Announcing performance analyzer for Microsoft Defender Antivirus

Published Sep 07 2021 08:34 AM
Microsoft

Microsoft Defender Antivirus provides always-on, real-time protection and on-demand antivirus scans on files to protect environments from malicious entities. However, scans can sometimes take a while to complete due to factors such as environment configurations, longer processes, or unknown files.

 

IT admins, developers, and other users need visibility into the impact of these scans so they can troubleshoot, assess, and address any performance issues.

 

We are excited to announce performance analyzer for Microsoft Defender Antivirus (available with the Defender platform update 4.18.2108.7+). This new PowerShell command-line tool assists in the collection of performance recordings on an individual endpoint and reports information for top scans, processes, files, and file extensions most affected by Microsoft Defender Antivirus.

 

Performance analyzer is simple to use, requires no installations, and focuses specifically on Microsoft Defender Antivirus system scan data. This feature provides data in a programmatic, consumable way for admins and other users to easily analyze the results.

 

How it works

 

To analyze performance, open Windows PowerShell and run performance analyzer using the cmdlet:

New-MpPerformanceRecording -RecordTo <recording.etl>

Performance analyzer collects a recording of Microsoft Defender Antivirus events to be analyzed.

During this time, carry out the tasks that you think may have been causing the performance impact so that performance analyzer can record them. When you have finished, press <Enter> to stop and save the recording.

 

Once the recording is completed, the cmdlet

Get-MpPerformanceReport

enables you to view full tabular performance reports that show the top files, scans, file extensions, and processes causing the highest impact.

Image caption: Parameters for cmdlet Get-MpPerformanceReport

 

Based on the specified parameters, the report includes data sorted by count, duration, and path.

Image caption: Preview of report for top 10 files that impact scan time.

 

You can use nested grouping to get a more detailed report. For example:

Get-MpPerformanceReport -Path <recording.etl> -TopProcesses:3 -TopScansPerProcess:5

will display a report of the top 3 processes that impact scan time and the top 5 scans associated with each.

Image caption: Preview of report for top 3 processes that impact scan time and the top 5 scans associated with each

 

You can also use multiple queries:

Get-MpPerformanceReport -Path <recording.etl> -TopExtensions:10 -TopProcesses:3 -TopScansPerProcess:5

Image caption: Preview of report for top 10 extensions, top 3 processes, and top scans per process that impact scan time

 

Other functionalities

 

Using the -MinDuration parameter:

You can also report only on top scans that have a certain minimum duration. The sample report previews the top 100 scans that took a minimum of 100 ms.

 

Exporting & Converting to CSV and JSON:

You can also export the results of the analyzer to a CSV file, or convert them to CSV or JSON. The following are examples.

To export to CSV:

(Get-MpPerformanceReport -Path:.\Repro-Install.etl -TopScans:1000 -MinDuration:30ms).TopScans | Export-Csv -Path:.\Repro-Install-Scans.csv -Encoding:UTF8 -NoTypeInformation

To convert to CSV:

(Get-MpPerformanceReport -Path:.\Repro-Install.etl -TopScans:1000).TopScans | ConvertTo-Csv -NoTypeInformation

To convert to JSON:

(Get-MpPerformanceReport -Path:.\Repro-Install.etl -TopScans:1000).TopScans | ConvertTo-Json -Depth:1

For more information, see Performance analyzer for Microsoft Defender Antivirus.

 

Requirements and availability:

Availability: Early September with release of the Defender August Platform version

Defender Platform version: 4.18.2108.7+

Supported OS versions: Windows 10+ and Windows Server 2016+

PowerShell version: PowerShell version 5.1
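
The record, report and export steps above as one script, with a pre-flight check against the platform version listed in the requirements and a single retry using the wpr -cancel workaround quoted in the comments below. This is an added example, not Microsoft's code; the $Recording and $OutDir paths are placeholders, and the elevated-session requirement and the AMProductVersion property of Get-MpComputerStatus are not stated on this page.

```powershell
#Requires -Version 5.1
#Requires -RunAsAdministrator
# Added example, not Microsoft's code. Both default paths are placeholders.
param(
    [string]$Recording = (Join-Path $env:TEMP 'defender-scans.etl'),
    [string]$OutDir    = (Join-Path $env:TEMP 'defender-perf-report')
)
$ErrorActionPreference = 'Stop'

# 1. Pre-flight: the cmdlets ship with Defender platform 4.18.2108.7 or later.
$minPlatform = [version]'4.18.2108.7'
$platform    = [version](Get-MpComputerStatus).AMProductVersion
if ($platform -lt $minPlatform) {
    throw "Defender platform $platform is older than $minPlatform; update the platform first."
}
foreach ($cmd in 'New-MpPerformanceRecording', 'Get-MpPerformanceReport') {
    if (-not (Get-Command -Name $cmd -ErrorAction SilentlyContinue)) {
        throw "$cmd is not available in this session."
    }
}

# 2. Record. Reproduce the slow workload while this runs, then press Enter.
#    -ErrorAction Stop is passed explicitly so that a failure reaches the catch block.
function Start-Recording {
    New-MpPerformanceRecording -RecordTo $Recording -ErrorAction Stop
}
try {
    Start-Recording
}
catch {
    # Known issue from the comments: a stale WPR session blocks a new recording.
    # The match relies on the error text quoted in that reply.
    if ($_.Exception.Message -notlike '*already recording*') { throw }
    Write-Warning 'Stale recording session found; cancelling it and retrying once.'
    wpr -cancel -instancename MSFT_MpPerformanceRecording
    Start-Recording
}
if (-not (Test-Path -LiteralPath $Recording)) {
    throw "No recording was written to $Recording."
}

# 3. Report: scans of at least 100 ms, plus top processes (with their scans)
#    and top extensions, using only parameters shown in the article.
$reportArgs = @{
    Path               = $Recording
    TopScans           = 100
    MinDuration        = '100ms'
    TopProcesses       = 3
    TopScansPerProcess = 5
    TopExtensions      = 10
}
$report = Get-MpPerformanceReport @reportArgs -ErrorAction Stop

# 4. Export every populated Top* section to JSON. The section names are read
#    from the returned object instead of being hard-coded, and a depth of 3
#    keeps nested results that -Depth:1 or a flat CSV would turn into strings.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$sections = $report.PSObject.Properties |
    Where-Object { $_.Name -like 'Top*' -and $_.Value }
foreach ($section in $sections) {
    $file = Join-Path $OutDir ('{0}.json' -f $section.Name)
    $section.Value | ConvertTo-Json -Depth 3 |
        Set-Content -LiteralPath $file -Encoding UTF8
    Write-Host ('{0,-16} {1,5} rows -> {2}' -f $section.Name, @($section.Value).Count, $file)
}
```

The recording and the exported reports contain file and process paths from the endpoint, so store them with the same care as other diagnostic data.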

 

We’re excited to offer you this new tool to assess performance related to Microsoft Defender Antivirus. We welcome your questions and feedback in the comments!

 

9 Comments
Occasional Contributor

Hello,

This looks like a great tool!  

Will there be a session on Defender in the future including this tool, e.g. a demo, how to analyse the results and how to action them?

How would we securely make exceptions based on this data? E.g. will exceptions be able to be more fine-grained in the format WDAC/AppLocker does them in the future? I’d much rather do certificate combined with path and vendor etc. than a straight-up process name or folder. These are easily read and abused.

Will you be able to apply different scan types based on the exception, e.g. write only or read only? This could be used to mitigate performance issues for developers, for example, without fully allowing a process.

Lastly, will this be able to initiate this from Defender for Endpoint and get a result from the interface? Looking after 10k plus clients, getting these results can be time consuming.

Again thank you!  Great progress. 

Microsoft

@mbhmirc Hi! Thank you for your feedback. We will note it for future consideration of the product. We do not currently have a demo session planned or specific exclusion guidance, but we can look into some options. We will update when more details are ready. 

Occasional Visitor

Does it also capture if the device has the latest Defender version?

Occasional Contributor

Now all we need is to have this be part of Endpoint Analytics.

Senior Member

Hi Marysia, looks good! Is there any chance to present performance output in a graph? Maybe some kind of charts in the Intune console in the near future? Cheers.

Microsoft

@Sachin_galagali2025 The performance analyzer does not provide information to the user on whether they are using the latest Defender version.

Microsoft

@Przem0 At the moment there is no such option. Thank you for your feedback on this.

Senior Member

@marysia_k

Hi, I have tried running the commands and it errors.

I get the below problem. I've got an application on the server that is 'playing up'. We THINK it's Defender causing the issues, but need to check.

Please help.

Thank you

Kind Regards

 

Microsoft

@Tha_Dude When running a recording, if you get the error "Cannot start performance recording because Windows Performance Recorder is already recording", please run the following command to stop the existing trace with the new command: wpr -cancel -instancename MSFT_MpPerformanceRecording. We are aware of this bug and working on a fix. We have also documented this command here: Performance analyzer for Microsoft Defender Antivirus | Microsoft Docs

Last update: Sep 13 2021 12:07 PM