New Update Microsoft fixes 5 year old Windows Defender bug that affected Firefox's performance

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
9,948

Windows Defender bug was causing high CPU usage in Firefox​


When Firefox was running, Windows Defender's Antimalware Service Executable would act up, causing its CPU Usage to rise significantly. Many users said that the performance was so bad that their PCs would lag when using the browser. Some people had compared the performance with other browsers such as Chrome and Edge, and found that it didn't affect them, the bug was limited to Firefox. The issue had been reported on Bugzilla 5 years ago (May 2018). That means it was not restricted to Windows 11, it also affected Windows 10.

Mozilla's engineers narrowed down the issue to the Antimalware Service Executable, which is Msmpeng.exe (Microsoft Malware Protection Engine). They discovered that the executable was accessing sechost.dll to run ProcessTrace, i.e. it was processing ETW (Event Tracing for Windows) from other processes. Essentially, it was generating way too many ETW events than normal, and was using 5 times more CPU power to do this with Firefox as compared with Chrome and other browsers.

Further investigations shed light on the root cause, Windows Defender's real-time protection was invoking VirtualProtect several times. Mozilla's engineers worked with Microsoft's team to solve the problem. They came to the conclusion that the calls to VirtualProtect were abnormally high, which in turn caused the performance issue. Mozilla's team pointed out that disabling JIT (in about:config) mitigated the problem, but didn't solve the CPU usage issue completely. The bug was later addressed by Microsoft, when it released a beta version of Defender's engine (1.1.20200.2). The fix has been tested for a while, and has now been pushed to the stable channel of the antivirus definitions.
You don't need to do anything, the bug has been patched in the March 2023 update that was released on April 4th. It bumps the app's version number to 4.18.2302.x, and patches the Engine to version 1.1.20200.4. To be more specific, that is the version number of the mpengine.dll file. The fix is also being deployed for Windows 7 and 8.1 users, even though they were not affected by the problem.

How to check if you have the latest version of the DLL? Go to the following folder, C:\ProgramData\Microsoft\Windows Defender\Definition Updates. It should have a folder with a long alphanumeric name, open it, and right-click on mpengine.dll. Select Properties and switch to the Details tab, and check the product version. It should say 1.1.20200.4.
 

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,614
This is the bug I was talking about in @oldschool's config:
At that time, I didn't know that it's a known 5 year old thing. Later I even commented in the bug that this happens to Norton & Symantec products also:
The issue still remains in Norton. I guess like Microsoft they also need to work with Mozilla to come to a solution but don't know how collaborative they are. They are pretty careless unless something affects Chrome.
It's a shame that it took Mozilla 5 years to fix it. The issue is still not over yet from Firefox's side as another bug report has been opened immediately after closing the previous one to continue the work:
 

plat

Level 29
Top Poster
Sep 13, 2018
1,799
When I had this issue eons ago (cpu--10+% in Firefox--expected was 0% when idle), I blamed it on Sandboxie. Even the developer was looking into it.

Defender...sheesh. :rolleyes:

Wow--old post.


Thanks for this interesting news! We should be blaming Defender for everything more often (no, not really 😬).
 

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
9,948
From my point of view it’s rather a shame for both Mozilla AND Microsoft. When same issue would happen on Edge or Chrome, probably would be fixed by Microsoft within a few weeks 😉
I never had a similar issue with Firefox while using other 3rd party AVs, although honestly I have to admit never used Norton as my AV 🤷‍♂️

Thanks @SeriousHoax for inform us about this other report on bugzilla. Hopefully, that might be fixed earlier 🤨
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top