Open Bug 1441918 Opened 3 years ago Updated 8 days ago

Antimalware Service Executable (Windows Defender) very active / high CPU when using Firefox

Categories

(External Software Affecting Firefox :: Other, defect, P3)

Tracking

(firefox61 affected, firefox62 affected, firefox63 affected)

People

(Reporter: designakt, Unassigned, NeedInfo)

Details

(Whiteboard: [qf:p2:resource])

Attachments

(2 files)

I noticed that for some time now most of the time Firefox is active, the Windows 10 built-in `Antimalware Service Executable` is using well above *30% of my CPU*, and is reading and writing random files in `Windows/Temp`, all starting with `etilqs_`.

This is considerably slowing me down and makes Firefox feel really slow.

I reproduced this in a new profile, and so far the only thing that helped is excluding the Firefox process from Windows Defender Antivirus. (something most of our users will probably not do)
Here is a recording of opening Nightly and navigating to a few websites, with disk and cpu activity visible. https://drive.google.com/open?id=1KqJxhVKE1xi3TRYAuFKhgEPz7wAUnleX (licecap is the recording tool)

I am on Windows 10 on Surface Pro 4, running the current Nightly

I first raised this as a question in slack and so far Randell Jesup failed to be able to reproduce on his machine: https://mozilla.slack.com/archives/C4D3JFF26/p1519827897000296

I also checked to only exclude the profile directory, which reduced the `Antimalware Service Executable` activity, but it is still around 10-15% when browsing this way.
That's a lot of temporary SQLite database activity!  Running with MOZ_LOG=mozStorage:5 will get you reallllly detailed logs, with the output file controlled by MOZ_LOG_FILE.  Setting environment variables in Windows can be very awkward, however, so you can also set the string preference "logging.mozStorage" to "Verbose" to enable the logging and set the string pref "logging.config.LOG_FILE" to wherever you want the log file.  If using preferences, you probably want to restart the browser, because I think some of the more interesting attaching we do only happens when we establish the connections.

See https://searchfox.org/mozilla-central/source/xpcom/base/LogModulePrefWatcher.cpp for other interesting prefs and the string version of the levels.
Note that Defender also scans anything we are writing to the web content (HTTP) disk cache.  I believe this is a normal behavior and personally I find it preferable.

Note that exclusions in Defender don't work well (or at least used not to) e.g. for excluding mozilla source tree and obj dir to speed up builds.  I can still build way faster (and only that way) when I completely disable the runtime protection of Defender regardless of how my exclusions are set up.
Are you on Firefox 64 or 32 bits?
I'm asking because on 64 bit systems we should default to a memory temp store for any Storage consumers, while on 32 bit it's the consumer that must opt-in to using a memory temp store.
https://searchfox.org/mozilla-central/rev/769222fadff46164f8cc0dc7a0bae5a60dc2f335/db/sqlite3/src/moz.build#93
If you're on a 64 bit build, this is a bit more puzzling.
Flags: needinfo?(mjaritz)
Priority: -- → P3
(In reply to Marco Bonardo [::mak] from comment #3)
> Are you on Firefox 64 or 32 bits?

I am using 64bit Firefox
Flags: needinfo?(mjaritz)
The other thing I'm puzzled about is files are created in Windows/temp rather than under AppData where I'd expect us to create them. Sorry for the many questions, comment 1 suggested getting a moz_log, that may still be useful.

Since our version *should* always store temp files in memory, not disk, I'm thinking about an external helper using sqlite to store some data. modulo a bug that prevents SQLITE_TEMP_STORE from working.
Do you have any add-ons that may use an external helper process? Could you try if the problem persists in Safe Mode or with all add-ons disabled?

Last thing, you could try launching Process Explorer 64 (https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer), click on the Binocular (Find Handle or DLL), type "etilqs_" and click search, it could help finding which process is using those files.
Trying to do the logging now, I could not reproduce the effect anymore... I am totally puzzled what changed. Yesterday I saw that happen in my default profile, as well as a new blank profile. Now I only see very short, low spikes of `Antimalware Service Executable` activity... barely higher than 10%, and I do not see any of the etilqs_ files I saw yesterday. ¯\_(ツ)_/¯

Only big thing I changed was enable "Cloud-Delivered Protection" and "Automatic sample submission"... in Windows Defender yesterday, but still after turning those off again, I couldn't reproduce. Will try again tomorrow, and if I can not reproduce I will close this bug. Sorry...
Ah, so after reading :mak's comment 5, if I pay more attention when I go to look at the gif again, I see that the "etilqs_" accesses are coming from the "System" Image with PID=4, so it's not directly Firefox.  (Which makes sense, because it's SQLite itself that does `# define SQLITE_TEMP_FILE_PREFIX "etilqs_"` if it's not already defined.  Only software that #define's it to be something else would use a different prefix.)

I wonder if we should define it to be a different value for Firefox builds so that we can have support pages like https://support.mozilla.org/en-US/questions/987495 and others say "If it was firefox, it would be ff_etilqs_", it's not Firefox.
(In reply to Andrew Sutherland [:asuth] from comment #7)
> I wonder if we should define it to be a different value for Firefox builds
> so that we can have support pages like
> https://support.mozilla.org/en-US/questions/987495 and others say "If it was
> firefox, it would be ff_etilqs_", it's not Firefox.

It sounds like a good idea, feasible where we don't use System Sqlite. Maybe with an mz prefix, considering Storage is also used by TB, SM and other products. I'll file a bug for that.
Depends on: 1442370
From next Nightly, our temp files will be prefixed with "mz_etilqs_", so if you should notice this again, you will be able to tell if it's Firefox or another app in the system creating all of those files.
I did a comparison with chrome today, and for both browsers I see those sqlite files. However, when Firefox is running, `Antimalware Service Executable` seems way more active, when doing basically the same browsing. So the files might be part of the Defender activity.

I did some recordings to show how Firefox and Chrome impact `Antimalware Service Executable` - Firefox triggers it way more!
And there might also be a relation to Defender settings. It seems to me that Defender is even more active with Firefox after Cloud-Delivered Protection and Automatic Sample Submission is off.
For Chrome Defender does not seem to use nearly as much resources. (no matter the defender settings.)


rough CPU estimates from the recordings:
Defender CDP off & ASS off 
Firefox ~ 25% Defender activity
Chrome  ~ 10% Defender activity
recording: https://drive.google.com/file/d/11kCNeV2a8kS1q6yntlOgMjVf71gGwFbw/view

Defender CDP on & ASS off
Firefox ~ 15% Defender activity
Chrome  ~  8% Defender activity
recording: https://drive.google.com/file/d/11lvSim7WT-dB_8Yt4eqfGHT90Bj_S4Ry/view

Defender CDP on & ASS on 
Firefox ~ 5% Defender activity
Chrome  ~ 1% Defender activity
recording: https://drive.google.com/file/d/11q-__1rfDQ3EGIQBrC3ILQTQarU08NMV/view


(both are new profiles, on chrome and on Firefox, and I restarted the machine and reset the profiles before every re-run)
It's possible Defender itself uses Sqlite internally, nobody knows.
Btw, please let us know if after the next Nightly the temp files are mz_ prefixed, if not, this is very likely not a Storage bug, we may just be storing things in the cache (or elsewhere) differently from Chrome, and maybe Defender doesn't like that.
Setting a needinfo for myself to check in on that next week.
Flags: needinfo?(mjaritz)
(In reply to Marco Bonardo [::mak] from comment #11)
> please let us know if after the next Nightly the temp files are mz_
> prefixed, if not, this is very likely not a Storage bug, we may just be
> storing things in the cache (or elsewhere) differently from Chrome, and
> maybe Defender doesn't like that.

I still see those files when running the latest Nightly, but they are not mz_ prefixed.
Flags: needinfo?(mjaritz)
Yesterday I noticed that my HDD started slowing down the whole system. I had moved the temp folders (in env. vars) to it, and the page file.
Checking Task Manager showed me that MsMpEng.exe was doing something heavy with the disk, ~70mb/s.
So I moved the temps to a RAM disk and the page file back to the SSD.

Then I noticed that in the root of the system temp folder (which is originally c:\windows\temp) etilqs files of 0 byte size appear and disappear. One appears and is immediately swapped for another with different letters in its name, and it happens in a constant cycle.

I started googling it and found out that these are SQL temp files and stuff, and that Firefox creates such things. But they are not Firefox's files, as I understand.

https://filestore.community.support.microsoft.com/api/images/8dccb3f1-2d78-430c-9731-925b4290e621?upload=true

They are created by MsMpEng, and for some reason when Firefox is working it creates and deletes them in a constant loop.

I installed Nightly and it stopped for some time, but then after a while (or after I opened some site) it started happening again,
until I closed Firefox.

Also, they didn't stop appearing and disappearing INSTANTLY after I closed Firefox, but I think only after 1 or 2 minutes.
And starting up Creative Cloud probably also causes spamming of these files, but only for a short time.

So I started Nightly right now, and it DOESN'T cause any temp files in the system temp; I think it means that some site caused it, but I don't know.

Strange issue, it's like something saw that I figured out my USB problem with the new PC and decided to throw this cursed bug on me =_=

I think this is related, but no resolution:

https://answers.microsoft.com/en-us/windows/forum/windows_10-security/windows-defender-constantly-creates-and-reads/f5d48ecf-6446-40fd-b9e3-32ae5962b688
(In reply to silentprayercg from comment #14)
> They are created by MsMpEng, and for some reason when Firefox is working it
> creates and deletes them in a constant loop.

I honestly think MsMpEng is just misusing Sqlite, they should set TEMP_STORE to memory, especially on 64 bit systems. You should report the bug to MS Connect.
ehr, looks like Connect has been retired and now the supposed way to report bugs is the Windows Feedback Hub app.
(In reply to Marco Bonardo [::mak] from comment #15)
> (In reply to silentprayercg from comment #14)
> > They are created by MsMpEng, and for some reason when Firefox is working it
> > creates and deletes them in a constant loop.
> 
> I honestly think MsMpEng is just misusing Sqlite, they should set TEMP_STORE
> to memory, especially on 64 bit systems. You should report the bug to MS
> Connect.

And they will ask me to do sfc /scannow, which never helps, and stuff...

At least for now it hasn't done anything like that, at least with Nightly.
It will be hard to report something when I can't fully understand why and how it happens.

Well, if something like this happens I will try the feedback thingy...
If enough people report the problem in feedback, they may look into it, if nobody does they'll not even be aware, so I still suggest reporting it. I'll do the same now.
I reported this as a Problem in Security & Privacy / Windows Defender exploit protection
"Antimalware service misuses Sqlite"
"Antimalware service doesn't set Sqlite TEMP_STORE to memory, and ends up creating hundreds of apparently 0-size temporary Sqlite files in windows/temp, slowing down the system. The problem can be reproduced for example using Mozilla Firefox. Also see https://bugzilla.mozilla.org/show_bug.cgi?id=1441918"
I started having this issue yesterday (Firefox 60 and 61) out of nowhere, and I have previously seen this on other people's laptops, so I decided to investigate.

Process Monitor [https://docs.microsoft.com/en-us/sysinternals/downloads/procmon] showed the same behaviour as described in this issue. I decided to try to figure out what changed that triggered this, and to see if there was a workaround.

Current guess of the mechanism:
-------------------------------

1. Firefox starts up, MsMpEng starts scanning everything read/written by Firefox

2. Something (new!) in both the Roaming and Local (profile) directories of Firefox makes MsMpEng start writing out `etilqs_xxx` files into C:\Windows\Temp (probably to parse them)

3. MsMpEng detects that MsMpEng is writing out sqlite files, so it reads them, and (to parse them?) writes to the same (or new) `etilqs_xxx` files in C:\Windows\Temp

4. If you shut down Firefox, (3) eventually converges and completes (after a few minutes)

Attempts at workarounds:
------------------------

* Setting SQL_TMPDIR in environment variables (and restarting Windows) in the hopes that MsMpEng.exe writes them there, and that can be excluded. `etilqs_xxx` were still written into C:\Windows\Temp [ref: https://www.sqlite.org/tempfiles.html]

* Excluding AppData\Local\Mozilla. Did not work, same behaviour.

* Excluding AppData\Roaming\Mozilla. Did not work, same behaviour.

* Excluding both AppData\Roaming\Mozilla and AppData\Local\Mozilla. WORKED!

Possible fixes:

a) Windows Defender should use in-memory temporary sqlite dbs (who knows how long this will take to fix)

b) Figure out what triggered MsMpEng to use sqlite to parse something in Firefox's profiles. My best guess right now is that the size of some file (an sqlite db?) increased enough to trigger this codepath in MsMpEng, but the trace I have doesn't reveal anything to me. The internal structure of Firefox profiles has changed since I last looked at it.

I'm attaching some Process Monitor traces next, so that someone smarter than me can look at it :)
This process monitor log follows MsMpEng and starts from when Firefox was started, till when MsMpEng starts going crazy trying to read/write/create files in C:\Windows\Temp.

Filters you may want to use:

1. Show only disk I/O events
2. Include events with paths in AppData\Local\Mozilla and AppData\Roaming\Mozilla

Please tell me if you need any other traces.
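
Added illustration (not part of the original thread or of the attached traces): one way to triage a Process Monitor CSV export for the behaviour discussed in this bug, counting SQLite temp-file events per process and separating the stock `etilqs_` prefix from the `mz_etilqs_` prefix that Mozilla builds switched to. The sample rows, PIDs and paths are constructed, and the column names assume Procmon's default CSV export columns.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Constructed sample in the shape of a Process Monitor CSV export.
# Every row, PID and file name here is made up for the example.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001","MsMpEng.exe","2924","CreateFile","C:\Windows\Temp\etilqs_a1B2c3","SUCCESS",""
"10:01:02.0000102","MsMpEng.exe","2924","WriteFile","C:\Windows\Temp\etilqs_a1B2c3","SUCCESS","Offset: 0, Length: 0"
"10:01:02.0000203","MsMpEng.exe","2924","CloseFile","C:\Windows\Temp\etilqs_a1B2c3","SUCCESS",""
"10:01:02.0000304","MsMpEng.exe","2924","CreateFile","C:\Windows\Temp\etilqs_Zz9Yx8","SUCCESS",""
"10:01:02.0000405","firefox.exe","7140","WriteFile","C:\Users\test\AppData\Roaming\Mozilla\Firefox\Profiles\constructed.default\prefs.js","SUCCESS",""
"10:01:02.0000506","firefox.exe","7140","CreateFile","C:\Users\test\AppData\Local\Temp\mz_etilqs_Qw3Er4","SUCCESS",""
"10:01:02.0000607","System","4","ReadFile","C:\Windows\Temp\etilqs_a1B2c3","SUCCESS",""
'''


def classify_temp_file(path):
    """Classify a path by SQLite temp-file prefix.

    Returns "mozilla" for the mz_etilqs_ prefix, "stock" for SQLite's
    default etilqs_ prefix, and None for anything else. ntpath is used so
    Windows paths are split correctly on any analysis host.
    """
    name = ntpath.basename(path).lower()
    if name.startswith("mz_etilqs_"):
        return "mozilla"
    if name.startswith("etilqs_"):
        return "stock"
    return None


def tally_temp_files(csv_text):
    """Count SQLite temp-file events per (process name, PID).

    Each value holds the number of events touching stock-prefixed and
    Mozilla-prefixed temp files plus the set of distinct files involved.
    """
    # Exports can start with a UTF-8 byte-order mark; strip it so the first
    # header is read as "Time of Day" rather than "\ufeffTime of Day".
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    tally = defaultdict(lambda: {"stock": 0, "mozilla": 0, "files": set()})
    for row in reader:
        path = row.get("Path") or ""
        kind = classify_temp_file(path)
        if kind is None:
            continue  # not a SQLite temp file, e.g. prefs.js or a registry key
        entry = tally[(row["Process Name"], row["PID"])]
        entry[kind] += 1
        entry["files"].add(path.lower())
    return dict(tally)


def report(tally):
    """Return (process, pid, stock, mozilla, distinct_files) rows, busiest first."""
    rows = [
        (proc, pid, e["stock"], e["mozilla"], len(e["files"]))
        for (proc, pid), e in tally.items()
    ]
    return sorted(rows, key=lambda r: (-(r[2] + r[3]), r[0]))


if __name__ == "__main__":
    for proc, pid, stock, moz, files in report(tally_temp_files(SAMPLE_CSV)):
        print(f"{proc} (PID {pid}): etilqs_={stock} mz_etilqs_={moz} files={files}")
```

A process that only ever touches stock-prefixed files is using a SQLite build that keeps the default prefix, which is how the later comments rule out mozStorage.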
mkaply, since you often worked with AV providers, do we have any contacts with Microsoft we could use here?
Flags: needinfo?(mozilla)
Does it change anything if instead of excluding the mozilla profile folders, you just temporarily exclude the *.tmp extension?
Flags: needinfo?(nirbheek.chauhan)
(In reply to Marco Bonardo [::mak] from comment #23)
> Does it change anything if instead of excluding the mozilla profile folders,
> you just temporarily exclude the *.tmp extension?

I tried this:

1. Close Firefox, and all other programs

2. Open procmon and filter MsMpEng file I/O events

3. Remove profile folders from exclusion in Windows Defender

4. Add a filetype exclusion with extension 'tmp'

5. Start Firefox

Result: bad behaviour by MsMpEng, read/write/create `etilqs_xxx` files in C:\Windows\Temp
Flags: needinfo?(nirbheek.chauhan)
It doesn't happen to me anymore, at least yet.
I have a theory that some opened site or maybe an add-on causes this.

Also, how can I exclude an extension from Windows Defender?
I haven't worked much on the Microsoft side, but I know Jim has.
Flags: needinfo?(mozilla) → needinfo?(jmathies)
(In reply to Mike Kaply [:mkaply] from comment #26)
> I haven't worked much on the Microsoft side, but I know Jim has.

(In reply to Marco Bonardo [::mak] from comment #22)
> mkaply, since you often worked with AV providers, do we have any contacts
> with Microsoft we could use here?

Post to the microsoft list.
Flags: needinfo?(jmathies)
Sounds like this affects the current Nightly and versions as far back as 60, at least. 
Tracking for 62 and 63 so that I can keep an eye on the answers from Microsoft.
I can readily repro this, in case anybody needs another tester.
I'm currently using Firefox 61 x64 release and Windows 10 1803 with latest patches for OS including Windows Defender. I can confirm this is happening and only with Firefox. However I have tried to exclude Firefox's process (https://support.microsoft.com/en-ph/help/4028485/windows-10-add-an-exclusion-to-windows-defender-antivirus) (in exclusion page select process and enter "C:\Program Files\Mozilla Firefox\firefox.exe") and so far Windows Defender isn't exhibiting the problem anymore.
Wow glad someone pointed me here. I noticed this problem 2 days ago and since then was looking for people with same slowdown so I asked on reddit: https://www.reddit.com/r/techsupport/comments/8v5hrk/anyone_have_windows_defender_slowing_down/

If you have read my post on reddit, you'll see that Windows Defender 4.18.1806.18062 was installed on June 27th and that seems to coincide with my issue. Anyone else able to see when that version was installed and see if it coincides? Just look at the 4.18.1806.18062-0 folder date in "C:\ProgramData\Microsoft\Windows Defender\Platform".

Like pointed out by someone else above, the issue happens also when running Chrome so for now my only solution was to disable Windows Defender and use Malwarebytes (2 weeks free on pro version) until Microsoft comes up with a fix.

Tonight I saw Mark's solution so I turned on WD again and it works! But I also had to add Chrome to the exclusion list.

How come this was reported early in May (when we look at https://answers.microsoft.com/en-us/windows/forum/windows_10-security/windows-defender-constantly-creates-and-reads/f5d48ecf-6446-40fd-b9e3-32ae5962b688) and today we have to fight with this issue?

Hopefully someone from Microsoft will be notified quickly and a fix will come in a timely manner.
It still didn't happen for me, since I've installed ff beta (firefox quantum 62.0b4 64bit version)
My windows is 1803 17134.112 right now.
My temp is on the HDD now, and if it happens again I'm pretty sure I will notice it.

And now it's apparently not only FF, but Chrome too... Last time I noticed only that Creative Cloud causes the same behavior, but only for a short time, when starting up.
Fwiw, I notified our Microsoft contacts through the mailing list, I guess for now it's just matter of waiting.
It seems the problem is gone me.

Windows 10 1709
Build 16299.547

Firefox 61.0.1 (64-bit)
(In reply to Jason Metz from comment #34)
> It seems the problem is gone me.
> 
> Windows 10 1709
> Build 16299.547
> 
> Firefox 61.0.1 (64-bit)

It seems the problem is gone for me. typo
There should be a Defender update incoming in the next days/weeks. Someone using insider versions may already have it.
Open Windows Defender Security Center, click Settings, there should be a link on the right "information" or "about" (I'm sorry I have another locale than English, so I'm not sure what's the expected label here).
Your "Engine Version" should be greater or equal to 1.1.15100.1.

Once you can confirm you have that version, please test and let us know.
Thanks Microsoft for investigating the problem.
(In reply to Marco Bonardo [::mak] from comment #36)
> Thanks Microsoft for investigating the problem.

How do you know they have acknowledged the problem and that they are working on fixing it?
We have contacted them.
(In reply to Marco Bonardo [::mak] from comment #36)
> There should be a Defender update incoming in the next days/weeks. Someone
> using insider versions may already have it.
> Open Windows Defender Security Center, click Settings, there should be a
> link on the right "information" or "about" (I'm sorry I have another locale
> than English, so I'm not sure what's the expected label here).
> You "Engine Version" should be greater or equal to 1.1.15100.1.
> 
> Once you can confirm you have that version, please test and let us know.
> Thanks Microsoft for investigating the problem.

I have Engine Version 1.1.15000.2 and the problem still exists. Huge disk usage by creating and writing etilqs files.

It happens with any network traffic, not only Firefox. But I've only started noticing it after installing Firefox yesterday (Jul 16).

Disabling WD real-time protection stops the issue.
Marco said we need to wait for 15100, unfortunately for such an issue it's slow to get the fix.

I wish I could see the patch notes for this new release. "We have contacted them." doesn't tell us much...
(In reply to rhialto from comment #37)
> (In reply to Marco Bonardo [::mak] from comment #36)
> > Thanks Microsoft for investigating the problem.
> 
> How do you know they have acknowledged the problem and that they are working
> on fixing it?

Mozilla developers and Microsoft developers have discussed this issue over email.
(In reply to rhialto from comment #40)
> Marco said we need to wait for 15100, unfortunately for such an issue it's
> slow to get the fix.
> 
> I wish I could see the patch notes for this new release. "We have contacted
> them." doesn't tell us much...

Totally mistook the 1 for a 0. Not a good thing for a software person, ha.
As noted previously here: this has been identified as a MS issue, and they are rolling out a fix soon. So nothing for us to track, not a Firefox bug.
I am using Engine Version: 1.1.15100.1 and I am still seeing higher cpu usage with windows defender when using firefox than with chrome for the same browsing still.
I am using Firefox 61.0.1 x64 on Windows 10 ver. 1803 build 17134.167

When I run or close Firefox, Windows Defender loads the CPU on almost 30%. It is slowing down my OS for a minute, maybe.
(In reply to atosdo from comment #45)
> When I run or close Firefox, Windows Defender loads the CPU on almost 30%.
> It is slowing down my OS for a minute, maybe.

What's your Windows Defender Engine Version? (see comment 36).
Anyway, at this point there's no strict reason to keep this under Storage, we already clarified it's not mozStorage causing the problem.
Component: Storage → General
Product: Toolkit → Firefox
(In reply to Marco Bonardo [::mak] from comment #46)
> (In reply to atosdo from comment #45)
> > When I run or close Firefox, Windows Defender loads the CPU on almost 30%.
> > It is slowing down my OS for a minute, maybe.
> 
> What's your Windows Defender Engine Version? (see comment 36).

Anti-malware client version: 4.18.1806.18062
Subsystem version: 1.1.15100.1
The version of the antivirus program: 1.273.266.0
Anti-spyware version: 1.273.266.0
Even with Windows Defender turned off, there are instances where Firefox has excessive disk activity. Heavy writes to SSD just by scrolling down on a webpage using a new profile. Bug 1478417.
Logs, taken with Windows Defender disabled and using a new Firefox profile.

https://bugzilla.mozilla.org/attachment.cgi?id=8995411
Component: General → Other
Product: Firefox → External Software Affecting Firefox
I fixed the issue, for now, by deleting some Windows Defender database files as mentioned in this thread:

[MODIFYING SYSTEM FILES. DO IT AT YOUR OWN RISK.]
https://www.tenforums.com/performance-maintenance/114874-high-cpu-usage-windows-defender-4.html#post1432496

I removed all the exclusions in Defender. Defender's CPU usage still spikes when browsing with Nightly but Defender does not affect the performance as much as before.

Antimalware Client Version: 4.18.1807.18075
Engine Version: 1.1.15100.1
Antivirus Version: 1.273.1208.0
Antispyware Version: 1.273.1208.0
OH MY GOD,

I can't believe how fast my Laptop is right now after uninstalling "Microsoft Security Essentials" and installing "Avast" antivirus on my "Windows 7 Professional x 64 bit"!

I really still can't believe that "Microsoft Security Essentials" was the culprit for my Laptop slowness for over 1 to 2 months! (problem started from June!)

I was already thinking that my relatively new purchased Laptop was already malfunctioning and I was already thinking on replacing it!

Shame on you Micro$oft, 2 MONTHS ? 2 MONTHS and you still didn't fix this bug yet?

I am\was a 8 years "Microsoft Security Essentials" user, but "This Is It", I will never ever use it again! NEVER EVER!
One user reports this happening whenever prefs.js is altered which occurs almost every page load when sync is enabled due to services.sync.globalScore changing between 0-4. Disabling sync, using a private window or whitelisting prefs.js in Windows Defender avoids the problem.

https://www.reddit.com/r/firefox/comments/97ye1k/windows_defender_makes_firefox_virtually_unusable/e4c8pms/
Flags: needinfo?(dolske)
This problem happens on Windows 8.1 as well, I had to add Firefox to excluded processes to avoid the 30% CPU usage from MsMpEng whenever I did an action on Firefox (adding the prefs.js file to exclusions didn't work for me).

Problem reported back in February, we're midway into August and the problem is still happening.

Why is Firefox having so much bad luck lately? first chrome-only pages, next youtube slowing it down and now Microsoft slowing it down as well...
(In reply to Fanolian from comment #51)
> I fixed the issue, for now, by deleting some Windows Defender database files
> as mentioned in this thread:
> 
> [MODIFYING SYSTEM FILES. DO IT AT YOUR OWN RISK.]
> https://www.tenforums.com/performance-maintenance/114874-high-cpu-usage-windows-defender-4.html#post1432496

This worked for me too. I killed the msmpeng.exe process with process hacker, deleted all three mpenginedb.db files from the folder C:\ProgramData\Microsoft\Microsoft Antimalware\Scans, restarted the process, and it was happy. Yes, it automatically re-created the files at a much smaller size. The main db file was 114MB before deleting, now is 4KB. I haven't noticed any negative consequences resulting from deleting these files so far.

Before deleting those files, msmpeng.exe would consistently drain 8% cpu when browser was open and in foreground. Now it spikes to 1% briefly only when a page is loading, then returns to idle. Sounds like it's back to normal.
Flags: needinfo?(dolske)
Should we contact Microsoft about this problem or is there a workaround we could employ?
Flags: needinfo?(jmathies)
I wound up disabling Windows Defender via the registry, because it was making my dual-Xeon workstation unusable. :-/
I don't see the etilqs files or high IO activity reported previously which may have been fixed by 1.1.15100.

I tried reproducing comment 53 myself but could only see small 3% MsMpEng spikes when changing prefs.js, not the "15% of my CPU for 4 or so seconds" which was claimed. However I do see this kind of behavior when loading websites.

I reloaded youtube.com six times with Ctrl+F5 on Firefox, Edge and Chrome, visualizing MsMpEng performance with Process Explorer. Firefox produces consistent 15% CPU spikes while the others only around 3%. I tried looking for a regression on the Firefox side but the behavior was the same going back to 2014. Excluding the process "firefox.exe" from Windows Defender avoids any CPU usage.

Testing was done on a new Windows 10 1803 installation running in a VM (1 CPU @ 3GHz) with default Windows Defender settings.

Antimalware Client Version: 4.18.1807.18075
Engine Version: 1.1.15100.1
Antivirus Version: 1.273.1723.0
Antispyware Version: 1.273.1723.0
(In reply to Kestrel from comment #58)
> I reloaded youtube.com six times with Ctrl+F5 on Firefox, Edge and Chrome,
> visualizing MsMpEng performance with Process Explorer. Firefox produces
> consistent 15% CPU spikes while the others only around 3%. 

Can you please try to disable the disk cache in 'about:config' with browser.cache.disk.enable switched to false and let us know?  Thanks.
Flags: needinfo?(ke5trel)
With browser.cache.disk.enable = false, MsMpEng is around 3% CPU with the same test case, similar to other browsers (also observed in comment 53 with private windows). Excluding the profile's cache folder in Windows Defender has a similar effect.

Using Process Monitor to count MsMpEng events for 30 seconds after reloading youtube.com (Ctrl+F5) I get the following (numbers are very rough):

Firefox (disk cache on): 1300 total events, 800 cache events, 50 files, 3MB
Firefox (disk cache off): 300 total events, 0 cache events, 0 files, 0MB
Chrome: 500 total events, 90 cache events, 10 files, 2MB
Edge: 400 total events, 0 cache events (800 ignored), 45 files, 7MB

A large number of cache events requires MsMpEng to do more work. Chrome has fewer cache events and writes fewer files to disk while Edge is excluding cache files from real-time scanning (and treats them as protected OS files).
Flags: needinfo?(ke5trel)
(In reply to Kestrel from comment #61)

Thanks!  These are very interesting numbers and findings.

Can you please define what exactly a "cache event" means?

The other interesting bit about Edge treating the cache files as protected files, how exactly have you determined that and where does the storage resides for you on disk?
(In reply to Marco Castelluccio [:marco] from comment #56)
> Should we contact Microsoft about this problem or is there a workaround we
> could employ?

Seems like a good place to start would be to post to the Microsoft list. We shouldn't be getting dragged down by Microsoft's any-malware activities.
Flags: needinfo?(jmathies)
Kestrel, please see comment 62.  Thanks.
Flags: needinfo?(ke5trel)
I see we already contacted Microsoft, I've contacted them again to make them aware that the problem persists for some users.
Microsoft suggested to send feedback directly to them through the feedback hub, with these steps:
1. When submitting new feedback for Windows Defender, please be sure you file a 'Problem' (not suggestion);
2. Pick "Category: 'Security and Privacy'" and "Subcategory: 'Windows Defender Antivirus'";
3. After summarizing and giving verbose details, press "Recreate my problem". Make sure you check "Include Data about" Windows Defender Antivirus (Default) and press "Start Capture" to start collecting logs/traces;
4. Reproduce your scenario that causes the issue;
5. Once you are done reproducing the issue, go back to the Feedback app and click the 'Stop Capture' link;
6. And of course submit the feedback to finalize the process!

After this, you should receive an email with a feedback ID. If you send it to me I will send it directly to Microsoft to speed up the investigation.
Assignee: nobody → honzab.moz

Sorry, I'm constantly not getting to this; releasing for anyone else to take over.

Assignee: honzab.moz → nobody
Flags: needinfo?(ke5trel)
Whiteboard: [qf]

Marco - what has happened with Microsoft here? Do you know if it's still happening; if so can you guess how common it is?

Flags: needinfo?(mcastelluccio)

Marking this as p2 since any user with an HDD will likely experience real pain from anything that triggers windows defender to be more active.

Whiteboard: [qf] → [qf:p2:resource]

No news. This was the discussion with Microsoft: https://groups.google.com/a/mozilla.com/forum/#!topic/mozilla-microsoft-discuss/r9-o4W7kBMo.
In the last email they sent me (directly, not on that mailing list) they pretty much asked what I said in comment 66.

Flags: needinfo?(mcastelluccio)

Thunderbird also sometimes encounters performance issues with defender - https://mzl.la/2X0xpze

Summary: Antimalware Service Executable very active when using Firefox → Antimalware Service Executable (Windows Defender) very active / high CPU when using Firefox

Still happening today. After a while with Firefox Nightly 80 open the laptop fans start going to max and I check the Task Manager, lo and behold there's Firefox choking the entire CPU and the AntiMalware service CPU usage a little bit higher whenever that is happening. Every single day this annoying thing happens and every single time I have to close Firefox and open it again to stop it. Every single time I have to lose any progress I have just to stop this idiotic nonsense.
I already excluded all the Firefox folders from scans, I also excluded temp folders and cache folders, this is an absolutely horrible experience.
There have been situations where the Firefox was left open overnight and all night long the CPU was hammered and the fans at max speed, the whole night. This deteriorates the laptop lifetime and I don't know how much longer I will be waiting for this to be fixed before just dropping Firefox completely.

Hi, can you follow the steps in https://bugzilla.mozilla.org/show_bug.cgi?id=1441918#c66 and report the feedback ID? We can try to nudge Microsoft to look into it perhaps.

There's nothing actionable in Firefox itself here, unfortunately.

Flags: needinfo?(particlecore)