Defender AV Performance Analyzing Using Powershell

Hello, Everyone! So in this blog, I will explain how to use Powershell to run a performance analyzer for Microsoft Defender Antivirus. In my previous blog, I explained how to use Procmon for Performance analysis.

Microsoft defender AV provides always-on, real-time protection and on-demand scans on files to protect them from any malicious entries, sometimes the scans take a while especially I had seen when developers build their code defender AV will scan all the activities which will slow down the system performance and it might take longer for them to complete the build, in these cases performance analyzer tools will help us to identify the defender AV scanning activities and will help to define some exclusions which will improve the performance.

Microsoft had provided this as a feature from platform 4.18.2108.7 and above so make sure you are running the right platform to use this feature, and we don't want to install it separately like procmon, The PowerShell command-line tool will help to collect the performance recording an individual endpoint and reports information for top scans, processes, file and file extension which ate most affected by Defender AV, Here I will use Android Studio and will run performance analyzer to see the activity of Defender AV scan

Minimum requirements to run this tool

Supported Windows Version: Windows 10,Windows 11 and Server 2016 and Above
Platform Version:4.18.2108.7 and above 
Powershell version: PowerShell Version 5.1 

There are two PowerShell cmdlets used for performance analysis of defender AV

1. New-MpPerformanceRecording
2. Get-MpPerformanceReport

Step 1: To start a performance recording you need to start PowerShell with elevated administrator privilege and use the PowerShell cmdlet

New-MpPerformanceRecording -RecordTo (Specify the path to store the recording)

this will start recording during this time run the build or the other task which you think the cause of performance impact so that the performance analyzer can capture that

when you have finished capturing, press <Enter> or <Ctrl-C> to stop the recording and it will be saved in the location mentioned

Now the recording is saved in ETL format

Step 2: Now the recording is saved we can use the below PowerShell Cmdlet to read the Performance Recording

Get-MpPerformanceReport [-path] (specify the path where recording is saved )  <String>

Below are the parameters for cmdLet Get-MpPerformanceReport

You can read the report based on Specific Parameters for example to check the top 20 files scanned by Defender VA, based on the query you can view data for scan counts, duration (Total/Min/Average/max/Median), path, and process

You can use nested grouping to get a more detailed report for example if you need to know which are the top processes that impact the AV scan time and the top scans associated with each you can run the below command

Get-MpPerformanceReport -Path C:\temp\Recording_Build.etl -TopProcesses 2 -TopScansPerProcess 3

In my case, I am looking for the top Two processes and the top Three scans associated with those processes, you can use nested grouping for TopProcesses, TopFiles, TopExtensions, TopScans, and with MinDuration.

You can use the below commands for each value, You need to provide your recoding saved location.

1. Top Three files

Get-MpPerformanceReport -Path C:\temp\Recording_Build.etl -TopFiles 3

This will display the top three file paths scanned by defender AV you can change the value from three to as per your preference.

2. Top Three Extensions

Get-MpPerformanceReport -Path C:\temp\Recording_Build.etl -TopExtensions 3

3. Top Five Processes

Get-MpPerformanceReport -Path C:\temp\Recording_Build.etl -TopProcesses 5

4. Top Ten Scans

Get-MpPerformanceReport -Path C:\temp\Recording_Build.etl -TopScans 10

5. Top Twenty Scans in Minimum Duration of 100MS (-MinDurations can be used along with other parameters)

Get-MpPerformanceReport -Path C:\temp\Recording_Build.etl -TopScans 20  -MinDuration 100Ms

You can use nested parameters for the more granular report as I mentioned earlier from the available syntax.

Converting & Exporting the Report to CSV & JSON

You can export or convert the report to CSV or JSON file

To Covert to CSV

 (Get-MpPerformanceReport -Path C:\temp\Recording_Build.etl -TopScans 20).TopScans | ConvertTo-Csv -NoTypeInformation

To Convert to JSON File

(Get-MpPerformanceReport -Path C:\temp\Recording_Build.etl -TopScans 5).TopScans | ConvertTo-Json -depth:1

To export to CSV

(Get-MpPerformanceReport -Path C:\temp\Recording_Build.etl -TopProcesses 2000).TopProcesses | Export-Csv -Path C:\temp\Processes.csv

File Output example

Reference

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus?view=o365-worldwide#get-mpperformancereport