Microsoft fixes 5-year-old Windows Defender bug that affected Firefox's performance
Microsoft has fixed a bug in Windows Defender that was leading to high CPU usage when Firefox was open. It only took the company 5 years to fix the issue.
Windows Defender bug was causing high CPU usage in Firefox
When Firefox was running, Windows Defender's Antimalware Service Executable would act up, causing its CPU usage to rise significantly. Many users said that the performance was so bad that their PCs would lag when using the browser. Some people compared the performance with other browsers such as Chrome and Edge and found that those were not affected; the bug was limited to Firefox. The issue had been reported on Bugzilla 5 years ago (May 2018), which means it was not restricted to Windows 11; it also affected Windows 10.
Mozilla's engineers narrowed down the issue to the Antimalware Service Executable, which is Msmpeng.exe (Microsoft Malware Protection Engine). They discovered that the executable was accessing sechost.dll to run ProcessTrace, i.e. it was processing ETW (Event Tracing for Windows) events from other processes. Essentially, it was generating far more ETW events than normal, and was using 5 times more CPU power to do this with Firefox as compared with Chrome and other browsers.
Further investigation shed light on the root cause: Windows Defender's real-time protection was invoking VirtualProtect several times. Mozilla's engineers worked with Microsoft's team to solve the problem. They came to the conclusion that the calls to VirtualProtect were abnormally high, which in turn caused the performance issue. Mozilla's team pointed out that disabling JIT (in about:config) mitigated the problem, but didn't solve the CPU usage issue completely. The bug was later addressed by Microsoft when it released a beta version of Defender's engine (1.1.20200.2). The fix has been tested for a while, and has now been pushed to the stable channel of the antivirus definitions.
According to a comparison graph shared by a Mozilla engineer, Yannis Juglaret, the fix has a huge impact on the system's performance. There's nearly a 75% improvement, or should I say a 75% reduction in the CPU usage.
You don't need to do anything: the bug has been patched in the March 2023 update that was released on April 4th. It bumps the app's version number to 4.18.2302.x, and patches the Engine to version 1.1.20200.4. To be more specific, that is the version number of the mpengine.dll file. The fix is also being deployed for Windows 7 and 8.1 users, even though they were not affected by the problem.
How to check if you have the latest version of the DLL? Go to the following folder: C:\ProgramData\Microsoft\Windows Defender\Definition Updates. It should contain a folder with a long alphanumeric name. Open it and right-click on mpengine.dll. Select Properties, switch to the Details tab, and check the product version. It should say 1.1.20200.4.
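The same check can be scripted, which also helps when the Details tab is not available. The PowerShell below is an added example, not part of the original article or of Microsoft's tooling; it assumes the default definitions path given above, and reading that folder may need an elevated prompt.

```powershell
# Added example: compare the installed Defender engine with the fixed
# version named in the article (1.1.20200.4).
$fixed = [version]'1.1.20200.4'
$root  = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Definition Updates'

# Every copy of mpengine.dll under the definitions folder (active, backup, default).
$engines = Get-ChildItem -Path $root -Recurse -Filter 'mpengine.dll' -File -ErrorAction SilentlyContinue

if (-not $engines) {
    Write-Warning "No mpengine.dll found under $root (Defender absent, or access denied)."
} else {
    $engines | ForEach-Object {
        $vi = $_.VersionInfo
        # Build the version from the numeric fields instead of parsing the display string.
        $v = [version]::new($vi.ProductMajorPart, $vi.ProductMinorPart,
                            $vi.ProductBuildPart, $vi.ProductPrivatePart)
        [pscustomobject]@{
            Folder         = $_.Directory.Name
            ProductVersion = $v
            HasFix         = ($v -ge $fixed)
            LastWriteTime  = $_.LastWriteTime
        }
    } | Sort-Object ProductVersion -Descending | Format-Table -AutoSize
}

# What the running service itself reports, when the Defender cmdlets are present.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    try {
        $status  = Get-MpComputerStatus -ErrorAction Stop
        $running = [version]$status.AMEngineVersion
        "Running engine : $running (fix present: $($running -ge $fixed))"
        "Platform (app) : $($status.AMProductVersion)"
    } catch {
        Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)"
    }
}
```

Older copies of the DLL in backup folders can show a lower version; the "Running engine" line is the one the service is actually using.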
Image credit: Bugzilla
It is worth noting that this patch only applies to Windows Defender, and not other antivirus programs, but some users have reported a similar issue with other security software such as Norton Antivirus. Mozilla is already working on more improvements to patch the issue with other security applications. (Refer: 1 and 2)
Have you noticed a similar issue on your PC? Did the update fix the issue?
Select Properties and switch to the Details tab, and check the product version. It should say 1.1.20200.4.
Hi, I don’t have “details tab”, it means I can not find this version, regards slawomir
Update from Mozilla engineer: https://www.reddit.com/r/firefox/comments/12hxqjl/comment/jfs5tvy/
I am shocked that Microsoft would do something so underhanded and dirty to a competitor browser. Shocked I tell you.
Doesn’t seem to be intentional on Microsoft’s part. The main issue is that Firefox is making too many calls to VirtualProtect, which IIUC, Defender will do a check every time a call is made to that function. While MS does deserve a bit of flak here for being overzealous with the checks (and thankfully they fixed that on their end), Mozilla still needs to fix their browser to not call VirtualProtect so many times in the first place.
I wonder if this also affects Thunderbird. Sometimes my computer will get slow when Thunderbird is open.
Weird. I’ve never seen it do anything to me. Only antivirus prog I run, and my CPU is pretty much always idle while browsing FF (except videos). – that process just uses 160 mb/s.
Too late, I uninstall my Windows Defender as soon as I’m done with installing Windows. It’s a bit tricky and slow, but it’s worth it to rid yourself of Microsoft’s malware.
I also found an effective way to uninstall Microsoft Edge and prevent it from reinstalling itself like malware.
It resides in a folder “C:\Program Files (x86)\Microsoft\”, so what I do is I uninstall it and delete this directory, then I create a new one called “Microsoft” on D:\ and go to Properties -> Security where I edit the permissions for the folder so nobody has access to the folder.
Then before I move it to “C:\Program Files (x86)\” I have to right click it and select “Take Ownership” and only then I can move it.
After restart, attempting to open the folder results in an error message “You don’t currently have permission to access this folder” and thus the malware that is Microsoft Edge can never reinstall itself on my computer.
Username checks out.
Which Antivirus and Browser do you use?
If you’re a standard user, stick to Windows Security. There is absolutely no need to install any other antivirus, or uninstall Windows Security for that matter. Read this if you want to get a little better performance out of it:
https://prod.support.services.microsoft.com/en-us/windows/options-to-optimize-gaming-performance-in-windows-11-a255f612-2949-4373-a566-ff6f3f474613
Really, an adblocker is all you need for additional security nowadays. uBlock is fine on its own, but you could go one step further and install Privacy Badger and/or NextDNS.
uBlock is a must have, no doubt about that, but 0 day exploits don’t care about uBlock. Ideally you would run Firefox inside Sandboxie to mitigate against those types of attacks and have uMatrix set up to block JavaScript by default. Keep safe browsing enabled and scan all downloads with VirusTotal. Additionally one would mitigate IP probing attacks by connecting to the internet through a VPN service. You also must practice due diligence to make sure your router is configured correctly and up to date to prevent network level attacks. The ultimate way to keep your system safe is to connect to a cloud browser and have your daily operating system running inside a virtual machine with Linux as the host.
@Rico,
Brave and Opera and Avira Free. I personally don’t rely on my antivirus for other than alerting me of files it has detected. Why I don’t like Windows Defender is because it does whatever it wants, sometimes it deletes my files or puts them in quarantine without any notification and I waste some time trying to figure out what happened, sometimes it doesn’t even want to restore my files from quarantine and I’m forced to disable it until I do what I intended to.
What I like about Avira is that as soon as it detects something, there is a notification in the lower right accompanied with a sound so I know what’s happening and if I want to restore the quarantined files, it works just fine.
For browsers, I keep installers for both Opera and Brave on my computer so when I reinstall Windows, I can install them without having to even open Edge just to download them.
Edge has become the new IE – the best browser for downloading other browsers.
I actually had hopes for Edge when it was in beta – it was really fast, lightweight and very promising, I had no idea Microsoft will bloat it so much and make it behave like malware.
@Anonymous,
Cope. xD
You are joking, right?
You uninstalled defender and willingly installed Avira Free???!!!!
The AV system with the pre-installed cryptominer Malware in it?
https://krebsonsecurity.com/2022/01/500m-avira-antivirus-users-introduced-to-cryptomining/#:~:text=NortonLifeLock%20announced%20Avira%20Crypto%20in,2021.
[Editor: removed, please stay polite]
Five years. Nice speed for improvement and good high computer engineering tasks.
Thanks @Ashwin for the article! :]