Microsoft Defender Antivirus provides always-on, real-time protection, and on-demand antivirus scans on files to protect environments from malicious entities. However, there are times that scans can take a while to complete due to various factors such as environment configurations, longer processes, or unknown files.
IT admins, developers, and other users need visibility into the impact of these scans so they can troubleshoot, assess, and address any performance issues.
We are excited to announce performance analyzer for Microsoft Defender Antivirus (available with the Defender platform update 4.18.2108.7+). This new PowerShell command-line tool assists in the collection of performance recordings on an individual endpoint and reports information for the top scans, processes, files, and file extensions most affected by Microsoft Defender Antivirus.
Performance analyzer is simple to use, requires no installations, and focuses specifically on Microsoft Defender Antivirus system scan data. This feature provides data in a programmatic, consumable way for admins and other users to easily analyze the results.
To analyze performance, from a Windows PowerShell, run performance analyzer using the cmdlet:
New-MpPerformanceRecording -RecordTo <recording.etl>
As shown in the image below, performance analyzer collects a recording of Microsoft Defender Antivirus events to be analyzed.
During this time, carry out the tasks that you think may have been causing the performance impact so that performance analyzer can record them. When you have finished, press <Enter> to stop and save the recording, as shown in the image below.
Once the recording is completed, the Get-MpPerformanceReport cmdlet enables you to view full tabular performance reports that show the top files, scans, file extensions, and processes causing the highest impact.
Image caption: Parameters for cmdlet Get-MpPerformanceReport
Based on the specified parameters, the report includes data sorted by count, duration, and path.
Image caption: Preview of report for Top 10 files that impact scan time.
You can use nested grouping to get a more detailed report.
For example: Get-MpPerformanceReport -Path <recording.etl> -TopProcesses: 3 -TopScansPerProcess: 5 will display a report of top 3 processes that impact scan time and the top 5 scans associated with each.
Image caption: Preview of report for top 3 processes that impact scan time and the top 5 scans associated with each
You can also use multiple queries:
Get-MpPerformanceReport -Path <recording.etl> -TopExtensions: 10 -TopProcesses:3 -TopScansPerProcess:5
Image caption: Preview of report for top 10 extensions, top 3 processes, and top scans per process that impact scan time
You can also report only on top scans that have a certain minimum duration. In the image below, the report displays a sample preview of the top 100 scans that took a minimum of 100 ms.
You can also export or convert the results of the analyzer to CSV or JSON. The following are examples.
To export to CSV:
(Get-MpPerformanceReport -Path:.\Repro-Install.etl -TopScans:1000 -MinDuration:30ms).TopScans | Export-Csv -Path:.\Repro-Install-Scans.csv -Encoding:UTF8 -NoTypeInformation
To convert to CSV:
(Get-MpPerformanceReport -Path:.\Repro-Install.etl -TopScans:1000).TopScans | ConvertTo-Csv -NoTypeInformation
To convert to JSON:
(Get-MpPerformanceReport -Path:.\Repro-Install.etl -TopScans:1000).TopScans | ConvertTo-Json -Depth:1
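The export examples above hand you the raw list of slow scans; the script below, an added example that is not part of the original post or of the Defender tooling, builds on the same Get-MpPerformanceReport call to roll those scans up per initiating process, so you can see which process drives the scan cost before deciding whether anything needs tuning. It assumes the objects in .TopScans expose Duration (as a TimeSpan), Path and ProcessPath properties; adjust the property names if your platform version reports different ones.

```powershell
# Added example (not from the original post or the Defender tooling): summarize a
# performance recording per process so the heaviest scan sources can be reviewed.
# Assumptions: .TopScans objects expose Duration (TimeSpan), Path and ProcessPath.
param(
    [Parameter(Mandatory)] [string] $Recording,   # e.g. .\Repro-Install.etl
    [int]    $TopScans    = 1000,
    [string] $MinDuration = '30ms',
    [int]    $TopN        = 10
)

if (-not (Test-Path -Path $Recording)) {
    throw "Recording not found: $Recording"
}

# Pull the slowest scans from the recording, as in the post's CSV export example.
$scans = (Get-MpPerformanceReport -Path $Recording -TopScans $TopScans -MinDuration $MinDuration).TopScans
if (-not $scans) {
    Write-Warning "No scans longer than $MinDuration were found in $Recording."
    return
}

# Aggregate per initiating process: total and average scan time, scan count,
# and the single longest scan, so the output answers "which process costs the most?"
$byProcess = $scans |
    Group-Object -Property ProcessPath |
    ForEach-Object {
        $totalMs = ($_.Group | ForEach-Object { $_.Duration.TotalMilliseconds } | Measure-Object -Sum).Sum
        $longest = $_.Group | Sort-Object -Property Duration -Descending | Select-Object -First 1
        [pscustomobject]@{
            ProcessPath = $_.Name
            ScanCount   = $_.Count
            TotalScanMs = [math]::Round($totalMs, 1)
            AvgScanMs   = [math]::Round($totalMs / $_.Count, 1)
            LongestPath = $longest.Path
            LongestMs   = [math]::Round($longest.Duration.TotalMilliseconds, 1)
        }
    } |
    Sort-Object -Property TotalScanMs -Descending |
    Select-Object -First $TopN

$byProcess | Format-Table -AutoSize

# Keep a CSV beside the recording for a ticket or a later before/after comparison.
$csv = [IO.Path]::ChangeExtension($Recording, '.by-process.csv')
$byProcess | Export-Csv -Path $csv -Encoding UTF8 -NoTypeInformation
Write-Host "Wrote $csv"
```

Because the script reads an existing .etl, it can be run on a copy of the recording on an analysis workstation rather than on the endpoint that produced it.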
For more information, see Performance analyzer for Microsoft Defender Antivirus.
Requirements and availability:
Availability: Early September with release of the Defender August Platform version
Defender Platform version: 4.18.2108.7+
Supported OS versions: Windows 10+ and Windows Server 2016+
PowerShell version: PowerShell version 5.1
We’re excited to offer you this new tool to assess performance related to Microsoft Defender Antivirus. We welcome your questions and feedback in the comments!