How to monitor Windows Defender real time protection?
I love how Microsoft made third party anti virus protection obsolete with Defender - it just works.
Unfortunately for me as a developer this sometimes means it works a bit too well, and slows down processes I know are secure - for example Gradle builds in Android Studio. I know I can exclude some files and processes from the scanning - but I don't actually know which ones to exclude. The UI of Android Studio? OpenJDK? My Android Emulator?
Some other anti virus product like Avira offered a view of files and programs that it scanned, even offering direct "exclude from scan" buttons.
Is there a way to monitor what real time protection is scanning, which files or processes are causing it to spin up and max my CPU?
You can do this using ProcMon from SysInternals: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
- Run ProcMon as administrator.
- Open the Filter (Filter > Filter...).
- Create a Filter where Process Name - is - MsMpEng.exe then Include.
- Click Add and OK.
Your list should now filter and you can view and log files the engine touches as it touches them.
Another tool that can add information to this process is Process Explorer, also from SysInternals: https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
Run ProcExp when you are running ProcMon and as you find entries in the ProcMon log that you suspect may be causing the slowness, find them in ProcExp's list of processes.
ProcExp shows applications in a hierarchical view ("tree view") that lists processes as parents and children. It also allows you to search for individual threads and in-use files and identify the process(es) that are using them.
However I think you're complicating the problem.
What you want to do first is identify and whitelist not each individual file being run in the SDKs and emulators, but the executables in the SDK and the emulators themselves that are running the files.
Do this first, and only proceed to whitelisting the individual files if the first step doesn't solve the problem.
Process Hacker can be used to view the files that are being scanned as well. Once installed, run the program as an Administrator, or click Show details for all processes
in the Hacker dropdown menu.
From there, go to the Disk tab. All files that are being read or written to will be displayed; any file in that list that says it is being read by MsMpEng.exe (Defender's main executable) is being scanned. It's easier to see what is being scanned if you paste MsMpEng.exe
into the search bar at the top right of the window and then click the File column to sort alphabetically, as this filters the list so that only the files being scanned by Defender appear.