On my new Lenovo T16 laptop that has Windows 11 23H2 I have huge antivirus test script result times (ranging from 450ms to a few seconds; the longest was 10 seconds). As mentioned, the cause is the antivirus (built-in Windows Defender). So I added exclusions for the process name, and nothing changed at all. I added some folder and file exclusions, nothing, as if the exclusion settings are ignored completely. I checked group policy and local group policy, nothing is forced, so it should be fine.
Then I disabled WiFi and test times dropped to 100ms almost consistently. This triggered some ideas, so I re-enabled WiFi and disabled "Cloud-delivery protection" and "Automatic sample submission", and this got me to 70ms. Further disabling "Real-time protection" got me to around 50ms for assembly load time. Exclusions are ignored as far as I can tell, because the numbers don't change whether LinqPad8.exe is excluded or not.
In the meantime I ran into some articles that 23H2 causes CPU performance problems and Windows Defender is to blame, and there are some PowerShell commands to restart Windows Defender, but it didn't work for this issue.
Does anyone here have 23H2 and have this working correctly?
To me it looks like exclusions are completely ignored, and it sends every generated temp.dll file as a sample to online servers for scanning.
I have a newly installed laptop and this is now getting on my nerves, especially since the laptop works flawlessly and is fast otherwise. The only solution that I can think of is to disable "Cloud-delivery protection" and "Automatic sample submission".
With realtime protection disabled, 50ms is still 100 times slower than your old laptop. Have you checked for I/O contention on your hard drive from other processes? On new laptops, there's often a lot of updates and scans going on in the background. One way to check is with Task Manager, Show All Processes, Details, select columns and choose I/O bytes read/written (there may be a better way).
Nothing seems to be using the disk (I've checked what you suggested), and everything else works much faster than on the old laptop. It's not that new anymore; I started setting it up 10 days ago, so it had time to analyse, scan and index everything. And the disk in tests shows nice speeds, as a modern NVMe should.
Writing that DLL file from your script is fast, but when reading starts (assembly load), MsMpEng.exe takes over, and that is very visible in Process Monitor. Its time matches the delays shown in the script results.
What is even stranger is that on the old Windows 10 laptop I have Malwarebytes installed, and with it the times are 10ms. When I exit Malwarebytes then it is briefly 0.1ms while transitioning to Windows Defender, and when it takes over it is 20ms, so two times slower (but with every option turned on in Windows Defender). Also exclusions are respected, and when LinqPad8.exe is excluded it drops to 0.1ms.
On the new laptop I also tried with Malwarebytes, even with ESET, but whether they work or Windows Defender works, the times are the same. It's like Windows Defender works in parallel with them even when it shouldn't.
With Windows Defender on, even with the LINQPad process added as an exclusion, I see times ranging from 400-700ms.
If I turn off "Cloud-delivered protection", the times drop down to the expected 20-40ms.
I've also checked on another colleague's new laptop who also installed Win 11 23H2, and he is experiencing the same issue. So it's not only my laptop. He also gets 500ms loading times in this test, and Windows Defender exclusions don't work. Turning off "Cloud-delivery protection" and "Automatic sample submission" helps a bit (80ms), but not as much as when an exclusion would be applied. So basically the same issue as mine.
We also tested on another colleague's laptop who has Win 11 22H2 with all updates for that version, and he doesn't experience this issue; it works the same as on my old laptop with Windows 10 22H2. When exclusions are applied, loading time is less than 1ms, and without exclusion (when Windows Defender does its job in full) loading times are not that high (20ms compared to my 500ms).
Found this page while trying to solve this exact problem on my new high-end HP ZBook laptop. Times in the 400-800ms range, exclusions have no effect. Replaced Defender with Malwarebytes; if anything, times seemed even slower.
Addendum: Went back to Defender, disabled "Cloud-Delivered Protection" and can verify that times are in the 80-100ms range. Disabling "Device Security"->"Core Isolation"->"Memory integrity" reduces times to around 30ms. Still 10x slower than expected for a high-end G10 laptop.
Hi, I worked with this test as well. Such a great tool! We use Symantec. For Symantec, folders (with sub-folders) can be excluded (that is a bad idea because a virus could find out what folders are excluded, simply by guessing some candidates like). One thing is interesting for LINQPad 8 64-bit.
If you add a line
Directory.GetCurrentDirectory().Dump();
the output surprisingly is:
C:\Users\\AppData\Local\Temp\LINQPad8_hqpnhwjq\shadow-1
instead of the folder where the query file is stored.
So all DLL files in the test will be created in this folder, which in my case is not excluded.
So even if I store a query in my exception folder, this will not work.
I tried the same with a Visual Studio C++ project.
More precisely: it will create the file in the process's current directory. For the Windows shell this is the folder of the executable. From cmd it is the current directory of cmd. So it is bad practice to use relative file paths instead of fully qualifying them, but for the purpose of the test program it actually helped reveal the issue.
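Two findings in this thread can be checked locally rather than guessed at: the opening post's observation that process and folder exclusions seem to have no effect, and the point just above that a relative path lands in the process's current directory (for LINQPad, a shadow folder under %TEMP%), not in the folder the query lives in. The following PowerShell script is an added example, not part of the thread or of LINQPad; it resolves where a relative file name would be written by the current process, compares that against the exclusions Defender actually has configured, and prints the cloud, sample-submission, real-time and running-mode settings the posters toggled. It assumes the Defender cmdlets Get-MpPreference and Get-MpComputerStatus are available (they ship with Microsoft Defender Antivirus), that the file name 'temp.dll' is a placeholder for whatever the test writes, and, to my knowledge, that memory integrity (core isolation) is reflected in the DeviceGuard registry key shown. Run it from an elevated PowerShell on the machine under test.

```powershell
# Added example: audit why a Defender exclusion may not cover the file a test writes.
param(
    # Placeholder for the relative file name the test script creates.
    [string]$RelativeName = 'temp.dll'
)

# 1. Resolve the relative name the way the process would: against its current
#    directory, not against the folder of the source/query file.
$cwd      = [System.IO.Directory]::GetCurrentDirectory()
$fullPath = [System.IO.Path]::GetFullPath($RelativeName)
Write-Host "Process current directory      : $cwd"
Write-Host "'$RelativeName' would be written to : $fullPath"

# Approximates Defender's folder matching: an exclusion covers the folder itself
# and everything beneath it; -like keeps any * or ? wildcards in the exclusion.
function Test-PathCovered {
    param([string]$Path, [string[]]$ExclusionPaths)
    foreach ($ex in @($ExclusionPaths)) {
        if ([string]::IsNullOrWhiteSpace($ex)) { continue }
        $folder = $ex.TrimEnd('\')
        if ($Path -like $ex -or $Path -like ($folder + '\*')) { return $ex }
    }
    return $null
}

# 2. Compare the resolved path against what is actually configured.
$pref = Get-MpPreference
$hit  = Test-PathCovered -Path $fullPath -ExclusionPaths $pref.ExclusionPath
if ($hit) {
    Write-Host "Path exclusion that covers it  : $hit"
} else {
    Write-Host "No path exclusion covers it    : ExclusionPath has $(@($pref.ExclusionPath).Count) entries"
}

$ext = [System.IO.Path]::GetExtension($fullPath).TrimStart('.')
Write-Host "Extension '$ext' excluded       : $(@($pref.ExclusionExtension) -contains $ext)"

# Process exclusions are matched on the image name of the process doing the I/O,
# so the entry must name the host (e.g. LINQPad8.exe), not the script or query.
$host = (Get-Process -Id $PID).ProcessName + '.exe'
Write-Host "Process exclusions             : $(@($pref.ExclusionProcess) -join ', ')"
Write-Host "This host ($host) excluded     : $(@($pref.ExclusionProcess) -contains $host)"

# 3. The settings the thread toggled.
# MAPSReporting: 0 = off, 1 = basic, 2 = advanced (cloud-delivered protection).
# SubmitSamplesConsent: 0 = always prompt, 1 = safe samples, 2 = never, 3 = all samples.
$status = Get-MpComputerStatus
Write-Host "Cloud-delivered protection     : MAPSReporting=$($pref.MAPSReporting)"
Write-Host "Automatic sample submission    : SubmitSamplesConsent=$($pref.SubmitSamplesConsent)"
Write-Host "Real-time protection enabled   : $($status.RealTimeProtectionEnabled)"
# With a third-party AV registered, Defender should report a passive mode here;
# 'Normal' alongside another AV matches the 'working in parallel' symptom above.
Write-Host "Defender running mode          : $($status.AMRunningMode)"

# Memory integrity (Core Isolation). Key location is an assumption, so missing is tolerated.
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$hvci = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
Write-Host "Memory integrity (HVCI) enabled: $(if ($null -eq $hvci) { 'unknown' } else { [bool]$hvci })"
```

The path check is a local approximation of Defender's matching, so a "covered" result says the configuration is at least consistent, not that the engine will skip the file: as the later reply notes, what Defender scans and when is decided by its own heuristics. The useful outcome is the negative case, where the resolved path sits under a temp folder that no exclusion names, or the host process is not the image that was excluded, which explains the "exclusions have no effect" symptom without any change in Defender's behaviour.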
This topic is thrilling me!
I get results from 300ms (managed PC online), down to 30ms (managed offline) and below 1ms (AV excluded).
But what does that actually mean, and what is actually happening in the perf test?
The managed PC is Windows 10, no Dev Drive. The code shows 300ms when executing the embedded LinqPad8 AV test.
Running the same code in a .NET 8 console app doesn't seem to trigger the AV and is below 1ms.
So this is why I am asking. Probably that does not trigger the AV, but hosted by LINQPad it does?
Windows Defender uses undocumented heuristics to determine what and when to scan, and what kind of scanning to use. I also don't know how your machine has been set up. Maybe you've got exclusions that cover the output folder, or maybe Defender has just decided not to scan your console app files for some reason.
Using a Dev Drive with Windows Defender real-time protection off and cloud-delivered protection off, and also the "Core Isolation"->"Memory integrity" off, results are now between 30-90.
But I guess it might be something related to Xeon and dual CPU; the reason that I bought this machine used was to improve performance, and now I'm not sure if I got a bad machine. The CPU test from Intel and all Dell tests pass w/out problem.
Microsoft Defender XDR technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis.
Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite. It natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
Microsoft Defender XDR combines the capabilities of Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Entra ID Protection, and Microsoft Defender for Cloud Apps into a single solution.
Core to MITRE's testing approach is emulating real-world attacks to understand whether solutions can adequately detect and respond to them. While the test focused on endpoint detection and response, MITRE's simulated APT29 attack spans multiple attack domains, creating opportunities to empower defenders beyond just endpoint protection. Microsoft expanded visibility beyond the endpoint with Microsoft Defender XDR.
ATT&CK-based evaluation of Microsoft Defender XDR - April 2022: Microsoft Security Blog, "Microsoft Defender XDR demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK Evaluations".
Microsoft Defender XDR provided nearly 100 percent coverage across the attack chain stages. It delivered leading out-of-box visibility into attacker activities. The visibility dramatically reduces manual work for the security operations center and vendor solutions that relied on specific configuration changes. Microsoft Defender XDR also had the fewest gaps in visibility, diminishing attacker ability to operate undetected.
Microsoft Defender Antivirus in Windows consistently performs highly in independent tests, showing that it is a top choice in the antivirus market. Keep in mind that these tests only provide results for antivirus and don't test additional security protections.
Microsoft Defender Antivirus is the next generation protection capability in the Microsoft Defender for Endpoint Windows security stack that addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped milliseconds after a campaign starts. That's because Microsoft Defender Antivirus and other endpoint protection platform (EPP) capabilities in Defender for Endpoint detect and stop malware at first sight. They use machine learning, artificial intelligence, behavioral analysis, and other advanced technologies.
The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The following scores are for the Protection category that has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware").