
    Brass Contributor

    Hi Marysia, looks good! Is there any chance to present performance output in a graph? Maybe some kind of charts in the Intune console in the near future? Cheers.

  • ThoFord
    Brass Contributor

    Now all we need is for this to be part of Endpoint Analytics.

  • mbhmirc Hi! Thank you for your feedback. We will note it for future consideration of the product. We do not currently have a demo session planned or specific exclusion guidance, but we can look into some options. We will update when more details are ready. 

  • mbhmirc
    Brass Contributor

    Hello,

    This looks like a great tool!

    Will there be a session on Defender in the future including this tool, e.g. a demo, how to analyse the results and how to action them?

    How would we securely make exceptions based on this data? E.g. will exceptions be able to be more fine-grained, in the format WDAC/AppLocker does them, in the future? I'd much rather do certificate combined with path and vendor etc. than a straight-up process name or folder. These are easily read and abused.

    Will you be able to apply different scan types based on the exception, e.g. write only or read only? This could be used to mitigate performance issues for developers, for example, without fully allowing a process.

    Lastly, will this be able to be initiated from Defender for Endpoint and get a result from the interface? Looking after 10k plus clients, getting these results can be time consuming.

    Again thank you! Great progress.