Windows Defender can Significantly Impact Intel CPU Performance, We have the Fix

[R-T-B]

AV software have too many security risks involved, and as an entity that has higher privileges than a system administrator (in most cases), therefore it cannot be trusted.

Wait until you find out about whats running in the ME or PSP enclaves.

 

[jpuser-axp]

I have figured out how to use ThrottleStop 9.5.
Start and exit. It is very easy.
However, I do not know how to use Counter Control.

Do I start Counter Control, click "Reset Counters" and exit?
If so, will the Defender problem be permanently fixed as long as the PC is running?

 

[TheDeeGee]

Run a sottr bench on a clean install, then shut off control flow guard / defender Realtime scan, vbs, indexer and it an run the bench again -- your gains will be in the double % easy.

Thanks, but no thanks.

I've learned messing with windows the hard way.

If it can't be disabled or uninstalled without an app, leave it alone or risk messing up future updates.

 

[8tyone]

Excellent investigative work! Thank you Mr. Kevin.

 

[zebra_hun]

I say thank you, too.
Zeb

 

[Chrispy_]

Is the problem limited to 8th, 9th, 10th, 11th, and 12th gen only?

I've seen Windows Defender use 100% of a core on low-powered devices like old Bay-Trail Celerons etc. 100% of one core is either a quarter or half of the entire performance those devices have to offer.

 

[Naito]

the amount of times I have run a scan with MBAM or AVRIA and they have found something that defender missed is

I've run Defender and MBAM for many years in parallel and honestly, I've found Defender to always be capable enough to not need MBAM intervention. So much so, that I don't bother running anything but Defender lately.

The inclusion of Defender on Windows Server 2019 and 2022 is also a welcome addition.

 

[DeathtoGnomes]

I've run Defender and MBAM for many years in parallel and honestly, I've found Defender to always be capable enough to not need MBAM intervention. So much so, that I don't bother running anything but Defender lately.

The inclusion of Defender on Windows Server 2019 and 2022 is also a welcome addition.

The question is, can they tailor to specifically avoid Defender.

 

[Dark_Phoenix]

I ran Counter Control after reading this post and in the current section it shows Unknown > 0x777. If I reset counters it will change to Normal 0x337, but it'll either stay at 0x337 or change back to 0x777 after a minute or 2.

 

[Naito]

The question is, can they tailor to specifically avoid Defender.

Same can be said about most things. Like most AVs, Defender employs realtime monitoring and other heuristics to detect threats. The benefit of Defender is that so many PC's run it by default which helps with large scale analytics, machine learning, etc. Detection will be much quicker on such a network.

Any sufficiently popular software will more likely be targeted as you're guaranteed to have a much bigger attack surface. More chance of success, more reward for the hacker.

 

[phanbuey]

Thanks, but no thanks.

I've learned messing with windows the hard way.

If it can't be disabled or uninstalled without an app, leave it alone or risk messing up future updates.

You don't need to install any apps for what I suggested, they're windows settings you can toggle on and off.
What is Control Flow Guard in Windows; How to turn it On or Off (thewindowsclub.com)
How to Disable Virtualization-Based Security (VBS) in Windows 11 | Beebom
- you can also just disable virtualization in the bios to do the same effect and then test performance.

The point I was trying to make is that security apparatus in windows looks like it might be a 5% hit, and is in some very synthetic benches, but it's closer to 15% in real games when taking into account IO/memory latency with just those two settings. The system virtualizes the kernel and then nannies memory access with extreme overhead.

We have a juicy chunk of performance left on the table when it comes to OS and software optimizations. Will be interesting to see also if CPU accelerators will come into play for some of these tasks.

 

[Veseleil]

Wait until you find out about whats running in the ME or PSP enclaves.

We all know about spyware abillities integrated into chips as "security features". The difference is that i can't do much about that, and i can at least prevent some shady software running in the OS.

 

[R-T-B]

We all know about spyware abillities integrated into chips as "security features". The difference is that i can't do much about that, and i can at least prevent some shady software running in the OS.

They aren't really spyware, more useless features just waiting for a vulnerability, but same end result:

Source: Me. I'm well known as a ME security researcher.

 

[zebra_hun]

YT Video Link

15500 vs 16700 Cinebench R23 score. I start TS with windows, and use .ini to stop 5 sec later.

 

[NfiniteL00p]

I've not been able to replicate this issue for some reason. The highest Defender CPU usage I got was 0.31% during the Cinebench R23.200 run; otherwise it hovered around 0.06% or less. Windows 11 Enterprise Build 21H2, latest updates, 12th Gen Intel Core i9-12900K for the CPU.

 

[Aquinus]

We have the Fix

When I first saw this part of the title, I thought to myself, "I do too. Use Linux."

 

[Ed_1]

I've not been able to replicate this issue for some reason. The highest Defender CPU usage I got was 0.31% during the Cinebench R23.200 run; otherwise it hovered around 0.06% or less. Windows 11 Enterprise Build 21H2, latest updates, 12th Gen Intel Core i9-12900K for the CPU.

12th gen doesn't seem to be effected, I never see defender show up in app.

 

[othersteve]

12th gen doesn't seem to be effected, I never see defender show up in app.

Yup, agreed, I've yet to see any issues on the new XPS 13 Plus I've been using. Hopefully that means it isn't affected.

 

[lexluthermiester]

If it can't be disabled or uninstalled without an app, leave it alone or risk messing up future updates.

It's not about what you do, rather how you do it. IF done the right way, it's easy-breezy and works perfectly. Key point, doing it the right way.

Yup, agreed, I've yet to see any issues on the new XPS 13 Plus I've been using. Hopefully that means it isn't affected.

Or you didn't notice. If your computing habits and activities don't require intensive compute power, you might not even notice.

 

[ThrashZone]

12th gen doesn't seem to be effected, I never see defender show up in app.

Hi,
Read the op and see for yourself here's the first clue

Not to many people stare are task manager especially when doing other things.

 

[othersteve]

It not about what you do, rather how you do it. IF done the right way, It's easy-breezy and works perfectly. Key point, doing it the right way.


Or you didn't notice. If your computing habits and activities don't require intensive compute power, you might not even notice.

No, what I mean to say is that Counter Control doesn't seem to have reported anything amiss on my system yet.

 

[lexluthermiester]

No, what I mean to say is that Counter Control doesn't seem to have reported anything amiss on my system yet.

Ah, ok. Understood.

 

[Ed_1]

Hi,
Read the op and see for yourself here's the first clue
View attachment 252875
Not to many people stare are task manager especially when doing other things.

That's 10th gen I ran the app for many hours, I see only normal and not used.
here my log
2022-06-27 13:38:28 00:13:48 0x330 Normal

2022-06-27 13:42:37 00:03:07 0x000 Not Used
2022-06-27 17:15:47 03:33:10 0x330 Normal

2022-06-28 12:31:11 00:00:43 0x000 Not Used

2022-06-28 19:17:36 00:01:47 0x330 Normal

Plus running CB23 before and after I get same score, even after reset counters.

 

[unclewebb]

Plus running CB23 before and after I get same score

When testing, boot up and run Counter Control. Do not push the Reset Counters button and do not run ThrottleStop 9.5. When my 10th Gen computer first boots up or when I resume from sleep, the counters are in mode 0x222 and performance is decreased. If your computer does not have this problem then you do not need to fix anything. You will not see any improvement in Cinebench R23 scores if you do not have this problem.

0x777

Thanks for posting that. 12th Gen CPUs do not seem to have this issue.

15500 vs 16700 Cinebench R23

Thanks for posting that video. It shows the problem exactly.

 

[Ed_1]

When testing, boot up and run Counter Control. Do not push the Reset Counters button and do not run ThrottleStop 9.5. When my 10th Gen computer first boots up or when I resume from sleep, the counters are in mode 0x222 and performance is decreased. If your computer does not have this problem then you do not need to fix anything. You will not see any improvement in Cinebench R23 scores if you do not have this problem.


Thanks for posting that. 12th Gen CPUs do not seem to have this issue.


Thanks for posting that video. It shows the problem exactly.

fresh restart and it shows not used 0x000
when running CB23 I get 100% load so as I said before it doesn't seem to affect 12th gen or at least my 12th gen config.

As far as sleep goes I always disable sleep with powercfg /hibernate off right after windows install so can't really test that, never use sleep.
I just let the monitor go into low power mode