How to monitor Windows Defender real time protection?

windows-10 windows-defender

I love how Microsoft made third party anti virus protection obsolete with Defender - it just works.

Unfortunately for me as a developer this sometimes means it works a bit too well, and slows down processes I know are secure - for example Gradle builds in Android Studio. I know I can exclude some files and processes from the scanning - but I don't actually know which ones to exclude. The UI of Android Studio? OpenJDK? My Android Emulator?

Some other anti virus product like Avira offered a view of files and programs that it scanned, even offering direct "exclude from scan" buttons.

Is there a way to monitor what real time protection is scanning, which files or processes are causing it to spin up and max my CPU?


You can do this using ProcMon from SysInternals: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

  1. Run ProcMon as administrator.
  2. Open the Filter (Filter > Filter...).
  3. Create a Filter where Process Name - is - MsMpEng.exe then Include.
  4. Click Add and OK.

Your list should now filter and you can view and log files the engine touches as it touches them.

Another tool that can add information to this process is Process Explorer, also from SysInternals: https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

Run ProcExp when you are running ProcMon and as you find entries in the ProcMon log that you suspect may be causing the slowness, find them in ProcExp's list of processes.

ProcExp shows applications in a hierarchical view ("tree view") that lists processes as parents and children. It also allows you to search for individual threads and in-use files and identify the process(es) that are using them.

However I think you're complicating the problem.

What you want to do first is identify and whitelist not each individual file being run in the SDKs and emulators, but the executables in the SDK and the emulators themselves that are running the files.

Do this first, and only proceed to whitelisting the individual files if the first step doesn't solve the problem.


Process Hacker can be used to view the files that are being scanned as well. Once installed, run the program as an Administrator, or click Show details for all processes in the Hacker dropdown menu.

From there, go to the Disk tab. All files that are being read or written to will be displayed; any file in that list that says it is being read by MsMpEng.exe (Defender's main executable) is being scanned. It's easier to see what is being scanned if you paste MsMpEng.exe into the search bar at the top right of the window and then click the File column to sort alphabetically, as this filters the list so that only the files being scanned by Defender appear.

Related

How to completely disable push notifications in Firefox?
Location of OpenSSH configuration file on Windows
Linux program to create a timeline diagram? [closed]
How to sign a PowerShell script easily?
What's the best way to share files between linux and windows 7 on a dual/multi boot computer?
How to make TAB work right in Command Window?
Is it possible to change the default encoding in notepad? [duplicate]
Finding out the time a filesystem was last mounted
Can you pull Excel data from an external (and dynamic) .csv file?
Mac Gnu-Screen doesn't load default .bash_profile
Echo text in a certain color in a shell script
How do I reload the terminal in Ubuntu?