Microsoft Defender Antivirus provides always-on, real-time protection, and on-demand antivirus scans on files to protect environments from malicious entities. However, there are times that scans can take a while to complete due to various factors such as environment configurations, longer processes, or unknown files.
IT admins, developers, and other users need visibility into the impact of these scans so they can troubleshoot, assess, and address any performance issues.
We are excited to announce performance analyzer for Microsoft Defender Antivirus (available with the Defender platform update 4.18.2108.7+). This new PowerShell command-line tool collects performance recordings on an individual endpoint and reports the top scans, processes, files, and file extensions most affected by Microsoft Defender Antivirus.
Performance analyzer is simple to use, requires no installations, and focuses specifically on Microsoft Defender Antivirus system scan data. This feature provides data in a programmatic, consumable way for admins and other users to easily analyze the results.
How it works
To analyze performance, from a Windows PowerShell, run performance analyzer using the cmdlet:
New-MpPerformanceRecording -RecordTo <recording.etl>
As shown in the image below, performance analyzer collects a recording of Microsoft Defender Antivirus events to be analyzed.
During this time, carry out the tasks that you think may have been causing the performance impact so that performance analyzer can record them. When you have finished, press <Enter> to stop and save the recording, as shown in the image below.
Once the recording is completed, run the cmdlet
Get-MpPerformanceReport
to view full tabular performance reports that show the top files, scans, file extensions, and processes causing the highest impact.
Image caption: Parameters for cmdlet Get-MpPerformanceReport
Based on the specified parameters, the report includes data sorted by count, duration, and path.
Image caption: Preview of report for top 10 files that impact scan time.
You can use nested grouping to get a more detailed report.
For example:
Get-MpPerformanceReport -Path <recording.etl> -TopProcesses:3 -TopScansPerProcess:5
will display a report of the top 3 processes that impact scan time and the top 5 scans associated with each.
Image caption: Preview of report for top 3 processes that impact scan time and the top 5 scans associated with each
You can also use multiple queries:
Get-MpPerformanceReport -Path <recording.etl> -TopExtensions: 10 -TopProcesses:3 -TopScansPerProcess:5
Image caption: Preview of report for top 10 extensions, top 3 processes, and top scans per process that impact scan time
Other functionalities
Using -MinDuration Parameter:
You can also report only on top scans that have a certain minimum duration. In the image below, the report displays a sample preview of the top 100 scans that took a minimum of 100 ms.
Exporting & Converting to CSV and JSON:
You can also export the results of the analyzer to a CSV file, or convert them to CSV or JSON. The following are examples.
To export to CSV:
(Get-MpPerformanceReport -Path:.\Repro-Install.etl -TopScans:1000 -MinDuration:30ms).TopScans | Export-Csv -Path:.\Repro-Install-Scans.csv -Encoding:UTF8 -NoTypeInformation
To convert to CSV:
(Get-MpPerformanceReport -Path:.\Repro-Install.etl -TopScans:1000).TopScans | ConvertTo-Csv -NoTypeInformation
To convert to JSON:
(Get-MpPerformanceReport -Path:.\Repro-Install.etl -TopScans:1000).TopScans | ConvertTo-Json -Depth:1
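The following script is an added example, not code from the original post or from the Defender team; it ties together the recording step, the nested report, the -MinDuration filter, and the CSV/JSON export described above into one repeatable run. It assumes PowerShell 5.1 on an endpoint with Defender platform 4.18.2108.7+, an elevated session for the recording step, and uses only the parameters the post shows (-RecordTo, -Path, -TopProcesses, -TopScansPerProcess, -TopExtensions, -TopScans, -MinDuration). The recording name, output folder, and file names are assumptions for illustration.

```powershell
# Added example (not from the original post): end-to-end performance analyzer run.
# Assumes PowerShell 5.1, Defender platform 4.18.2108.7+, and an elevated session
# for the recording step. File and folder names below are assumptions.

param(
    [string]$Recording   = ".\Repro-Install.etl",   # recording to create or reuse
    [string]$OutDir      = ".\perf-report",         # where the CSV/JSON exports land
    [string]$MinDuration = "30ms"                   # ignore scans shorter than this
)

# 1. Make sure the analyzer cmdlets are present; they ship with platform 4.18.2108.7+.
if (-not (Get-Command Get-MpPerformanceReport -ErrorAction SilentlyContinue)) {
    throw "Get-MpPerformanceReport not found: update the Defender platform to 4.18.2108.7 or later."
}

# 2. Record only when no recording exists yet. New-MpPerformanceRecording keeps
#    recording until Enter is pressed, so reproduce the slow workload in between.
if (-not (Test-Path $Recording)) {
    Write-Host "Recording Defender Antivirus events. Reproduce the slow task, then press Enter."
    New-MpPerformanceRecording -RecordTo $Recording
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 3. Nested report: the 3 processes with the highest impact and the 5 longest
#    scans for each, plus the 10 most affected extensions, above the threshold.
$nested = Get-MpPerformanceReport -Path $Recording `
    -TopProcesses:3 -TopScansPerProcess:5 -TopExtensions:10 -MinDuration:$MinDuration
$nested

# 4. Flat list of the longest scans, exported for a spreadsheet or for ingestion
#    elsewhere. The same TopScans property the post uses is what gets exported.
$scans = (Get-MpPerformanceReport -Path $Recording -TopScans:1000 -MinDuration:$MinDuration).TopScans
$scans | Export-Csv -Path (Join-Path $OutDir "top-scans.csv") -Encoding UTF8 -NoTypeInformation
$scans | ConvertTo-Json -Depth 1 | Set-Content -Path (Join-Path $OutDir "top-scans.json") -Encoding UTF8

Write-Host ("{0} scans of at least {1} written to {2}" -f @($scans).Count, $MinDuration, $OutDir)
```

Run it once with no .etl present to capture a fresh recording, and again with the same -Recording path to re-query the saved recording with a different -MinDuration without recording again. The exports contain file and process paths from the endpoint, so keep them with other diagnostic data rather than in a shared location.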
For more information, see Performance analyzer for Microsoft Defender Antivirus.
Requirements and availability:
Availability: Early September with release of the Defender August Platform version
Defender Platform version: 4.18.2108.7+
Supported OS versions: Windows 10+ and Windows Server 2016+
PowerShell version: 5.1, PowerShell ISE
We’re excited to offer you this new tool to assess performance related to Microsoft Defender Antivirus. We welcome your questions and feedback in the comments!
When evaluating various solutions, your peers value hearing from people like you who’ve used the product. Review Defender for Endpoint by filling out a Gartner Peer Insights survey and receive a $25 USD gift card (for customers only).