I have followed instruction (from several sources) to make the file MsMpEng.exe as an exception for Defender, but it is still there after a restart.
What am I doing wrong?
Windows 10
Brave browser.
Thunderbird.
Jim the Geordie <jim@jimXscott.co.uk> wrote:
I have followed instruction (from several sources) to make the file
MsMpEng.exe as an exception for Defender, but it is still there after a
restart.
What am I doing wrong?
Windows 10
Brave browser.
Thunderbird.
MsMpEng.exe *is* Windows Defender:
MS (Microsoft)
Mp (Malware Protection)
Eng (Engine)
An exception does not kill a process, but exclude it from getting
scanned.
Are you running some other/3rd-party anti-virus program? If so, only
ONE should be running at a time (as the on-demand aka realtime scanner),
not multiple running at the same time. If you want to use a 3rd-party
AV, disable Windows Defender. Be sure to use a 3rd-party AV that
properly registers itself in Windows which will have Windows grant the 3rd-party AV as the antimalware protector.
The "instructions" came from where, specifically? Just because you
found something on the Web doesn't mandate it is valid, or applies in
your situation.
On 13/01/2025 12:50, VanguardLH wrote:
Jim the Geordie <jim@jimXscott.co.uk> wrote:
I have followed instruction (from several sources) to make the file
MsMpEng.exe as an exception for Defender, but it is still there after a
restart.
What am I doing wrong?
Windows 10
Brave browser.
Thunderbird.
MsMpEng.exe *is* Windows Defender:
MS (Microsoft)
Mp (Malware Protection)
Eng (Engine)
An exception does not kill a process, but exclude it from getting
scanned.
Are you running some other/3rd-party anti-virus program? If so, only
ONE should be running at a time (as the on-demand aka realtime scanner),
not multiple running at the same time. If you want to use a 3rd-party
AV, disable Windows Defender. Be sure to use a 3rd-party AV that
properly registers itself in Windows which will have Windows grant the
3rd-party AV as the antimalware protector.
The "instructions" came from where, specifically? Just because you
found something on the Web doesn't mandate it is valid, or applies in
your situation.
That's fine.
My PC seems to be faster/less 'laggy'.
The instructions came from Microsoft (among others, but they were all
the same)
I am not running any other AV program.
Jim the Geordie <jim@jimXscott.co.uk> wrote:
On 13/01/2025 12:50, VanguardLH wrote:
Jim the Geordie <jim@jimXscott.co.uk> wrote:
I have followed instruction (from several sources) to make the file
MsMpEng.exe as an exception for Defender, but it is still there after a
restart.
What am I doing wrong?
Windows 10
Brave browser.
Thunderbird.
MsMpEng.exe *is* Windows Defender:
MS (Microsoft)
Mp (Malware Protection)
Eng (Engine)
An exception does not kill a process, but exclude it from getting
scanned.
Are you running some other/3rd-party anti-virus program? If so, only
ONE should be running at a time (as the on-demand aka realtime scanner),
not multiple running at the same time. If you want to use a 3rd-party
AV, disable Windows Defender. Be sure to use a 3rd-party AV that
properly registers itself in Windows which will have Windows grant the
3rd-party AV as the antimalware protector.
The "instructions" came from where, specifically? Just because you
found something on the Web doesn't mandate it is valid, or applies in
your situation.
That's fine.
My PC seems to be faster/less 'laggy'.
The instructions came from Microsoft (among others, but they were all
the same)
I am not running any other AV program.
If you add msmpeng.exe as an exception to the scans by Windows Defender,
you leave your setup vulnerable if the file becomes compromised, but you
told Defender not to scan itself. The expectation is that Defender will
defend its own core files, but I wasn't aware that Defender would scan
its own core files in scans, but instead defend itself at all times, not
just during scans.
If you are going to exclude msmpeng.exe from scans, you might as well
exclude its entire folder (C:\Program Files\Windows Defender).
Are you seeing high CPU usage for long periods which are eliminated by
excluding msmpeng.exe (the scanner) from Defender's own scans? There
are high CPU moments when Defender scans itself, but the on-access
(real-time) scanner should only be scanning changed files (changed or
new), not every file all the time. If there are lots of file changes,
like thousands (either in file count, or rewrites to the same file) then
Defender will be busy rescanning those files. Possibly on ancient
hardware the msmpeng.exe process may remain high. If hardware upgrading
(CPU, memory) is not an option, you might want to switch off Defender to
go with a 3rd-party AV; however, most will also get busy when there are
lots of file changes as they, too, have to scan the changed files.
If you scheduled the on-demand scanner, you might want to move that
schedule to a time when you are not using the computer. However,
on-demand scans won't find anything the on-access/realtime scanner did
not find. Only if you disabled the on-access scanner, installed new
files during which the scanner was disabled, and then reenabled the
scanner then the scanner won't see the changed files, so an on-demand
scan later will look at those files added while the on-access scanner
was quiesced.
On Mon, 1/13/2025 10:00 AM, VanguardLH wrote:
I use Defender as real time protection but run other AV scanners in my unattended overnight batches. To do that the batch deactivates Defender
Jim the Geordie <jim@jimXscott.co.uk> wrote:
On 13/01/2025 12:50, VanguardLH wrote:
Jim the Geordie <jim@jimXscott.co.uk> wrote:
I have followed instruction (from several sources) to make the file
MsMpEng.exe as an exception for Defender, but it is still there after a
restart.
What am I doing wrong?
Windows 10
Brave browser.
Thunderbird.
MsMpEng.exe *is* Windows Defender:
MS (Microsoft)
Mp (Malware Protection)
Eng (Engine)
An exception does not kill a process, but exclude it from getting
scanned.
Are you running some other/3rd-party anti-virus program? If so, only
ONE should be running at a time (as the on-demand aka realtime scanner),
not multiple running at the same time. If you want to use a 3rd-party
AV, disable Windows Defender. Be sure to use a 3rd-party AV that
properly registers itself in Windows which will have Windows grant the
3rd-party AV as the antimalware protector.
The "instructions" came from where, specifically? Just because you
found something on the Web doesn't mandate it is valid, or applies in
your situation.
That's fine.
My PC seems to be faster/less 'laggy'.
The instructions came from Microsoft (among others, but they were all
the same)
I am not running any other AV program.
If you add msmpeng.exe as an exception to the scans by Windows Defender,
you leave your setup vulnerable if the file becomes compromised, but you
told Defender not to scan itself. The expectation is that Defender will
defend its own core files, but I wasn't aware that Defender would scan
its own core files in scans, but instead defend itself at all times, not
just during scans.
If you are going to exclude msmpeng.exe from scans, you might as well
exclude its entire folder (C:\Program Files\Windows Defender).
Are you seeing high CPU usage for long periods which are eliminated by
excluding msmpeng.exe (the scanner) from Defender's own scans? There
are high CPU moments when Defender scans itself, but the on-access
(real-time) scanner should only be scanning changed files (changed or
new), not every file all the time. If there are lots of file changes,
like thousands (either in file count, or rewrites to the same file) then
Defender will be busy rescanning those files. Possibly on ancient
hardware the msmpeng.exe process may remain high. If hardware upgrading
(CPU, memory) is not an option, you might want to switch off Defender to
go with a 3rd-party AV; however, most will also get busy when there are
lots of file changes as they, too, have to scan the changed files.
If you scheduled the on-demand scanner, you might want to move that
schedule to a time when you are not using the computer. However,
on-demand scans won't find anything the on-access/realtime scanner did
not find. Only if you disabled the on-access scanner, installed new
files during which the scanner was disabled, and then reenabled the
scanner then the scanner won't see the changed files, so an on-demand
scan later will look at those files added while the on-access scanner
was quiesced.
Just as a general observation, the "claimed" CPU usage of that executable
is small, yet the amount of total I/O it has done, is pretty impressive,
for something not using a lot of CPU. The I/O has happened
over many hours.
[Picture]
https://i.postimg.cc/dVcgppjN/msmpeng-activity.gif
The Sysinternals Process Explorer is available here. It can be run
as Administrator, for some activities this gives a bit of extra info,
but Administrator is not needed for casual usage like in the picture.
The CPU usage includes two digits after the decimal, which is useful.
https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
Does MSMPENG.exe slow down the machine ? You bet your ass it does.
But it shows up, when you attempt to read files.
As an example, you may have a copy of hashdeep64.exe or md5deep64.exe ,
which is a program that can generate a checksum value for each and
every file on a PC. The poor "hashdeep" runs at about 14% of normal
speed, when Defender is finished scanning the shit out of each
file as it is being read. This is where you are losing the performance.
The real time performance, when your activities do high I/O, is
slowed considerably by Defender.
But at the background scan level, which is what the top picture is demonstrating, it should not be making the system particularly laggy.
When running high I/O programs, you have to go to the security panel
and "disable Real Time scan", for those activities that you suspect
are innocuous. While malware could come out of hiding while you
have the Real Time scan disabled, it's not much of a computer
if I/O activity is being strangled.
Not all I/O activity is necessarily scanned to the same extent.
If you run a Macrium Reflect backup while the OS is running,
the I/O there is at cluster level, and scanning the shit out
of individual clusters isn't particularly an effective security
measure. Whereas reading whole files is more of interest to
a Defender.
There can be some places worth setting an exception. If your mail tool
stores messages as separate .eml files, you could have a hundred thousand
of those, and any time the email tool scans the email store, that's
going to make Defender nuts and the activity will slow to a crawl.
Then you have to make the decision, whether disabling real time on
that folder is a necessary thing or not. Again, if your email
becomes basically unusable due to parallel scanning activity,
it's not much of a computer if you can't use it.
But I would avoid random vacuous application of Exceptions.
Exceptions are not the new breakfast cereal. They're to be
used with thought and reflection, balancing security versus
abysmal performance.
Paul
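The following PowerShell audit is an added example, not part of any post in this thread. It lists the configured Defender exclusions and marks the ones the replies above warn about (the engine itself, its program folder), plus whole-drive and executable-extension exclusions. The ProgramData path and the extension list are assumptions made for the example.

```powershell
# Added example (not from the thread): review Defender exclusions before trusting them.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    # Without elevation, Get-MpPreference may hide the real exclusion lists.
    Write-Warning 'Run from an elevated PowerShell session to read exclusions.'
    return
}

$pref = Get-MpPreference
# An exclusion never stops MsMpEng.exe; it only narrows what gets scanned.
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AMRunningMode | Format-List

# Defender's own locations. The first is named in the thread; the second is an
# assumed default location added for this example.
$defenderDirs = @(
    (Join-Path $env:ProgramFiles 'Windows Defender'),
    (Join-Path $env:ProgramData  'Microsoft\Windows Defender')
)
$riskyExt = 'exe','dll','sys','ps1','bat','cmd','vbs','js','scr'   # assumed list

$report = foreach ($kind in 'ExclusionPath','ExclusionProcess','ExclusionExtension') {
    foreach ($value in @($pref.$kind)) {
        if (-not $value) { continue }
        $v = [string]$value
        $p = $v.TrimEnd('\')
        $why = switch ($kind) {
            'ExclusionProcess' {
                # A process exclusion skips files that process opens, so excluding
                # the engine's own image removes scanning of what it touches.
                if ((Split-Path $v -Leaf) -ieq 'MsMpEng.exe') { 'Defender engine excluded' }
            }
            'ExclusionPath' {
                if ($v -match '^[A-Za-z]:\\?$') { 'whole drive excluded' }
                elseif ($defenderDirs | Where-Object { $p -like "$_*" -or $_ -like "$p\*" }) {
                    'covers Defender program files'
                }
            }
            'ExclusionExtension' {
                if ($riskyExt -contains $v.TrimStart('.','*').ToLower()) { 'executable type excluded' }
            }
        }
        [pscustomobject]@{ Kind = $kind; Value = $v
                           Review = if ($why) { $why } else { 'confirm still needed' } }
    }
}
$report | Sort-Object Kind, Value | Format-Table -AutoSize -Wrap
```

An entry that is no longer justified can be dropped with `Remove-MpPreference -ExclusionPath`, `-ExclusionProcess` or `-ExclusionExtension`.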