Microsoft fixes 5-year-old Defender bug that slows down Firefox

Mozilla[German]A few days ago, Microsoft fixed a bug in Defender that had been known for five years. The bug caused Defender to create a high CPU load on Windows when the Firefox browser was running. Users had to create an exception for Firefox in Defender to work around the problem. That is no longer necessary.


Advertising

The issue came to my attention last week at ghacks.net because Martin Brinkmann had picked it up in the following tweet and in the article Microsoft fixes 5 year old Windows Defender bug that affected Firefox's performance.

Fix for Firefox Defender-Bug in Windows

In May 2018, there was a thread in the Firefox Bugzilla section titled Antimalware Service Executable (Windows Defender) very active / high CPU when using Firefox with the following description:

I noticed that for some time now most of the time Firefox is active, the Windows 10 built in `Antimalware Service Executable` is using well above *30% of my CPU*, and is reading and writing random files in `Windows/Temp`, all starting with `etilqs_`.

This is considerably slowing me down and makes Firefox feel really slow.

I reproduced this in a new profile, and so far the only thing that helped is excluding the Firefox process from Windows Defender Antivirus. (something most of our users will probably not do)[…}

I am on Windowns 10 on Surface Pro 4, running the current Nightly[…}

The post was referring to nightly builds of Firefox – but it turned out after testing by Mozilla developers that Defender in Windows 10 (and also in Windows 11) was responsible for the CPU load. The antimalware service, Msmpeng.exe (Microsoft Malware Protection Engine) caused the problem because it accessed sechost.dll to run a ProcessTrace. This caused too many ETW events to run as normal. This consumed five times more CPU power with Firefox than with Chrome and other browsers. Many users reported that performance was so poor that their PCs stalled when using the browser.

Windows Defender's real-time protection – according to research – called VirtualProtect several times, which triggered the load. Mozilla developers cooperated with Microsoft and found that disabling the JIT compiler (via about:config) mitigated the problem, but did not completely fix the CPU load.


Advertising

Users had to define an exception in Defender that prevented Defender from scanning Firefox files. The bug was later fixed by Microsoft, and then tested with the beta version of the Defender engine (1.1.20200.2). The fix has now been included in the stable channel of antivirus definitions and rolled out widely. According to Ghacks.net, this update was rolled out broadly on April 4, 2023 with version 1.1.20200.4. Those who want to check whether the update is installed can find it in the path:

C:\ProgramData\Microsoft\Windows Defender\Definition Updates

There migt be a subfolder with a long alphanumeric name. The properties of the mpengine.dll stored there should show version 1.1.20200.4.


Advertising

This entry was posted in browser, Security, Windows and tagged , , . Bookmark the permalink.

2 Responses to Microsoft fixes 5-year-old Defender bug that slows down Firefox

  1. Chris Pugson says:

    The folder tree on my Windows 10 Pro 22H2 is :-
    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C56CE455-45A6-4BB6-8698-8490AA1AEC97}

    The properties of my system's copy of mpengine.dll stored there does should show version 1.1.20200.4.

    Yes, Firefox does seem distinctly livelier on my 2006 vintage Toshiba Satellite Pro P200 1.83GHz Intel Core Duo powered laptop. I wondered what had caused the improvement. Mystery solved.

  2. Synonymous says:

    https://bugzilla.mozilla.org/show_bug.cgi?id=1441918#c96

    "There has been some coverage in online news about the fix mentioned in comment 82. You may read online that Defender was making too many calls to VirtualProtect, and that global CPU usage will now go down by 75% when browsing with Firefox. This is absolutely wrong!

    The impact of this fix is that on all computers that rely on Microsoft Defender's Real-time Protection feature (which is enabled by default in Windows), MsMpEng.exe will consume much less CPU than before when monitoring the dynamic behavior of any program through ETW. Nothing less, nothing more.

    For Firefox this is particularly impactful because Firefox (not Defender!) relies a lot on VirtualProtect (which is monitored by MsMpEng.exe through ETW). We expect that on all these computers, MsMpEng.exe will consume around 75% less CPU than it did before when it is monitoring Firefox. Which is really good news."

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).