[German]In this blog post I'd like to take up a tiresome topic: the performance and stability problems caused by virus scanners on Windows 10 clients as well as in server environments. What is the cause, and what can be done about it?
The background: in March 2020 I was contacted twice by blog readers about Windows Defender acting as a performance brake on Windows Server 2016/2019. Both readers had disabled Windows Defender on Windows Server 2016/2019 in order to work with reasonable performance. The whole issue is covered in the two articles linked at the end of this post.
Microsoft knows about the issues
While researching alternative antivirus solutions for Windows Server (see my article Solution for slow start of Windows Server 2016?), I came across the Microsoft article Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows. The article was last updated in early March 2020.
The problem is probably that Windows Defender does not define any exclusion list of files to be skipped during a scan. During update installation, for example, files that are in use would have to be scanned, but Defender cannot scan them. This results in stability and performance problems; Windows Server 2016 may take an incredibly long time to restart while installing updates.
Instead of disabling Defender, Microsoft describes in the linked support article what to do if you run into stability and performance problems in Windows. The advice in this article applies to:
- Windows Server 2012, all editions
- Windows Server 2012 R2, all editions
- Windows Server 2016, all editions
- Windows Server 2019, all editions
- Windows 7, all editions
- Windows 8.1, all editions
- Windows 10, all editions
and should apply to all virus scanners, not just Windows Defender. Some third-party virus scanner vendors, however, seem to have done their homework and maintain exclusion lists of files to avoid such problems. Microsoft is well aware that scanning files, especially update files, can cause performance problems. The company writes about this:
This article contains recommendations that may help an administrator determine the cause of potential instability on a computer that is running a supported version of Microsoft Windows when it is used together with antivirus software in an Active Directory domain environment or in a managed business environment.
Note We recommend that you temporarily apply these settings to evaluate system behavior. If your system performance or stability is improved by the recommendations that are made in this article, contact your antivirus software vendor for instructions or for an updated version or settings of the antivirus software.
Important This article contains information that shows how to help lower security settings or how to temporarily turn off security features on a computer. You can make these changes to understand the nature of a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.
It is therefore quite interesting to see what Microsoft recommends that administrators test in the article.
- When scanning certain files, problems with operating system performance and reliability may be experienced because of file locks.
- For this reason, Microsoft recommends that you exclude certain files from scanning for viruses, especially those related to updates.
For example, Microsoft recommends excluding the Windows Update / Automatic Updates database file (Datastore.edb), located in the following folder, from scanning:
Scanning of the log files in the following folder should also be disabled:
Also disable scanning of Windows security files in the folder:
There are other files (group policy files, profile files) that may need to be omitted from the virus scan. The support article Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows lists more folders and files that should be excluded from the virus scan. There are also concrete recommendations on how to do this (for example, do not make a global exclusion based on a file name extension). In addition, Microsoft recommends a test to see whether individual measures bring about an improvement or not.
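One way to carry out the evaluation Microsoft suggests, as an added PowerShell example that is not from the blog post or from Microsoft's article: take a snapshot of the current Defender exclusions, add the candidate folders and files as path exclusions (not extension-wide exclusions, which the support article advises against) for the test window, and afterwards remove exactly the entries the test added. The entries in `$Exclusions` are placeholders that must be filled in from the Microsoft support article; the script assumes an elevated session on a machine with the Defender PowerShell module (`Get-MpPreference`, `Add-MpPreference`, `Remove-MpPreference`).

```powershell
# Added example (not from the blog post or Microsoft's article): temporarily apply
# Defender exclusions for an evaluation and roll back only what was added.
# Assumes an elevated session with the Defender module available.

$Exclusions = @(
    # Placeholders only: take the actual folders and files from the Microsoft KB article.
    '<KB-listed-update-folder>\Datastore.edb',
    '<KB-listed-log-folder>',
    '<KB-listed-security-folder>'
)

$SnapshotFile = Join-Path $env:TEMP 'defender-exclusions-before.json'

function Save-ExclusionSnapshot {
    # Record the exclusions in force now, so the evaluation can be undone exactly.
    $pref = Get-MpPreference
    [pscustomobject]@{
        Path      = @($pref.ExclusionPath)
        Extension = @($pref.ExclusionExtension)
        Process   = @($pref.ExclusionProcess)
    } | ConvertTo-Json | Set-Content -Path $SnapshotFile -Encoding UTF8
}

function Add-EvaluationExclusions {
    param([string[]]$Paths)
    # Expand %windir%-style variables, skip unfilled placeholders and duplicates,
    # and add each entry as a path exclusion (never a global extension exclusion).
    $current = @((Get-MpPreference).ExclusionPath)
    foreach ($p in $Paths) {
        $expanded = [Environment]::ExpandEnvironmentVariables($p)
        if ($expanded -like '<*') { Write-Warning "Placeholder not filled in: $p"; continue }
        if ($current -contains $expanded) { continue }
        Add-MpPreference -ExclusionPath $expanded
    }
}

function Remove-EvaluationExclusions {
    # Remove only the path exclusions that are not in the snapshot, i.e. what this test added.
    $before = (Get-Content -Path $SnapshotFile -Raw | ConvertFrom-Json).Path
    $now    = @((Get-MpPreference).ExclusionPath)
    $added  = @($now | Where-Object { $_ -and ($before -notcontains $_) })
    if ($added.Count -gt 0) { Remove-MpPreference -ExclusionPath $added }
}

function Show-Exclusions {
    # Current exclusion state, for the before/after comparison of the evaluation.
    Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess | Format-List
}

# Usage: snapshot, apply for the test window, observe update installation and restart
# behaviour, then roll back if the exclusions made no measurable difference.
Save-ExclusionSnapshot
Add-EvaluationExclusions -Paths $Exclusions
Show-Exclusions
# After the evaluation:
# Remove-EvaluationExclusions
```

The snapshot file is what makes the rollback safe: exclusions that were already configured (by policy or by an earlier administrator) are left untouched, and the comparison of `Show-Exclusions` output before and after documents which entries the test actually introduced.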
But there is more
While preparing this blog post I had a short e-mail exchange with German blog reader Alexander F., who provided me with hints for the article Windows Server 2019: Defender Performance Issues. Alexander wrote that ‘almost every enterprise antivirus software vendor integrates a so-called “Default Exclusion List” into their products’. Such a list specifies the directories and/or files of the operating system that are excluded from virus scanning, including the files named in the Microsoft support article quoted above.
For Windows Server 2016/2019, Microsoft has published this document, which addresses the exclusion criteria for real-time protection when using Microsoft Defender ATP.
Blog reader Karl posted the following tweet in response to my article about the slow startup of Windows Server 2016 during update installation. It points to further exclusions that should be specified.
We all know how often 3rd party security solution trouble things.
Rather put these exclusions
I just upgraded my lab with 2020-03
2019 and core servers are your best friends.
— al Qamar (Karl Wester-Ebbinghaus) (@tweet_alqamar) March 28, 2020
Alexander F. also pointed out in his mail that, depending on the product used, additional files belong on the “Default Exclusion List”. Here are some places where you can check if necessary.
Perhaps these sources will help reduce or eliminate the stability and performance problems associated with Defender, so that Defender deactivation is not necessary.
Alexander F. also writes that there is another problem when using alternative antivirus software. Normally Defender should be disabled completely as soon as a third-party AV solution is installed. Alexander F. (who uses Sophos AV products for customers) has observed that this does not happen completely. This incomplete deactivation is the reason why Alexander F. uninstalls Defender on Windows Server (as shown in the following articles).
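Before uninstalling anything, it is worth verifying what state Defender is actually in next to the third-party product. The following is an added PowerShell example, not code from the blog post or from any vendor, that reports the Defender service, the engine's own view of itself (`Get-MpComputerStatus`, including `AMRunningMode` on platform versions that expose it) and, on client SKUs, every antivirus product registered with Windows Security Center. One caveat to keep in mind when reading the output: Windows Server has no Windows Security Center, so the automatic hand-over that turns Defender off on a client when another AV registers does not exist there; on Server the feature has to be removed by the administrator or put into passive mode through Microsoft Defender ATP onboarding. The `root/SecurityCenter2` query therefore returns nothing on Server, which the report records as an empty list rather than an error.

```powershell
# Added example (not from the blog post): report whether Defender AV is really
# off or passive alongside a third-party antivirus product. Read-only; assumes
# an elevated session so that Get-MpComputerStatus can be queried.

function Get-DefenderCoexistenceReport {
    $report = [ordered]@{
        ComputerName             = $env:COMPUTERNAME
        DefenderFeatureInstalled = $null   # Server only: Windows-Defender feature state
        WinDefendService         = $null   # Status of the Defender AV service
        AntivirusEnabled         = $null
        RealTimeProtection       = $null
        RunningMode              = $null   # e.g. 'Normal', 'Passive Mode', 'Not running'
        RegisteredAVProducts     = @()     # Client SKUs only: Security Center registrations
    }

    # Get-WindowsFeature exists only on Server (ServerManager module); probe before calling.
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsFeature -Name Windows-Defender -ErrorAction SilentlyContinue
        if ($feature) { $report.DefenderFeatureInstalled = [bool]$feature.Installed }
    }

    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if ($svc) { $report.WinDefendService = $svc.Status.ToString() }

    # The engine's own view: stays populated even when a third-party AV is present.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($status) {
        $report.AntivirusEnabled   = $status.AntivirusEnabled
        $report.RealTimeProtection = $status.RealTimeProtectionEnabled
        $report.RunningMode        = $status.AMRunningMode   # $null on older platform versions
    }

    # Security Center registrations (client SKUs). The namespace is absent on Windows Server,
    # so the query quietly yields nothing there.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
                                -ErrorAction SilentlyContinue
    if ($products) {
        $report.RegisteredAVProducts = @($products | ForEach-Object {
            # productState is a bit field; the second byte (0x10 = on) reflects real-time status.
            [pscustomobject]@{
                Name         = $_.displayName
                RealTimeOn   = (($_.productState -shr 12) -band 0x1) -eq 1
                ProductState = ('0x{0:X6}' -f $_.productState)
            }
        })
    }

    [pscustomobject]$report
}

# Usage: run after the third-party product is installed and compare with the vendor's
# expectation. RealTimeProtection = True together with a third-party entry means Defender
# was not handed off completely.
Get-DefenderCoexistenceReport | Format-List
```

If the report shows `AntivirusEnabled` and `RealTimeProtection` both `True` while the third-party scanner is active, two real-time engines are competing for the same file handles, which is exactly the kind of double-scanning that produces the lock-related slowdowns described above.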