Have you ever seen your CPU fan spin up to 100% and when you look at Task Manager, you see high CPU usage by Microsoft Defender (msmpeng.exe) but when you open up Defender, it’s not running a full scan?
- Launch New-MpPerformanceRecording -RecordTo c:\1.etl and let the recording run for a bit while the high CPU usage is happening.
- Launch Get-MpPerformanceReport c:\1.etl -TopProcesses 100 to see which processes triggered the most scan activity.
I saw this technique posted by SwiftOnSecurity, who discovered that “Dell SupportAssist was poking all EXE files on the drive, triggering on-access scans” by Defender.
DEFENDER PERFORMANCE ANALYSIS TRAINING
SwiftOnSecurity recommended reading the training module “Performance Analyzer for Microsoft Defender Antivirus” for all Microsoft Defender administrators, whether they run plain Microsoft Defender Antivirus or Microsoft Defender for Endpoint.
Quote: “You should baseline your machines at idle and see what is causing spurious activity you haven’t tuned for.”
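Putting the two-step procedure above and the idle-baseline advice together, here is an added example script (written for this post, not SwiftOnSecurity's or Microsoft's code). It records Defender activity for a fixed window, reports the top processes, files and slowest scans, and saves the process report so a later recording can be compared against the idle baseline. The output folder C:\DefenderPerf and the 300-second window are assumptions; the -Seconds parameter on New-MpPerformanceRecording is assumed to be available in your version of the Defender module (older versions only support the interactive "press ENTER to stop" mode shown in the steps above).

```powershell
# Added example: timed Defender performance recording plus a saved baseline report.
# Run from an elevated PowerShell session on a machine with the Defender module.
# Assumption: the module supports New-MpPerformanceRecording -Seconds.

$ReportDir = 'C:\DefenderPerf'                      # assumed output location
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

$Stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$Trace = Join-Path $ReportDir "defender-$Stamp.etl"

# Record for 5 minutes. For a baseline, run this while the machine sits idle
# so that anything showing up is activity you have not tuned for yet.
New-MpPerformanceRecording -RecordTo $Trace -Seconds 300

# Which processes caused the most on-access scans (the Dell SupportAssist case
# from the post would surface here), which files were scanned most often, and
# which individual scans took longest (100 ms or more).
Get-MpPerformanceReport -Path $Trace -TopProcesses 10
Get-MpPerformanceReport -Path $Trace -TopFiles 10
Get-MpPerformanceReport -Path $Trace -TopScans 20 -MinDuration 100ms

# Keep the structured per-process report next to the trace. A recording taken
# later, when the fan spins up, can be diffed against this idle baseline with
# Import-Clixml and Compare-Object.
Get-MpPerformanceReport -Path $Trace -TopProcesses 25 |
    Export-Clixml -Path (Join-Path $ReportDir "defender-$Stamp-topprocesses.xml")
```

Run it once on a quiet machine to establish the baseline, then again when the CPU spikes; a process that appears only in the second report is a candidate for a scan exclusion or for investigating why it touches so many files.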