Bug 1441918 Comment 90 Edit History


(In reply to Jeroen Baert from comment #89)
> I can confirm that toggling these options does seem to have an impact, but haven't reduced the CPU usage of `MsMpEng.exe` to the low levels of Chrome or Edge. I'm still seeing loads that are 3x that of loading the same website (I usually test with cnn.com, because it's large and full of mixed content) in Chrome/Edge.

Thanks. Your observations align well with the numbers I have obtained experimenting with this. I counted how many events are generated on the [Microsoft-Windows-Threat-Intelligence ETW provider](https://github.com/repnz/etw-providers-docs/blob/master/Manifests-Win10-17134/Microsoft-Windows-Threat-Intelligence.xml) when loading YouTube (I didn't see a significant difference with CNN), and here are the numbers I obtained:
- Firefox with normal configuration: ~14000 events, 98% of which are `PROTECTVM_LOCAL`;
- Firefox with the preferences from comment 83: ~6500 events, 95% of which are `PROTECTVM_LOCAL`;
- Edge: ~2000 events, 91% of which are `ALLOCVM_LOCAL`;
- Chrome: ~300 events.

So indeed, even with switching the prefs, we still have a high number of calls to `VirtualProtect`. This problem has two sides: Microsoft was doing a lot of useless computations upon each event, and we are generating a lot of events. The combination is explosive. Now that Microsoft has done their part of the job (comment 82), we need to reduce our dependency on `VirtualProtect`. Bug 1822650 in particular will help with that.

(In reply to SeriousHoax from comment #85)
> I would also like to add that this high CPU usage issue while using Firefox is not exclusive to Microsoft Defender. It's an issue for Norton's AV products also and should be the same for Symantec Endpoint products too.
> So, you should also test them.

It is true that we should analyze the situation with other AV vendors. However, given the numbers shared above, and given how relevant it is to keep track of memory protection changes in order to detect malicious behavior, it is very likely that the explanation for Windows Defender also applies (at least in part) to other AV vendors.
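The per-process tally behind the numbers above, as an added example that is not part of the comment or of Mozilla's code. The `Microsoft-Windows-Threat-Intelligence` provider can only be consumed from a process running at the anti-malware Protected Process Light level, so this script assumes such a consumer has already exported the events to a text file with one `<process>\t<event task name>` line per event (an assumed format, not one any Microsoft tool produces); the sample trace and its counts are constructed here to keep the example small and are not the measurements reported in the comment. The `flag_protectvm_heavy` check is the practitioner's version of the observation made above: a process whose events are dominated by `PROTECTVM_LOCAL` is the one an AV engine will spend its time on.

```python
"""Tally Microsoft-Windows-Threat-Intelligence events per process.

Added example: assumes the events were already exported (by a PPL
anti-malware consumer, which is the only kind allowed to subscribe to
this provider) as tab-separated "<process>\t<event task name>" lines.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Summary = Dict[str, Tuple[int, str, int]]  # process -> (total, dominant event, share %)


def _constructed_trace() -> str:
    """Build a small, clearly labelled sample trace.

    The per-process distributions are constructed for the example and
    chosen only so that the dominant event type differs per process;
    they are NOT the counts measured in the bug.
    """
    counts = {
        "firefox.exe": {"PROTECTVM_LOCAL": 140, "ALLOCVM_LOCAL": 3},
        "msedge.exe": {"ALLOCVM_LOCAL": 20, "PROTECTVM_LOCAL": 2},
        "chrome.exe": {"ALLOCVM_LOCAL": 2, "PROTECTVM_LOCAL": 1},
    }
    lines = []
    for proc, events in counts.items():
        for name, n in events.items():
            lines.extend(f"{proc}\t{name}" for _ in range(n))
    return "\n".join(lines) + "\n"


def parse_trace(text: str) -> Iterable[Tuple[str, str]]:
    """Yield (process, event name) pairs, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 2 or not all(parts):
            continue
        yield parts[0].lower(), parts[1].upper()


def summarize(events: Iterable[Tuple[str, str]]) -> Summary:
    """Per process: total event count, most frequent event, and its share in percent."""
    per_proc: Dict[str, Counter] = {}
    for proc, name in events:
        per_proc.setdefault(proc, Counter())[name] += 1
    summary: Summary = {}
    for proc, counter in per_proc.items():
        total = sum(counter.values())
        name, n = counter.most_common(1)[0]
        summary[proc] = (total, name, round(100 * n / total))
    return summary


def relative_load(summary: Summary, baseline: str) -> Dict[str, float]:
    """Event volume of every process relative to a baseline process (e.g. Chrome)."""
    base_total = summary[baseline][0]
    return {proc: total / base_total for proc, (total, _, _) in summary.items()}


def flag_protectvm_heavy(summary: Summary, min_events: int, min_share: int) -> List[str]:
    """Processes that both generate many events and are dominated by PROTECTVM_LOCAL.

    Those are the processes whose VirtualProtect traffic an AV engine
    subscribed to this provider has to inspect on every call.
    """
    return sorted(
        proc
        for proc, (total, name, share) in summary.items()
        if total >= min_events and name == "PROTECTVM_LOCAL" and share >= min_share
    )


if __name__ == "__main__":
    result = summarize(parse_trace(_constructed_trace()))
    for proc, (total, name, share) in sorted(result.items()):
        print(f"{proc:12s} {total:6d} events, {share}% {name}")
    for proc, ratio in relative_load(result, baseline="chrome.exe").items():
        print(f"{proc:12s} {ratio:5.1f}x chrome.exe")
    print("PROTECTVM-heavy:", flag_protectvm_heavy(result, min_events=100, min_share=90))
```

To apply it to a real export, replace `_constructed_trace()` with the file contents; the thresholds in `flag_protectvm_heavy` are the only tuning knobs, and the ratio printed by `relative_load` is the same "N times Chrome" comparison the comment uses.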
