Firefox engineers discover a Windows Defender bug that causes high CPU usage (bugzilla.mozilla.org)
630 points by mconley on April 5, 2023 | hide | past | favorite | 215 comments


TL;DR: Windows Defender had a bug that made certain system calls expensive on CPU cycles when Defender's Real-time Protection feature is enabled. After discovery, Mozilla reported this issue to Microsoft. Microsoft is releasing a patch that should result in lower CPU usage when using Firefox on sites like YouTube (a ~75% CPU usage reduction was noted when browsing YouTube in Firefox with the fixed version of Defender).

It seems like the HN submission form truncated the # from the end of the URL I linked to, which linked to the relevant comment. I'll try that here:

https://bugzilla.mozilla.org/show_bug.cgi?id=1441918#c82

and

https://bugzilla.mozilla.org/show_bug.cgi?id=1441918#c91


It's not just mozilla, been working defender issues for the last few years on thousands of windows VMs. Mostly due to enabling the more intensive heuristic real time engine and they have different code bases depending on versions installed on different windows builds, and patching does seem to trigger it. For months we had issues where we couldn't log into some VMs due to high cpu for defender, and had to bounce the VM and apply a temp defender fix.

I think it's a growing issue, as they mature/migrate their older code base, issues become less frequent.


I have malwarebytes premium and defender CPU usage is nearly 100% at times bringing Firefox to a halt. Chrome works fine. I've been blaming Firefox so far.


In my experience (as a former Firefox dev), antivirus / antimalware software are really poorly behaved. They tend to:

- require admin rights (which means that if they have vulnerabilities, it can take control of the entire machine, even if Firefox itself is sandboxed);

- monkey-patch the Firefox executable in memory, which works (when it does) as long as the version of the software tracks closely the version of Firefox, which may or may not be the case;

- ... and also decreases the memory-safety of Firefox, which makes it easier to pwn;

- ... and also makes the crash reports unreliable;

- install encryption certificates that are actually less trustworthy than Mozilla's, hence decreasing the security of https;

- block Firefox and add-on security updates, also decreasing security;

- install privileged add-ons, many of which are easy to exploit from any webpage;

- ...

Part of the work on Crash Scene Investigations was attempting to determine whether the crash was in Firefox or in code or in some bogus foreign code. Depressingly often, it was the latter.

In your case, it's entirely possible that malwarebytes was simply untested on Firefox.


> - monkey-patch the Firefox executable in memory, which works (when it does) as long as the version of the software tracks closely the version of Firefox, which may or may not be the case;

This one was a frustratingly common cause of crashes when I worked in gamedev. So many crashes would end up being some overlay or antivirus monkeying about with memory.


> Part of the work on Crash Scene Investigations was attempting to determine whether the crash was in Firefox or in code or in some bogus foreign code. Depressingly often, it was the latter.

A shockingly large number of crashes and performance issues in PC gaming are related to poorly behaved overlay programs and overclocking tools like RivaTuner, Overwolf, and the Discord Overlay. I'd well believe your points.


I had always assumed that one application could not touch the memory of another application. Does running as Admin allow breaking this boundary?


Yes, in general on Windows processes with higher privilege levels can get access to read/write another process's memory, or even inject code into them. And even Admin-level processes can still be broken into by something running as a service with even more elevated privileges like NT AUTHORITY\SYSTEM.

This has long been a leaky part of Windows security. If your malware can get its code running inside a highly privileged service or process, it can do more or less whatever it wants to the rest of the system. But even when not used for nefarious purposes, it is still an extremely dangerous capability in that it can be very easy to create problems.


Anything you run as your user can be accessed.


By default, any application's memory can be read and written to by other processes running as the same user, as far as I know. The way to deal with this is to set process security descriptors, but admin can still bypass this. There are protected processes, and protected processes light, but those are not used by most software (mainly anti-malware afaik.)

https://learn.microsoft.com/en-us/windows/win32/procthread/p...


> There are protected processes, and protected processes light, but those are not used by most software (mainly anti-malware afaik.)

...and DRM.


Although that was definitely the intent, I actually don't know about specific things that use it. I'd love to hear what actually uses it. (I don't think Widevine l3 does, for example.)


I seem to recollect that iTunes did, but maybe that was just on OSX.


This is wrong, on Windows there are system calls to access memory of other process and on Linux you can do it using debugging. Also on Windows there is a tradition to inject libraries into other processes, create threads in processes etc.


On Linux, ptrace permissions can be restricted [0] and some distributions do this by default.

Whether this provides any meaningful security is questionable unless you pair it with filesystem isolation to prevent malicious programs from modifying config files / bashrc / etc. Meanwhile it does make legit uses of ptrace more annoying.

[0] https://www.kernel.org/doc/Documentation/security/Yama.txt


cheatengine, wemod, and so on would not be able to work if this were the case. Thankfully those all work, at least up to windows 10!


They work just fine in windows 11 so far.


Or userland debuggers.


This is an EXTREMELY common pattern in the world of Windows... Especially with antivirus


Yes. However, I think parent process can gain access to child process memory without admin rights.


All that's generally required is being the same user at the same or higher integrity.


How you debug then?


> - install encryption certificates that are actually less trustworthy than Mozilla's, hence decreasing the security of https;

Given that in many industries insurances and, in some cases like banking, the law requires companies to monitor HTTPS traffic of browsers for compliance, it might be better if browsers had a dedicated filter / monitor API.


WebExtensions definitely have such an API. That's how AdBlock, uBlock, etc. work.


This almost reads like Defender makes machines less secure on purpose.

Makes me wonder: Does windows Defender just double as another deliberate NSA backdoor?


Why would Microsoft need to put an NSA backdoor specifically into Defender when it could put it anywhere else into Windows with their monthly patch? It doesn't make sense to single out Defender.

The same is valid for Apple, Google, and every other US company.


Pretty sure Defender is one of the few anti malware/EDR that doesn't need to do this, because it's so tied to the platform. 3rd party antimalware and EDR are much more likely to inject hooks and DLLs into other processes.


I am on Windows 10, Malwarebytes premium and using Firefox Nightly on Youtube right now and it is using minuscule CPU and has done so for a long time. On an i7 4790k desktop machine.

Firefox itself is at 4-5% and the whole machine is at 14%

Normal Firefox was also fine last I used it.


Did you report this on Bugzilla? Even if it's not Firefox's fault if you don't report it no-one knows about the issue.

Recent versions of Firefox allow you to block some stuff like that: https://support.mozilla.org/en-US/kb/identify-problems-third...

Though it's possible they use different code injection tricks to make blocking impossible. (You can't block Defender from listening to events for example)


I'm curious how much excess energy has been consumed, and won't be consumed any longer, as a result of this improvement - even just limited to reduced CPU usage on Windows machines using Firefox to watch Youtube.

I love thinking about the impacts of tiny improvements at scale like this, might do some napkin math on it later and see if I can come up with something in the right order of magnitude.


Now calculate the man years lost to fixing strings represented as exponents in excel.


firefox browser share is teeny tiny these days



Teeny tiny multiplied by 7 Billion by 365 days per year by 24 hours per day by a fraction of a kW does add up.



Oh no! My mistake.


7B people are not watching youtube on Firefox 24/7 365 days a year.


Correct. Some teeny tiny fraction of market share is. For the conceptual calculation, I refer you to my earlier comment.


But at any given moment someone is.


Next: Canadian cars and their daytime running lights.


Running lights during daytime seems to reduce crashes by about 5-10%, and crashes consume a lot of energy. Depending on crash severity there's at a minimum the wasted time for all involved parties and frequently the necessity for repairs (including the production of replacement parts, paint etc), and at the high end the involvement of emergency personnel and their vehicles, hospital beds, doctors, the production of entire new cars as replacement for totaled ones, etc.

I'm not so sure that running lights isn't a net positive, especially with the introduction of LED lights.


On the other hand, crashes also kill people who will then stop using any energy.


Next: internal combustion engines doing more heat than torque.


That's a feature in winter. Portable propane heaters for cars are a thing. I think they'll sell a lot for EV cars.


I don't know. It's not a thing in Norway and we have plenty of gas, electric cars, and cold weather.


Even LED DLRs?


> "Windows Defender had a bug that made certain system calls expensive"

It also has a bug(?) which makes method calls 100x slower in PowerShell 7:

https://github.com/PowerShell/PowerShell/issues/19431


Note that this issue is not exclusive to MS Defender, but likely all Windows AV products to varying degrees:

> > I would also like to add that this high CPU usage issue while using Firefox is not exclusive to Microsoft Defender. It's an issue for Norton's AV products also and should be the same for Symantec Endpoint products too.

> > So, you should also test them.

> It is true that we should analyze the situation with other AV vendors, however, given the numbers shared above, and given how relevant it is to keep track of memory protection changes in order to detect malicious behavior, it is very likely that the explanation for Windows Defender also applies (at least in part) to other AV vendors.

Can we get edit on the title?


I've seen some really weird performance behavior from Defender and I just keep it disabled on my desktop device now. I'm not surprised to see it affecting Firefox like this. Defender's dropped all the way to the bottom of the list in effectiveness anyway, so I don't feel it's a big loss.


Ok, I've put that back in the URL above. Thanks.


The biggest surprise for me was Microsoft actually fixing it.


Is that because you don't expect programmers in general to fix their bugs? Or do you think Microsoft in particular don't care about their products?


Because once a corporation grows larger than some singularity threshold, there seems to be a bug event horizon where all bug reports just disappear.

Send a bug report to a five-person software company, their lead dev contacts you the same day and has a patched version ready to go in a week. Send a bug report to Microsoft / Citrix / Apple / etc, and you'll never hear back.


They said that Microsoft was already in the process of changing the offending code before Mozilla's report.


Well, also Firefox is making an excessive number of calls to that slow system call compared to other browsers (Chrome, Edge).


My understanding is that until recently (January), V8 (inside Chrome & Edge) made a similar number of calls. The main use is making it so that JIT-generated code is not writable while it is executing. It's an important security measure. V8 switched to a more recent mechanism (memory protection keys) that has been gradually getting support from the various OSes. But IIUC, they switched off the mprotect/VirtualProtect calls unconditionally, and added in the protection key stuff only where supported, which suggests that they left some configurations without any protection at all. SpiderMonkey (in Firefox) has not yet switched to the cheaper mechanism.

I may have some of the details wrong.

https://source.chromium.org/chromium/_/chromium/v8/v8.git/+/...
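The W^X discipline the comment describes, shown as an added example that is not V8, SpiderMonkey or Chromium code: a toy JIT code cache on Linux/POSIX where the page is writable only while bytes are being emitted and read+execute otherwise, with `mprotect` standing in for the `VirtualProtect` call that Defender's hook made expensive. The `jit_cache`/`jit_emit` names are mine, the emitted bytes are a constructed filler (never executed), and the program assumes a system that permits anonymous executable mappings. The counter makes the cost visible: every emission is two protection transitions, which is why a JIT that emits many small stubs issues so many of these calls.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy JIT code cache (example, not browser code): writable only while code is
 * being emitted, executable (and never writable) the rest of the time. */
typedef struct {
    uint8_t *page;
    size_t len;
    unsigned long protect_calls; /* number of mprotect() transitions so far */
} jit_cache;

/* Map an anonymous region in the "ready to run" state (RX). */
int jit_cache_init(jit_cache *c, size_t len) {
    void *p = mmap(NULL, len, PROT_READ | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    c->page = p;
    c->len = len;
    c->protect_calls = 0;
    return 0;
}

/* Copy freshly compiled bytes into the cache: RX -> RW, write, RW -> RX.
 * Two mprotect() calls per emission, the traffic discussed in the thread. */
int jit_emit(jit_cache *c, size_t off, const uint8_t *code, size_t n) {
    if (off + n > c->len) return -1;
    if (mprotect(c->page, c->len, PROT_READ | PROT_WRITE) != 0) return -1;
    c->protect_calls++;
    memcpy(c->page + off, code, n);
    if (mprotect(c->page, c->len, PROT_READ | PROT_EXEC) != 0) return -1;
    c->protect_calls++;
    return 0;
}

/* Check the invariant from outside the emit path: a write to the RX page must
 * fault. Done in a forked child so the parent survives the SIGSEGV.
 * Returns 1 if the write was blocked, 0 if it went through, -1 on fork error. */
int jit_write_is_blocked(const jit_cache *c) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        volatile uint8_t *p = c->page;
        p[0] = 0xCC; /* plain write attempt; the byte value does not matter */
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV) ? 1 : 0;
}

void jit_cache_free(jit_cache *c) {
    if (c->page) munmap(c->page, c->len);
    c->page = NULL;
}

int main(void) {
    jit_cache c;
    if (jit_cache_init(&c, 4096) != 0) { perror("mmap"); return 1; }
    /* Constructed workload: 32 emissions of 16 filler bytes, the way a JIT
     * emitting many small stubs would behave. */
    uint8_t stub[16];
    memset(stub, 0xCC, sizeof stub);
    for (size_t i = 0; i < 32; i++)
        jit_emit(&c, i * sizeof stub, stub, sizeof stub);
    printf("emissions: 32, mprotect calls: %lu, write blocked: %d\n",
           c.protect_calls, jit_write_is_blocked(&c));
    jit_cache_free(&c);
    return 0;
}
```

The forked-child probe is the check a reviewer would want next to any W^X claim: it proves the "executable" state is really not writable rather than trusting the flags that were passed. The per-emission cost is what a cheaper mechanism (the protection keys mentioned above, which flip permissions without a system call) is meant to remove, and it is also why an AV hook on the protection call multiplies into the CPU numbers reported in the bug.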


pkeys are hardware-specific as far as I am aware, and at least last time I tried them didn't work on hardware as recent as zen 1.


Well, it was a fast system call until MS added an AV hook to it.


My comment was only intended to add missing information to the TLDR (since this fact is important in the linked thread) not to say that Firefox is at fault.

Now that you raised it however, even if the system call used to be fast, Firefox is making an extremely high number of calls to that system call, and there's always going to be some overhead to that. There are almost certainly ways that Firefox could reduce the number of calls it needs to make.


What determines "excessive"? In this case it's for a security feature that Chrome lacks(!).


> a ~75% CPU usage reduction was noted when browsing YouTube in Firefox

I wonder how many of the people who say "Firefox is significantly slower than chrome" are using windows... On my computer, Firefox IS slower than chrome but (with ad blockers enabled) by an insignificant amount. By still being "the last remaining mostly independent, maintained and reasonably popular browser" I'd prefer to use it over chrome even if it is a bit slower.

Of course, ms is no longer the "old micro$oft" but their history on how they handle competitor browsers makes one think how much interest they could have in investigating and fixing such a bug.

My takeaway is: prefer independent software as much as you can.


I have a suspicion that lots of the "chrome is faster" is because devs optimise for chrome. The more unique and "new" the API is, the bigger the difference. Webgl is probably pretty different between browsers but nobody will bother to even look at a webgl project in Firefox. It's pretty remarkable that such complex code can run pretty well in multiple different browsers.

Another example Chrome has rel=prerender support and some libraries use it to make loading pages faster. Safari and Firefox don't support it. But it's progressive enhancement so why not use it. Result is that Chrome seems faster. There are probably many ways to make things faster on the other side but nobody will bother.


Could it be that people compare chrome without an adblocker with Firefox without an adblocker?

If I were Google, I would spend billions on making chrome showing ads really fast.


I have definitely noticed my laptop fans spinning up whenever I do Youtube on Firefox on Windows. I just figured the GPU acceleration was broken, but this makes sense. Certainly not the first time Windows Defender has consumed extraordinary amounts of system resources for simple tasks.


I've noticed that AWS Console will spin up the fans on my MBP running Firefox, specifically on the EC2 screen. None of the other Console screens spin up the fans like that. Viewing about:performance always shows the AWS tab running full tilt to the point I've jokingly assumed they're trying to spin up an instance via WASM ;-)


The "new" EC2 console is the biggest pile of crap.


it amazes me how they can release that kind of thing. something the size of AWS, and this is what gets released to the public?


On Linux I fixed issues by setting media.ffmpeg.vaapi.enabled true in about:config.

From fan noise to none on youtube/twitch - chrome never made the fans spin.


I’ve noticed Firefox getting unbearably slow when several YouTube tabs were open. Tried toggling HW accel too with no success. Yes, I did blame FF since thorium (the chrome variant I use) doesn’t suffer from the same problem.


Firefox is significantly slower than chrome.

This usually doesn't matter, but you can immediately see it in any page that

A) has a massive DOM

or

B) uses complex regular expressions that eat up the engine


I've read that a number of times now, but I have trouble matching it to my perceptions. Can you point to a specific website where you notice that slowness and then describe what action is slower? (Initial load, clicking stuff, scrolling, etc.)

Just as an example, loading jslinux.org for me in Firefox is about twice as fast than in Chrome. That might be a special case of course, because it is a very special type of workload that probably is not common on other websites. But I would love to see concrete examples of the opposite.


WebGL / Canvas heavy sites are typically significantly slower in Firefox compared to Chrome. Google Maps is a pretty good example of this.


To be fair though, Google maps is an awful beast on any browser compared to older versions.


Put 10,000 or so event handlers with their own DOM updates on a page. Chrome will run it smoothly (taking up a huge amount of RAM in the process), Firefox won't.


That's not a specific site though.


What is the definition of huge amount of RAM? How does Chrome perform when it's RAM constricted? Are we blaming Firefox for poorly designed websites?

It feels like this is a straw man constructed to bash Firefox, rather than a real world scenario.


Extremely poorly-optimized websites are far more common these days than even mildly performant ones.


Do you have an example of one with 10,000 event handlers? If the case where Firefox falls isn't real it doesn't matter that other sites suck (not arguing that fact).


For our benchmark suites at work, Firefox and Chrome generally trade back and forth on who's faster. It's not a consistent 'chrome is fastest'. I'm sure there are specific websites where Chrome dominates but I've yet to see any evidence that we're still in the bad old days where Firefox was orders of magnitude slower on important stuff.


Firefox is slower than Chrome if and only if your DNS is not responding as fast. When backed by a performant DNS server, Firefox is generally faster than Chrome.

Don't ask me how I know it.


Both of which are more issues with the website than the browser, imo.


I just ran a test at https://browserbench.org/Speedometer2.1/

Firefox scored 89.5 ±1.7

Chromium scored 87.3 ±2.9

I guess that means Firefox was faster for those tests. I don't use Chrome or Chromium based browsers in general so I don't know how they compare in "feel".

I am on Linux.


79.3±0.92 for me in Epiphany/Gnome Web

Which is a lot better than I was expecting compared to Firefox/Chromium.


I obtained 86 on Linux but I am on a very old Dell PC Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz. Firefox has 16 addons and is running in Firejail and CPU reniced.

Just for fun I also ran it on a Windows 11 mini-PC Ryzen 9 6900HX 3.3 GHz with no addons and obtained:

Edge: 291

Firefox: 196

I do not have Chrome installed but I believe Edge may be some fork of Chrome?


80-90s feels low in general, my phone gets +300 on that. Maybe some funky CPU powersave interfering with the runs?


My old android phone got 52.7±2 chrome, 51.6±0.8 in Firefox, so effectively the same.

However, I had to disable some ff add-ons to get that score (chrome had no add-ons to begin with).


Hmmm, that seems like it's going to be super situational. It hit 160 ± 1.9 in Firefox, 236 ± 5.2 in Chrome. So results are all over the map.


Just wanted to add, my hardware is old.


That's interesting.

M1 Pro 8 core

Safari: 133

Firefox: 221

Chromium: 339


Weird - Firefox seems about what I get but Safari and Chrome have always been within ~10% of each other for me on this test with an M1 and M2 (both straddling 450 if I run them right now). Extensions or power save at play maybe?


Interesting. I get 362 ±15 running Vivaldi (Chromium-based) M2 Macbook Air.


>I wonder how many of the people who say "Firefox is significantly slower than chrome" are using windows...

I have heard the most complaints from Mac and Linux users on HN and Reddit. Especially with Youtube...

Windows + Firefox is just fine in my experience. After the Quantum upgrade/version. Yes Chromium based Edge and Chrome are a bit faster, Opera and Vivaldi feel slower depending on the number of tabs.

Firefox and Edge handle many tabs the best from a performance perspective on Windows in my experience. Vivaldi is very close.

Anything without vertical tabs is impossible to use with many tabs.


I use windows and firefox for most of my browsing and I can tell you that I have definitely noticed that firefox was struggling really hard on youtube compared to chrome. I wasn't sure if chrome was just that much better or if there was something else going on.

I'm happy this was found and it's not clear if this is already patched, but hopefully it will somewhat improve performance on youtube or other sites like it going forward.


It's much much slower for me on macOS. But that's with all my extensions while I don't have as many on Chrome.


Firefox seems a little slower than Chrome on Linux but force enabling some of the GPU offload stuff seemed to help.


Firefox is slower than Chrome regardless of the OS.


On my base M1 MacBook Air FireFox is noticeably slower than Chrome/Edge/Safari.


Strange, I have the same laptop on a fast network and I can't tell the difference.


I can't tell the difference either even with all the add-ons I use. FF runs great on my M1.


It's not just Windows that it's worse on though. It doesn't perform well on macOS either. It's not as bad as it used to be when it had a horrible power draining interaction with display scaling on macOS, but it still isn't as efficient as Chrome or Safari.


I use all three browsers (FF for personal, Edge for work and on my Surfaces, Chrome on my chromebooks). Edge on Surfaces is the fastest and tbh these days I like Firefox over Chrome in every way, and don't notice a speed difference. I consider myself a power user, for what it's worth.


Windows Defender is a long standing bug in the Windows operating system. ;)

My impression is that its invention was for the sole purpose of eradicating the idea that Windows is insecure and prone to viruses, which explains why it can be overzealous and CPU hungry.

I would only enable it for family members who don't know what they are doing. For some reason, I haven't needed any form of active virus scanning in something like 15 years. If it turns out I've been infected this entire time, the criminals sure are taking their time stealing my money, etc.


There's a misconception that you need to do something "stupid" to get a virus which is simply not the case. 0 days exist, and worms are still a thing (looking at you samba).

A great example is Pytorch just recently had a supply chain attack, and installing the nightly version between December 25th and December 30th, 2022 - would result in your home directory getting uploaded including ssh keys.

Chrome also just had a 0 day 2022 - CVE-2022-3075

Pytorch supply chain attack via Triton 2022/2023 - https://www.bleepingcomputer.com/news/security/pytorch-discl...

EDIT: Also there's a misconception that linux somehow doesn't get viruses - however the Pytorch attack affected linux users. Making a virus for windows gives you far more targets than linux, which is why they're far more common.


There will always be 0 days out there, but they will always be very expensive and rare. If you have the resources to buy or find a 0-day, you definitely won't blow it by executing known malware, or other stuff, which falls under the detected by AVs. I really don't think that having AV installed will protect any user from a 0-day.

On the other side, you install a very invasive AV software, which runs as a privileged user and intercepts everything that's happening on your system. They even make a great target for malware by themselves. Just recently ClamAV had a bug in its file scanner, which led to an RCE: CVE-2023-20032


> 0 days exist,

And they're almost exclusively used in targeted attacks against valuable targets, because burning a 0-day to hack grandma's old laptop and steal her facebook password isn't a particularly good investment.


> A great example is Pytorch just recently had a supply chain attack, and installing the nightly version between December 25th and December 30th, 2022 - would result in your home directory getting uploaded including ssh keys.

Do you think Defender would have helped with that? I'm highly doubtful.

What would probably have, is if MS's implementation of protected folders, or whatever it's called, wouldn't have been completely brain-dead.

> EDIT: Also there's a misconception that linux somehow doesn't get viruses - however the Pytorch attack affected linux users. Making a virus for windows gives you far more targets then linux, which is why they're far more common.

That's correct. But at least on Linux, if you're so inclined, you can spend a couple of hours setting up some AppArmor or SELinux profiles to prevent random crap from accessing ~/.ssh and ~/top-secret.


This is true, but the overwhelming majority of malware on non-tech savvy peoples systems are going to be from silly things, like downloading and running a malicious executable, and not from 0 days.


Would windows defender have protected against this?


windows users will also happily "run as administrator", while a lot of linux users know not to do that in my experience


Yes, I have an absolutely pristine record and I have never, ever copy-pasted a script from the internet with sudo, or piped curl into bash because I'm lazy and I trust most github READMEs. Never.


I have literally never done this and do not understand why anyone would.

Installing software to the system should be handled by a package manager, but if you must install something like this, just throw it in a tmpfile and inspect the script before running it.

I know the response to this will be "but the things the script downloads and installs could be malicious", and while this is true, so long as the sources in the install script are fine, I consider this to be a separate issue (but still a big issue).

The issue of trusting source code or binaries is a thing but it doesn't justify copy pasta'ing random scripts in the shell.

Another thing to take note of: in the past there have been bugs in terminal emulators that allowed pasting certain characters that made the text look completely different than what it actually was, so pasting "ls $HOME" could have actually been "rm -rf ~/" for example.
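A pre-run check for the two points in this comment (save the script to a file and inspect it; pasted text can render differently from what the shell receives), added here as an example and not code posted by the commenter. It scans a file for the characters that make rendered text and executed text diverge: bidi overrides and isolates, zero-width and invisible characters, and C0 controls such as ESC that drive terminal escape sequences. The list of flagged code points is my own selection, the function names are mine, and the sample strings are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode one UTF-8 sequence from s (n bytes available). Returns the number of
 * bytes consumed, or 0 if the sequence is malformed. Overlong and surrogate
 * forms are not rejected here; they are rare in scripts and not the point. */
static size_t utf8_decode(const unsigned char *s, size_t n, uint32_t *cp) {
    if (n == 0) return 0;
    unsigned char b = s[0];
    size_t len;
    uint32_t v;
    if (b < 0x80) { *cp = b; return 1; }
    if ((b & 0xE0) == 0xC0) { len = 2; v = b & 0x1F; }
    else if ((b & 0xF0) == 0xE0) { len = 3; v = b & 0x0F; }
    else if ((b & 0xF8) == 0xF0) { len = 4; v = b & 0x07; }
    else return 0;
    if (n < len) return 0;
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        v = (v << 6) | (s[i] & 0x3F);
    }
    *cp = v;
    return len;
}

/* Code points whose presence in a script about to be pasted deserves a second
 * look (selection is mine): bidi controls reorder what is displayed, zero-width
 * characters hide in identifiers, C0 controls drive the terminal itself. */
int is_paste_hazard(uint32_t cp) {
    if (cp >= 0x202A && cp <= 0x202E) return 1;                   /* LRE RLE PDF LRO RLO */
    if (cp >= 0x2066 && cp <= 0x2069) return 1;                   /* LRI RLI FSI PDI */
    if (cp == 0x200B || cp == 0x200C || cp == 0x200D) return 1;   /* zero-width */
    if (cp == 0x00AD || cp == 0xFEFF || cp == 0x2060) return 1;   /* soft hyphen, BOM, word joiner */
    if (cp < 0x20 && cp != '\n' && cp != '\t') return 1;          /* ESC, CR, NUL, ... */
    if (cp == 0x7F) return 1;                                     /* DEL */
    return 0;
}

/* Count hazards in a buffer. Malformed UTF-8 counts as a hazard too, because the
 * terminal and the shell may disagree on how to interpret it. */
size_t count_paste_hazards(const char *buf, size_t n) {
    const unsigned char *s = (const unsigned char *)buf;
    size_t i = 0, hazards = 0;
    while (i < n) {
        uint32_t cp;
        size_t len = utf8_decode(s + i, n - i, &cp);
        if (len == 0) { hazards++; i++; continue; }
        if (is_paste_hazard(cp)) hazards++;
        i += len;
    }
    return hazards;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        /* Constructed sample: reads as "ls $HOME" but carries a right-to-left
         * override (U+202E) between the command and its argument. */
        const char sample[] = "ls \xe2\x80\xae$HOME";
        printf("hazards in sample: %zu\n", count_paste_hazards(sample, strlen(sample)));
        return 0;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    size_t cap = 1 << 16, n = 0, r;
    char *buf = malloc(cap);
    while (buf && (r = fread(buf + n, 1, cap - n, f)) > 0) {
        n += r;
        if (n == cap) { cap *= 2; buf = realloc(buf, cap); }
    }
    fclose(f);
    if (!buf) return 2;
    size_t h = count_paste_hazards(buf, n);
    printf("%s: %zu paste hazard(s)\n", argv[1], h);
    free(buf);
    return h ? 1 : 0; /* non-zero exit so it can gate a script in a pipeline */
}
```

Run it on the tmpfile before opening the script in an editor: a clean script exits 0, anything flagged exits 1 and names the count, which is a cheap gate to put in front of `sh ./install.sh`. It deliberately does not try to judge what the script does, only whether what you will read on screen is what the shell will get.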


I usually double check before running stuff as sudo, and piping into bash I don't really ever need (AUR). My heart goes out to those on distros where that's the way to distribute software.


AUR is perfectly safe. Got it.


Honestly... I'm far more afraid of my $HOME being uploaded somewhere. You don't need "run as administrator" for that.


> You don't need "run as administrator" for that.

This is what makes it so doable since you don't need any privilege escalation.

The reason why this is a big deal for a lot of people is your ssh keys will give you access to your git repos and other servers unless you have them password protected or use gpg/sk ssh keys which I think a lot of people don't do.

And of course if you can see the known hosts file/bash_history you'll likely have access to more servers to propagate to.

Also things like your browser cache is stored there.


Plenty of dangerous things stored in `~/`, they don't even need password for ssh-key if there is ssh-agent running (this is in case of dangerous process running, not just upload).

This is why I store keys on a hardware key that requires me to touch it when used and manually start ssh-agent when doing a lot of `git push`.


Yeah gpg/sk ssh keys are definitely the way to go.


>a lot of linux users know not to do that in my experience

README.md : "to get this to work, curl or wget the following script and run it as sudo"

Linux users: Aye


That is programmers etc using Linux, yes. Casual users won't touch the terminal.


In my experience, there are relatively few casual users of Linux.


It's decent enough in the past 8-10 years that I don't bother with much free antivirus on my own or others' machines in the current year. It's a far cry from the Windows XP / 7 era where it was fucking useless and people got Ransomware or Rogues pretending to be AV's every other Tuesday just from using google images. Nowadays it is simply adequate for most people.

At this point the only other antivirus I bother keeping an install of on my personal system is Malwarebytes free in case things really go tits up and I need to run it and rkill from safe mode.


> who don't know what they are doing.

I think this would describe the majority of computer users. And the majority of computer users are also using Windows.

> I haven't needed any form of active virus scanning in something like 15 years

Microsoft Defender antivirus was released alongside Windows 8 in 2012. And it's essentially a rewrite of Microsoft Security Essentials which came included starting with Vista. If you haven't been explicitly disabling it, which your comment sounds like, you've been running one without knowing it for 16 years


>Microsoft Defender antivirus was released alongside Windows 8 in 2012. And it's essentially a rewrite of Microsoft Security Essentials which came included starting with Vista.

Not quite.

Windows Defender was released together with Windows Vista, this was very rudimentary and only handled malware and spyware not unlike Malwarebytes, it did not handle viruses.

Microsoft Security Essentials was released standalone sometime during Windows 7's era, this was fully fledged anti-virus.

Microsoft Security Essentials was renamed Microsoft Defender and bundled with Windows starting from Windows 8, where it has stayed to this day.


The guts are the same across these systems (defender, mse, forefront, etc). They use the same engine but it used to be defender only received antispyware signatures. There are some features on top but basically these are just wrappers around the same platform.

The original team that worked on this was awesome but a bunch of bad managers came over from Exchange and ruined it.

source: worked on this several years ago


You're right I was wrong about MSE which was the Windows 7 era. But Windows Defender was released in 2005 and was a rebrand of Microsoft AntiSpyware, which itself was a rebrand of GIANT AntiSpyware.

The version of Windows Defender that came with Vista was a bit different and included realtime scanning when executables were run.


They bought out the best AV product on the market, and initially it was amazing. They even improved on it at first, but then it started aging into the turd that is now Defender.


> I would only enable it for family members who don't know what they are doing.

The problem is that this also includes most people who think they know what they’re doing. We’re in the middle of a big change in how general purpose computers work and it’s basically driven by accepting that people make mistakes, trusted sites or things like their URL shorteners or social media are compromised periodically, etc. Maybe you’re really good at never visiting dodgy websites, always use an ad blocker, etc. … but have you never installed the wrong Python, NPM, etc. package by mistake?

Short term, something like Defender makes sense for most devices used for web or email. Longer term, I think we need more focus on sandboxing, hardware MFA, etc. so we aren’t using systems so brittle that everything just falls apart if you make a mistake. I don’t want the entire world to be iOS but the status quo sucked more.


Defender is designed to tick a box on enterprise security checklists. That is about all it really excels at. It keeps IT people happy because they don't have to deal with a third party for their shitty AV.


> The sole purpose of eradicating the idea that Windows is insecure and prone to viruses

Well, during Windows XP days if you connect to a LAN with compromised devices (in some countries it was popular to just hook up the entire neighborhood to a series of switches or poorly managed office network) before you install every single update possible - too late, your machine is part of the botnet.

Also, some environments require antivirus running for certification even if the machine in question is a linux server with read-only volumes.


Defender was invented to remove the need for other third-party anti-virus scanners that would do even worse intrusions in the system than the example in TFA, giving Windows a bad rep.

Originally it was a lot less hostile; over the years it has itself become the villain it tried to fight.


I always disable Defender on my Windows machines as it eats both CPU and disk cycles for no reason, slowing things down to a halt. Was really noticeable on my Surface Book, which was otherwise a great machine.


It was consuming 25% of CPU while I was rendering a frame with Arnold on 3D Max. Thankfully, I'm not a professional (and thankfully, I moved to Gentoo).


Random thought:

I am not sure what the at-scale energy use reduction of this bug fix will be, but...

If I had a pile of money I would consider creating a special bug bounty style program for energy use reduction.

This might be a very efficient way to reduce carbon output from personal and data center computing.


Funny how that sort of thing can work out. I was involved in an industrial optimization company years ago. Microsoft came out with power-save features in their new release.

The staff at a metal-recycling company we were installing at, started complaining that the furnace would stop optimizing overnight. We investigated.

The controller computer would go into power-save mode, which suspended our control app. So the furnace would just sit there wasting power and burning up electrodes.

I calculated that during that week our furnace site wasted more power than all the power saved in America that year with power-save mode.

It would literally have been better if they'd never invented power save mode.

So be careful how much fiddling around we do. The law of unintended consequences will bite you in the butt every time.


Isn't this more a failing of the operator: using a consumer grade OS for an industrial case?


Be very careful what you define as “consumer grade”; Microsoft officially positions variants of Windows as professional, industrial and enterprise grade.

Linux as she is written comes with no warranty of anything, it is much more “consumer grade” than those variants of windows.

I think even enterprise linux does not come with support for industrial applications.

(I say this as a huge proponent of Linux supremacy)


I cringe whenever I see a BSOD or other usage of Windows on appliances in public. There are such better options available.


>There are such better options available.

Meh, I see Ubuntu black screens in public appliances as well.


All options are bad.

As a species, we're incapable of making a good operating system.


Worse: a consumer grade OS with a reputation for blue screens and random reboots, remote updates and other niceties that you really don't want when you're controlling real world hardware.


Such distinctions were not so available back then.


Absolutely they were. Plenty of real time options since the 80's.


> It would literally have been better if they'd never invented power save mode.

Only if you considered the purpose of power-saving mode to reduce total energy usage, vs to reduce amount of power (and consequent wear & tear) an individual machine uses. However that MS would release a feature like that which automatically kicks in on upgrade without any sort of consideration of what the machine was used for - it could be running life-support systems! - seems an issue. But I'd also expect a fair bit more diligence on behalf of engineers responsible for monitoring and maintaining systems that need 24x7 uptime.


>it could be running life-support systems!

I shudder at the thought that a critical piece of life-support anything would be running a Windows-based OS.



> it could be running life-support systems!

Life support systems don't run windows. And if you're running consumer windows on anything critical, you fucked up.


Sounds like the original use case was an example of something critical enough that it shouldn't really have been running on such an OS.


I found a large company was publishing windows server templates to its private cloud clients with power saving mode enabled.

The issue I was originally investigating was SQL timeouts; turned out the virtual servers were putting their virtual nics to sleep.


Certified Green Cloud!


Or… the controller app could be written to prevent suspension via available APIs. If that wasn’t an option, you could turn off power saving mode on the computer as well.


Power save was a new thing. We were all learning.


>So be careful how much fiddling around we do. The law of unintended consequences will bite you in the butt every time.

Also known as: If it ain't broke, don't fix it.


> for energy use reduction

This can be a dangerous objective. There are already changes going into Windows 10+ regarding the OS scheduler [0]. Windows 11 is also noted as having an even more aggressive policy. How much longer before old games stop working correctly and we have to have MS-signed binaries to get 1ms timer resolution?

Obviously, we don't want to poll aggressively whenever we can avoid it, but there are also a lot of practical UX & technological reasons to have this capability.

[0]: https://learn.microsoft.com/en-us/windows/win32/api/timeapi/...


I agree. Windows Defender and Gatekeeper on macOS both have pathological performance characteristics in some cases -- $$$ should act as a good incentive to figure them out.


Well, Windows Defender is the single largest CPU hog I've found on these low-end Cherry Trail/Silvermont/Goldmont/etc. tablets.

Particularly when Windows Update kicks in, the CPUs go to 100%, the thing overheats, and it is generally absolutely unusable as it downloads and scans/etc. the update it's preparing. The devices go from usable but slow, to put-it-down-for-a-couple-of-hours-cause-you-won't-get-anything-done levels of usability.

Disabling windows defender for the 24 hours (or whatever it takes) before windows decides to turn it back on, is the single largest performance hack I've found to make those devices run reasonably. Guess this "bug" just reinforces that fact.

Maybe someone should donate a few to MS's windows engineering teams so they can enjoy the monster they have created running on the low end hardware that is still being sold.


Re:24h

If you disable it and leave the security window, it automatically turns on again. It's bullshit.


This just reminds me of the constant "things worked so fast on my Windows 95 machine back in the day with 16MB RAM". Meanwhile any piece of software could crash your PC, and it did so regularly (I still keep spamming save in software because of those days), and the internet was a Pandora's box.

I wonder how much overhead in modern OS/PC user experience comes from security/stability abstractions and tools.


I think it mostly comes from the fact that computers are so fast now that people write apps without worrying too much about performance - apps have always grown to use whatever resources are available. But when your app had to run on a Pentium with 16MB of memory, you actually had to work hard on performance because you had such limited resources.


Yes but people have this nostalgic rose tinted glasses of software from that era - it was hot garbage that crashed all the time because they had so many constraints. Yeah GC introduces a bunch of overhead - but it also means you don't get segmentation faults, memory corruption, etc.

Modern software is much more reliable than the software from that era, people nowadays complain when a button isn't working - back then a button could randomly freeze my entire PC.


> it was hot garbage that crashed all the time because they had so many constraints

Correlation != causation. I started using PCs heavily in the mid 90s, and yes "Illegal Operations" were abound. However, the SDLC has also come a long way with testing, automated QA, etc. Back then there was a lot more "wild west" going on for both hardware and software. Generally, practices are much more mature by default nowadays.


But that's my point - the kind of constraints they had back then was not at all how we build software nowadays.

I remember people debating using global variables back then - I haven't seen a team not using unit testing in years. Scaling code up to multiple contributors, standardizing abstractions, building for automated testing, etc. We've taken many tradeoffs in the direction of development scalability and stability/correctness at the expense of performance and simplicity.

I still see people praising the Visual Basic form builder - I think those were the kids that started doing dev with that and were impressed they could put dialogs on a screen. I think it would be extremely hard to find someone who maintained a nontrivial app with that code-behind shit and thought it was a good idea.


And computers are so vastly different. We have these layers upon layers to deal with these differences. Back in the day it was just DOS and 386/486, then optimize the crap out of it. Even Doom had its sound stuff done through a compatibility layer. Nowadays you need to deal with multiple video cards and OSes and processors. Just easier to make a one-and-done solution and leverage it.


>(I still keep spamming save in software because of those days)

muscle memory prevents me from being able to type a semicolon without cmd-s being the very next keys typed.


I've experienced a bug related to the on-disk real-time scanning of Windows Defender, but instead with 100% disk bandwidth usage for unreasonable amounts of time.

I purchased a license of a proper antivirus software to avoid that bug and the performance issues went away.

When you install another AV software, Windows Defender steps down and leaves scanning to the 3rd-party security solution. I selected one of the most lightweight ones I could find. It has been a net win for me.

One shouldn't need to do this, but it has worked so far, for years now.


> I purchased a license of a proper antivirus software

Which is that? For years (and come to think of it, this goes back to the 2000's or even 90's), AV / antimalware software comes across as scareware, using tricks to ensure you're afraid of not having it.

And second, who here has ever had a virus in the past ten years?


> Which is that?

I purchased a license of ESET Internet Security, and full disclosure: back in early 2017, I worked at an ESET-licensed reseller as a Presales and Support Engineer, so I know how to fine-tune it and all the ins and outs.

By nature, it's very lightweight (330 Mb RAM footprint), but you can fine-tune it even more if you want.

> And second, who here has ever had a virus in the past ten years?

We the people at HN are tech-savvy and of course will not get infected, but recently I spotted malware out-in-the-wild via Facebook Ads[0].

Your usual grandma/grandpa using the computer to connect with loved ones and play Candy Crush Saga will get infected, if they are not by now.

Some people tell me: "bUt tHaT'S BeCaUsE ThEy aRe vIsItInG WeIrD SiTeS," well, even if you stick to the common social media sites and usual news sites, you will get infected.

I cannot emphasize this enough, but you're responsible for your own computer, so I will not proselytize you into purchasing AV software.

--

[0]: https://twitter.com/IvanMontillaM/status/1604308301579051009


>Some people tell me: "bUt tHaT'S BeCaUsE ThEy aRe vIsItInG WeIrD SiTeS," well, even if you stick to the common social media sites and usual news sites, you will get infected.

I recall reading a study a few years back saying how it's safer to browse porn sites than it is to browse what most would call "common" sites such as retailers.


Interesting, my assumption would be that porn sites must clean themselves from that malware-ish reputation, whereas "common" sites with low-end ad networks don't have it (but they are prone to gain it, because of careless/negligent ad bidder verification).


> By nature, it's very lightweight (330 Mb RAM footprint)

Unless you really mean megabits, 330MB for AV doesn't seem low as I've seen Windows Defender use roughly the same.


You can't leave us without sharing the nod32 tuning tips


I agree AV software is essentially useless malware, but as to "who here has ever had a virus..." - well - the botnets are running somewhere.


There are some performance benchmarks for AV products:

https://www.av-comparatives.org/tests/performance-test-octob...

https://www.av-test.org/en/antivirus/home-windows/windows-10... (less useful..)

AV comparatives has some other tests also that might be of interest to HNers:

https://www.av-comparatives.org/tests/uninstallation-test-20...

https://www.av-comparatives.org/tests/false-alarm-test-septe... (reason why you might not want to pick the fastest product..)


Indeed, I wouldn't install anything from McAfee if you paid me to, given the way it automatically installs itself along with various other unrelated applications and the number of phishing emails claiming to be from McAfee (which presumably exist because their creator is aware of how often McAfee itself pushes similar messages out).

I can't actually remember the last time any anti-malware software (built-in or otherwise) actually detected anything like a traditional virus, but there are plenty of computer users who are rather more trusting of links (including ones that download executables) in emails and the like. I don't doubt if I used a machine with all protection turned off and with the level of caution of a typical non-technical user it'd be hit with malware sooner or later. Most likely a browser plugin capable of reading passwords as I type them etc.


> I've experienced a bug related to the on-disk real-time scanning of Windows Defender, but instead with 100% disk bandwidth usage for unreasonable amounts of time.

Sophos does this on my work laptop with depressing regularity. At this point I just go grab coffee when the fans max out, cause I know the disk is similarly pegged and it'll be about as snappy as a bogged down Windows 98 machine until it finishes.


I experience the same issue on my laptop, and I've come to think it might be every time the memory gets swapped out. Sophos seems to interfere when the memory is read back from disk, which is annoying and frustrating.


I stopped using windows and moved to Fedora and Mac when I faced the same issue you faced. Cannot trust windows after shipping this perf bug and the modern standby bug.


Is Windows Defender even worth enabling?

It eats up a lot of CPU. It doesn’t seem like much help in a default update enabled system where you are using a regular user account instead of an administrator account.

In addition, anti-virus and real time scanning is itself potential surface area for an exploit (for example a few years back there was an exploit based on Norton antivirus email scanner).


How many threats has it detected for you? I ran it for a decade or so and it caught exactly zero, so then I decided to disable it, because it makes file system access about 5-10x slower than it can be on my NVMe drive. Not bandwidth, but I/O syscalls. So things like node_modules become a real pain.


Yes.

It uses next to no system resources (issues like this aside), it integrates perfectly with Windows (it comes from Microsoft, after all), it's reasonably effective (to the chagrin of AV vendors the world over), and it isn't intrusive.


Yes. If you exclude all the issues with resource use, it uses none.


It's definitely as intrusive as other AV products, with Microsoft's push for more telemetry collection.

But it does integrate with the system well since it's from Microsoft.


> Is Windows Defender even worth enabling?

For me, no.

I grew up in the era of internet wild-west and I understand why some of us still feel the need to operate with multiple levels of (perceived) safety even today.

That said, I think most of it is really foolish crap now. The sorts of exploits that are out in the wild that you should actually worry about will go right through defender like a modern bunker buster.

It's really upsetting to me when you think about how much performance/energy/UX latency/frustration/et. al. is being spent in hopes of achieving a minor incremental improvement in security. Windows defender == TSA for your PC.

If you know to not download & run executable files from sketchy websites, you are basically already at the limits of what defender is effectively achieving on your local machine.


I don't think you can disable it anymore in recent versions of Windows unless you install another AV software.


You can disable it. First you have to disable the tamper protection and real time protection in the GUI. Now the real time protection will come back automatically in some time, unless you do the following.

If you have a Pro version of Windows there is a group policy setting for it. [1]

If you have Home, you can achieve the same effect by manually tweaking the registry. [2]

--

[1] Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Real-time Protection

[2] HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\"DisableRealtimeMonitoring"=dword:00000001


Thank you, I just disabled it on my fully offline game system. Hopefully a few games that previously crashed will work now :/.


Getting rid of Defender is one of the best reasons to buy 3rd party AV.


3rd party AV is worse than defender


Enable it on your parents PC but you shouldn't need it.


Windows Defender is worse than nothing but in recent versions of Windows it is enabled by default, very difficult to disable, and may get re-enabled at any future software update.


Every security app seems to have problems like this all the time, and they never seem to be able to detect them themselves. Security software that didn't suck would be a huge opportunity, and yeah as others have alluded too, a huge carbon emission reduction!

I had two different IT mandated apps taking up a total of 3.5 complete CPU cores for a week before I undocked and noticed the fast battery drain. On an M1 no fan blast to alert me. It's a terrible terrible state of affairs.


As an experienced one-person IT department: "Antimalware Service Executable" has turned our laptops into rockets since always.


I remember some people reporting that their old PCs with unsupported CPUs got a high CPU usage after installing Windows 11, and I remember some people saying that it was because they lacked TPM, which increased the CPU load. But it turned out to be just a bug, didn’t it? After all, features like memory randomization that require TPM couldn’t be enabled on Windows 11 anyway, and similar CPU usage spikes were seen on Windows 10 as well.


Memory randomization shouldn’t require a TPM.


Biggest headache with Windows Defender is its abysmal single-threaded IO bottlenecking. Writing a large number of files to disk? Windows Defender will be busy slowing down every single one of those writes as it scans... wouldn't be so bad if it didn't do so on a single thread. I have 10 cores, use them!


Orders of magnitude slowdown of mmap() on *nix platforms would never be accepted by users or developers on *nix. Seems the expectations are quite far gone in the malware-ridden win* world.


A bug pending for 5 years, wow


Defender's Real-Time feature also creates 100% CPU usage when burning a Windows To Go ISO using Rufus. Need to turn it off or things will go slowly.


I suffered because of this problem until I remembered that it's possible to exclude firefox.exe process in defender.


Windows itself causes high CPU usage.

If you don't believe me, try XFCE on Linux. You will see how fast your computer truly is.


I’ve found many of these bugs and defender would frequently peg cpu and I’d have to disable it.


Windows Defender itself is a bug that causes high CPU usage, by design. ;-)


Wait so they… they have a hook in the mmap() equivalent that allows AV software to scan new pages mapped as executable? I see the reasoning but damn does that feel cursed.


It used to be possible to disable real-time protection but now it's not. The UI toggle is only for a limited time and the Group Policy option doesn't work anymore.


It appears you would like to take a trip into the windows dark forest.

Complete removal of windows defender on retail OS is feasible if you can figure out how to elevate a prompt to trusted installer. Alternatively, if you run Windows Server, you can use Remove-WindowsFeature to get it gone for good.

I have a script that accomplishes this, but I hesitate to share it because I don't want some asshole at Microsoft to patch it.


The gpedit option to disable the real time component continues to work. The toggle for disabling all of it doesn’t.


Try `Set-MpPreference -DisableRealtimeMonitoring $true` from admin powershell.


I think I have been experiencing that! I just turned off realtime protection, it's useless anyway and I think it cripples filecopy performance too.


I knew I wasn't hallucinating about windows defender.


Does anyone know if MS have released any further information besides what's mentioned in the bug report? Specifically any patch information.


If Firefox engineers spent more time on Firefox bugs, maybe we would be able to fully use MS Teams and other important for work video conferencing apps on Firefox. (Hey, don't take me too seriously.)


TL;DR?


It was also fixed with a definition update in Windows Defender some time last month, so you probably have the update since these happen in the background and don't require any restart. You can check by going to:

    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{BUNCH-OF-NUMBERS}

Right click `mpengine.dll`, choose Properties, click the Details tab, and check to see if Product Version is >= 1.1.20200.3. Mine is 1.1.20200.4 and was updated in mid/late March. If the version is less than 1.1.20200.3, you can manually trigger a definitions update in Windows Defender under Virus & Threat Protection.
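An added example, not from any commenter or from Microsoft: a PowerShell audit that does the checks described in this thread from one prompt, comparing the engine version against the 1.1.20200.3 threshold named above, reading the `mpengine.dll` file version from the Definition Updates folder, and reporting whether real-time protection is running or has been switched off through the `DisableRealtimeMonitoring` policy value given earlier in the thread. It assumes the built-in Defender module (`Get-MpComputerStatus`, `Update-MpSignature`) is available, which it is on current Windows builds.

```powershell
# Added example: audit Defender engine version and real-time protection state.
# Assumes the Defender PowerShell module is present. The threshold is the engine
# version the comment above names as the first one carrying the fix.
$FixedEngine = [version]'1.1.20200.3'
$DefinitionRoot = 'C:\ProgramData\Microsoft\Windows Defender\Definition Updates'
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'

function Get-DefenderFixStatus {
    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion

    # Same check as right-clicking mpengine.dll, done by reading the newest copy.
    $dll = Get-ChildItem -Path $DefinitionRoot -Recurse -Filter 'mpengine.dll' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $fileVersion = if ($dll) { [version]$dll.VersionInfo.ProductVersion } else { $null }

    # Policy value from the thread; an absent key means no policy override.
    $policy = Get-ItemProperty -Path $PolicyPath -Name 'DisableRealtimeMonitoring' -ErrorAction SilentlyContinue
    $disabledByPolicy = ($null -ne $policy) -and ($policy.DisableRealtimeMonitoring -eq 1)

    [pscustomobject]@{
        EngineVersion         = $engine
        MpEngineDllVersion    = $fileVersion
        HasVirtualProtectFix  = ($engine -ge $FixedEngine)
        RealTimeProtectionOn  = $status.RealTimeProtectionEnabled
        DisabledByPolicy      = $disabledByPolicy
        SignaturesLastUpdated = $status.AntivirusSignatureLastUpdated
    }
}

$result = Get-DefenderFixStatus
$result | Format-List

if (-not $result.HasVirtualProtectFix) {
    Write-Warning "Engine $($result.EngineVersion) predates $FixedEngine; run Update-MpSignature to pull the fixed engine."
}
if ($result.DisabledByPolicy -or -not $result.RealTimeProtectionOn) {
    Write-Warning 'Real-time protection is off; the CPU-usage fix is only relevant once it is re-enabled.'
}
```

Run it from an elevated prompt; reading the policy key and the Definition Updates folder can fail silently otherwise, in which case the file-version field comes back empty.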


Firefox engineers discovered a Windows Defender bug that causes high CPU usage.


"This problem has two sides: Microsoft was doing a lot of useless computations upon each event; and we are generating a lot of events. The combination is explosive. Now that Microsoft has done their part of the job (comment 82), we need to reduce our dependency to VirtualProtect. Bug 1822650 in particular will help with that."


Firefox engineers discovered a bug in Windows Defender that causes high CPU usage.

