Microsoft Defender for Endpoint Blog

Announcing performance analyzer for Microsoft Defender Antivirus

marysia_k
Sep 07, 2021

Microsoft Defender Antivirus provides always-on, real-time protection, and on-demand antivirus scans on files to protect environments from malicious entities. However, there are times that scans can take a while to complete due to various factors such as environment configurations, longer processes, or unknown files.

 

IT admins, developers, and other users need visibility into the impact of these scans so they can troubleshoot, assess, and address any performance issues.

 

We are excited to announce performance analyzer for Microsoft Defender Antivirus (available with the Defender platform update 4.18.2108.7+). This new PowerShell command-line tool assists in the collection of performance recordings on an individual endpoint and reports information for top scans, processes, files, and file extensions most affected by Microsoft Defender Antivirus.

 

Performance analyzer is simple to use, requires no installations, and focuses specifically on Microsoft Defender Antivirus system scan data. This feature provides data in a programmatic, consumable way for admins and other users to easily analyze the results.

 

How it works

 

To analyze performance, run performance analyzer from Windows PowerShell using the cmdlet:

New-MpPerformanceRecording -RecordTo <recording.etl>

As shown in the image below, performance analyzer collects a recording of Microsoft Defender Antivirus events to be analyzed.

 

During this time, carry out the tasks that you think may have been causing the performance impact so that performance analyzer can record them. When you have finished, press <Enter> to stop and save the recording, as shown in the image below.

 

Once the recording is completed, the cmdlet

Get-MpPerformanceReport

enables you to view full tabular performance reports that show the top files, scans, file extensions, and processes causing the highest impact.

 

Image caption: Parameters for cmdlet Get-MpPerformanceReport

 

Based on the specified parameters, the report includes data sorted by count, duration, and path.

Image caption: Preview of report for top 10 files that impact scan time.

 

You can use nested grouping to get a more detailed report.

For example, the following command displays a report of the top 3 processes that impact scan time and the top 5 scans associated with each:

Get-MpPerformanceReport -Path <recording.etl> -TopProcesses:3 -TopScansPerProcess:5

Image caption: Preview of report for top 3 processes that impact scan time and the top 5 scans associated with each

 

You can also use multiple queries:

Get-MpPerformanceReport -Path <recording.etl> -TopExtensions:10 -TopProcesses:3 -TopScansPerProcess:5

Image caption: Preview of report for top 10 extensions, top 3 processes, and top scans per process that impact scan time

 

Other functionalities

 

Using -MinDuration Parameter:

You can also report only on top scans that have a certain minimum duration. In the image below, the report displays a sample preview of the top 100 scans that took a minimum of 100 ms.

 

Exporting & Converting to CSV and JSON:

You can also export and convert the results of the analyzer to CSV or JSON. The following are examples.

To export to CSV:

(Get-MpPerformanceReport -Path:.\Repro-Install.etl -TopScans:1000 -MinDuration:30ms).TopScans | Export-Csv -Path:.\Repro-Install-Scans.csv -Encoding:UTF8 -NoTypeInformation

To convert to CSV:

(Get-MpPerformanceReport -Path:.\Repro-Install.etl -TopScans:1000).TopScans | ConvertTo-Csv -NoTypeInformation

To convert to JSON:

(Get-MpPerformanceReport -Path:.\Repro-Install.etl -TopScans:1000).TopScans | ConvertTo-Json -Depth:1

For more information, see Performance analyzer for Microsoft Defender Antivirus.

 

Requirements and availability: 

 

Availability: Early September with release of the Defender August Platform version

Defender Platform version: 4.18.2108.7+

Supported OS versions: Windows 10+ and Windows Server 2016+

PowerShell version: PowerShell version 5.1, PowerShell ISE
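
The export commands and the platform requirement above can be combined into one pre-checked run. The following is an added example, not code from the original post or from Microsoft: the function name Export-MpPerformanceSections and its parameters are hypothetical, and it assumes that the AMProductVersion value returned by Get-MpComputerStatus reports the Defender platform version and that the report object exposes TopFiles, TopExtensions and TopProcesses alongside the TopScans property used above.

```powershell
# Added example: Export-MpPerformanceSections is a hypothetical helper name.
function Export-MpPerformanceSections {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $RecordingPath,    # .etl saved by New-MpPerformanceRecording
        [Parameter(Mandatory)] [string] $OutputDirectory,
        [int]    $Top = 10,
        [string] $MinDuration = '30ms'                     # same form as -MinDuration:30ms in the post
    )

    # Requirement from the post: Defender platform 4.18.2108.7 or later.
    # Assumption: AMProductVersion reports the platform version.
    $required = [version]'4.18.2108.7'
    $platform = [version](Get-MpComputerStatus).AMProductVersion
    if ($platform -lt $required) {
        throw "Defender platform $platform is older than $required; performance analyzer is not available."
    }
    if (-not (Get-Command Get-MpPerformanceReport -ErrorAction SilentlyContinue)) {
        throw 'Get-MpPerformanceReport was not found in this PowerShell session.'
    }
    if (-not (Test-Path -LiteralPath $RecordingPath -PathType Leaf)) {
        throw "Recording not found: $RecordingPath"
    }
    New-Item -ItemType Directory -Path $OutputDirectory -Force | Out-Null

    # One pass over the recording, requesting every report section at once.
    $report = Get-MpPerformanceReport -Path $RecordingPath -TopFiles $Top -TopExtensions $Top `
        -TopProcesses $Top -TopScans $Top -MinDuration $MinDuration

    $base = [IO.Path]::GetFileNameWithoutExtension($RecordingPath)
    foreach ($section in 'TopFiles', 'TopExtensions', 'TopProcesses', 'TopScans') {
        $rows = $report.$section
        if (-not $rows) {
            Write-Warning "$section returned no rows for $RecordingPath."
            continue
        }
        # Same export and conversion calls as in the post, one file pair per section.
        $csv  = Join-Path $OutputDirectory "$base-$section.csv"
        $json = Join-Path $OutputDirectory "$base-$section.json"
        $rows | Export-Csv -Path $csv -Encoding UTF8 -NoTypeInformation
        $rows | ConvertTo-Json -Depth 1 | Set-Content -Path $json -Encoding UTF8
        Get-Item $csv    # emit the CSV file object so callers can pipe it on
    }
}

# Usage (Repro-Install.etl is the sample recording name used in the post):
# Export-MpPerformanceSections -RecordingPath .\Repro-Install.etl -OutputDirectory .\Repro-Install-Report
```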

 

We’re excited to offer you this new tool to assess performance related to Microsoft Defender Antivirus. We welcome your questions and feedback in the comments!

 

Updated Jan 10, 2022
Version 4.0