Hey everyone,
I'm the only IT admin for a small company with around 50 users, and we've mainly been focused on developing a software product that we sell. Recently, we had to transition to Microsoft Defender due to an urgent situation, which means we're now fully integrated into the Microsoft Cloud ecosystem (using tools like Intune and Entra).
After some time, I got our setup to a decent place, but there's one persistent problem I can't seem to fix. Our in-house software, which is based on .NET and doesn't have a setup installer, has been running incredibly slowly, around five times slower than it used to be. It used to take about 10-15 seconds to start up, and now it's more like 1-2 minutes.
Though we digitally sign the code, which improved things a bit, it's still not enough. I believe the issue is related to Microsoft Defender flagging our application, especially since it loads numerous .dll files dynamically, which triggers excessive scanning from MsMpEng and/or Sense.
I've tried various solutions:
- Whitelisting directories
- Implementing a WDAC policy to mark all our filenames as trusted
- Exclusions for processes crucial to our build and runtime, like MSBuild and node.exe
Unfortunately, none of these have significantly improved the situation. After troubleshooting with Microsoft, their response was that this slowness is by design and there's not much I can do. I've even consulted with another company for additional help, but they've come up empty-handed as well. We did see slight performance improvements in a test setup where everything was digitally signed, but it's still not close to our previous performance.
I've noticed that the performance recordings show that starting the application triggers low fidelity alarms, and I'm unsure if fixing this will actually help with our performance issues.
Has anyone else faced similar problems? Should I consider removing Defender from our developer machines, or is there a workaround so that we don't compromise security for everyone else? Any thoughts or advice would be greatly appreciated!
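Before deciding whether to pull Defender from the dev boxes, it helps to see exactly what Defender is doing during the slow start-up. The script below is an added example (not something from the original post or from Microsoft's docs) that audits the AV exclusions and ASR rule state against the app folder and then uses the Defender performance analyzer cmdlets to capture a recording while the app launches. `C:\Apps\InHouseTool` and `Tool.exe` are placeholder paths; it assumes an elevated PowerShell on a machine with a recent Defender build (the `-Seconds` parameter of `New-MpPerformanceRecording` is assumed to be available).

```powershell
# Added example, not from the thread. Placeholders: $AppRoot / $AppExe point at the in-house app.
param(
    [string]$AppRoot = 'C:\Apps\InHouseTool',           # placeholder: folder holding the .exe and .dlls
    [string]$AppExe  = 'C:\Apps\InHouseTool\Tool.exe',  # placeholder: the slow-starting binary
    [string]$Trace   = "$env:TEMP\defender-startup.etl"
)

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# 1. Is the app folder actually covered by an AV path exclusion? (A parent folder counts.)
$covered = @($pref.ExclusionPath | Where-Object {
    $_ -and $AppRoot.StartsWith($_.TrimEnd('\'), 'OrdinalIgnoreCase')
})
"Real-time protection enabled : $($status.RealTimeProtectionEnabled)"
"Path exclusion covering app  : $(if ($covered) { $covered -join ', ' } else { 'NONE' })"
"Process exclusions           : $($pref.ExclusionProcess -join ', ')"

# 2. ASR rules in Block mode (action 1) are enforced regardless of AV path exclusions,
#    so a DLL-heavy launcher can still be inspected even when its folder is excluded.
$ids = @($pref.AttackSurfaceReductionRules_Ids)
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($pref.AttackSurfaceReductionRules_Actions[$i] -eq 1) {
        "ASR rule in block mode       : $($ids[$i])"
    }
}

# 3. Record Defender scan activity for 90 s and start the app a few seconds into the window.
#    (-Seconds is assumed to exist on this Defender build; older builds wait for a key press.)
$job = Start-Job { New-MpPerformanceRecording -RecordTo $using:Trace -Seconds 90 }
Start-Sleep -Seconds 5
Start-Process -FilePath $AppExe | Out-Null
Receive-Job -Job $job -Wait | Out-Null

# 4. Files, processes and extensions ranked by scan time. Any file under $AppRoot that
#    appears here is being scanned despite the exclusions listed in step 1.
Get-MpPerformanceReport -Path $Trace -TopFiles 15 -TopProcesses 5 -TopExtensions 5
```

Run it once on a machine with the current policy and once with the app folder excluded; the TopFiles list tells you whether the remaining cost comes from Defender scanning your DLLs or from something else entirely.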
4 Answers
Hey there! I totally feel your frustration. It sounds like your development team could optimize their processes a bit more. Have they looked into signing not only the installer but also the app and all associated .dlls? The low fidelity alerts might be due to the software lacking a good reputation because it’s in-house. Ensuring everything is signed could clear some of that up. Also, double-check if your exclusions cover all parts of Defender, including real-time scanning and ASR settings — just folder exclusions might not cut it!
You mentioned the old performance levels—you should try running your application on older Windows versions or even a machine without Defender to compare results. If it runs well without Defender, that insight can definitely help you make a case for your dev team to reconsider their setup. And on the coding side, how about looking into multithreading for loading your .dlls? It could drastically speed up your application launch time if not already implemented!
Right? I noticed a big difference when I implemented multithreading too. It’s something your developers should definitely explore further!
I can relate! You might also want to consider setting up Dev Drives, especially if you’re on Windows 11. They come with default exclusions from scanning and can perform better with ReFS instead of NTFS. The goal is to create a clean environment that's less interfered with by Defender. This might speed up your app and make life a bit easier for your dev team. Just make sure you push for packaging the software into installers for the production side too; it’d help enhance performance too.
Good call on the Dev Drives! I was hoping that you'd leverage that in your setup, but also remember to keep pushing for those signed installers—once your devs sort that out, you'll likely see big improvements.
Have you checked if you're running into issues with EDR (Endpoint Detection and Response)? You might need to navigate the Microsoft portal to enable EDR exclusions specifically. That could help out a lot since standard folder exclusions can sometimes miss the mark. And if your bad performance persists, setting up a non-Defender environment might help you pinpoint whether the issue really lies with Defender itself.
Yeah, didn’t realize until lately that EDR exclusions were a different beast. Definitely reach out to Microsoft about that — worth a shot if you’re running into these performance walls!
Yeah, I second this! Signing everything and creating thorough exclusions should be a priority. It really helps in reducing false positives and making things smoother.