
We have a Windows Server 2012 installation that we use as an internal web server. Most HTTP requests are very slow on this machine (about 15 seconds for a simple ASP.NET WebAPI request). We noticed that during a request, the process MsMpEng.exe's CPU usage is going to 50-90%.

MsMpEng.exe is Microsoft's Anti-Malware executable, included in Windows Defender, Forefront and Security Essentials. However, none of those products is installed on our server.

Where can we configure the Anti-Malware component of Windows Server 2012?

Jonas Sourlier

3 Answers


We analyzed the problem with Sysinternals ProcessMonitor, where we saw that MsMpEng.exe consumes much CPU time analyzing the log files of our web application (written by NLog).

Since we could not find a GUI to exclude the log files from MsMpEng.exe's real-time monitoring, we added it using regedit.exe.

The solution was to create a DWORD entry at

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

where the key of the entry is set to the full path of our log files (C:\inetpub\wwwroot\webapp\logs), and leaving the DWORD value at 0x00000000.

рüффп

You might find it under Endpoint Protection or System Center Endpoint Protection, there you can set excluded filetypes and such under settings.

Jim Wolff

If you need to do this via PowerShell (I'm using Windows Server Core 2022), this article has examples using the Add-MpPreference and Remove-MpPreference cmdlets, so you don't have to deal with registry permissions (I kept getting "Requested registry access is not allowed").


# Folder path exclusion
Add-MpPreference -ExclusionPath "C:\inetpub\wwwroot\webapp\logs" -Force

# File exclusion
Add-MpPreference -ExclusionPath "C:\inetpub\wwwroot\webapp\logs\log.log" -Force

# File type exclusion
Add-MpPreference -ExclusionExtension ".log" -Force

# Process exclusion
Add-MpPreference -ExclusionProcess "w3wp.exe" -Force

The Remove-MpPreference cmdlet takes the same arguments.

You can confirm the changes the same way with the registry contents:

dir 'HKLM:\Software\Microsoft\Windows Defender\Exclusions\'

Super helpful if you need to automate this.
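As an added example (not from any of the answers above), here is a script that applies the log-directory exclusion from the question idempotently and then reads the preference back instead of trusting the cmdlet's silence, which matters on hosts where tamper protection or Group Policy manages the exclusion lists. The log path is the one from the question; the function names are my own, and the script assumes an elevated session with the Defender PowerShell module present.

```powershell
# Added example: add the NLog directory exclusion idempotently and verify it.
# Assumes an elevated session and the Defender module (Get-/Add-MpPreference).
$LogDir = 'C:\inetpub\wwwroot\webapp\logs'   # path taken from the question

function Add-LogDirExclusion {
    param([Parameter(Mandatory)][string]$Path)

    # Normalise to an absolute path without a trailing backslash so the
    # comparison below matches the form Defender reports back.
    $Path = [System.IO.Path]::GetFullPath($Path).TrimEnd('\')

    $before = @((Get-MpPreference).ExclusionPath)
    if ($before -contains $Path) {      # -contains is case-insensitive
        Write-Verbose "Exclusion already present: $Path"
        return $true
    }

    Add-MpPreference -ExclusionPath $Path

    # Read the list back: a policy-managed or tamper-protected setting can
    # leave it unchanged without the cmdlet raising an error.
    $after = @((Get-MpPreference).ExclusionPath)
    return ($after -contains $Path)
}

function Show-DefenderExclusions {
    # Summarise all three exclusion lists so a reviewer can see how broad
    # the current configuration is.
    $p = Get-MpPreference
    [pscustomobject]@{
        Paths      = $p.ExclusionPath
        Extensions = $p.ExclusionExtension
        Processes  = $p.ExclusionProcess
    }
}

if (Add-LogDirExclusion -Path $LogDir -Verbose) {
    "Excluded: $LogDir"
} else {
    "Exclusion NOT applied for $LogDir (policy-managed or tamper-protected?)"
}
Show-DefenderExclusions | Format-List
```

Of the variants in the answer above, the single directory is the narrowest: `-ExclusionExtension ".log"` drops scanning for every .log file on the host and `-ExclusionProcess "w3wp.exe"` skips everything the IIS worker process opens, so both are better left out unless the directory exclusion alone does not fix the latency.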