Microsoft fixes 5 year old Windows Defender bug that affected Firefox's performance

Ashwin
Apr 7, 2023
Firefox

Microsoft has fixed a bug in Windows Defender that was leading to high CPU usage when Firefox was open. It only took the company 5 years to fix the issue.

Windows Defender bug was causing high CPU usage in Firefox

When Firefox was running, Windows Defender's Antimalware Service Executable would act up, causing its CPU usage to rise significantly. Many users said that the performance was so bad that their PCs would lag when using the browser. Some people compared the performance with other browsers such as Chrome and Edge, and found that it didn't affect them; the bug was limited to Firefox. The issue was reported on Bugzilla 5 years ago (May 2018). That means it was not restricted to Windows 11; it also affected Windows 10.

Mozilla's engineers narrowed down the issue to the Antimalware Service Executable, which is MsMpEng.exe (Microsoft Malware Protection Engine). They discovered that the executable was accessing sechost.dll to run ProcessTrace, i.e. it was processing ETW (Event Tracing for Windows) events from other processes. Essentially, it was generating far more ETW events than normal, and was using 5 times more CPU power to do this with Firefox as compared with Chrome and other browsers.

Further investigation shed light on the root cause: Windows Defender's real-time protection was invoking VirtualProtect several times. Mozilla's engineers worked with Microsoft's team to solve the problem. They came to the conclusion that the calls to VirtualProtect were abnormally high, which in turn caused the performance issue. Mozilla's team pointed out that disabling JIT (in about:config) mitigated the problem, but didn't solve the CPU usage issue completely. The bug was later addressed by Microsoft, when it released a beta version of Defender's engine (1.1.20200.2). The fix has been tested for a while, and has now been pushed to the stable channel of the antivirus definitions.

Windows Defender Firefox CPU usage before vs after bug fix

According to a comparison graph shared by a Mozilla engineer, Yannis Juglaret, the fix has a huge impact on the system's performance. There's nearly a 75% improvement, or should I say a 75% reduction in the CPU usage.

You don't need to do anything; the bug has been patched in the March 2023 update that was released on April 4th. It bumps the app's version number to 4.18.2302.x, and patches the Engine to version 1.1.20200.4. To be more specific, that is the version number of the mpengine.dll file. The fix is also being deployed for Windows 7 and 8.1 users, even though they were not affected by the problem.

How to check if you have the latest version of the DLL? Go to the following folder, C:\ProgramData\Microsoft\Windows Defender\Definition Updates. It should have a folder with a long alphanumeric name, open it, and right-click on mpengine.dll. Select Properties and switch to the Details tab, and check the product version. It should say 1.1.20200.4.
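The same check can be scripted. The PowerShell below is an added example, not part of the original article; it uses the folder path and fixed engine version stated above, plus the built-in Get-MpComputerStatus cmdlet, and the helper name Test-EngineVersion is made up for this example.

```powershell
# Added example: check whether Defender's engine (mpengine.dll) has reached the
# version the article names as containing the fix.
$FixedEngine = [version]'1.1.20200.4'   # engine version taken from the article
$UpdatesDir  = 'C:\ProgramData\Microsoft\Windows Defender\Definition Updates'  # path from the article

function Test-EngineVersion([string]$Raw) {
    # Hypothetical helper: parse defensively; an unparsable value counts as "not fixed".
    $v = $null
    if ([version]::TryParse($Raw, [ref]$v)) { return ($v -ge $FixedEngine) }
    return $false
}

# 1) On-disk copies. -Recurse avoids having to know the alphanumeric folder name.
#    Listing this directory may require an elevated prompt.
$copies = Get-ChildItem -LiteralPath $UpdatesDir -Filter 'mpengine.dll' -Recurse -File -ErrorAction SilentlyContinue
if (-not $copies) {
    Write-Warning "No mpengine.dll found under $UpdatesDir (access denied, or Defender not installed)."
}
$copies | ForEach-Object {
    [pscustomobject]@{
        Folder         = $_.Directory.Name
        ProductVersion = $_.VersionInfo.ProductVersion
        HasFix         = Test-EngineVersion $_.VersionInfo.ProductVersion
    }
} | Format-Table -AutoSize

# 2) The versions Defender itself reports.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
    [pscustomobject]@{
        AMProductVersion = $status.AMProductVersion   # platform ("app") version
        AMEngineVersion  = $status.AMEngineVersion    # engine version
        HasFix           = Test-EngineVersion $status.AMEngineVersion
    } | Format-List
} catch {
    Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)"
}
```

This also works when the file's Properties dialog does not show a Details tab, since the version is read directly from the file and from Defender's own status.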

Image credit: Bugzilla

It is worth noting that this patch only applies to Windows Defender, and not other antivirus programs, but some users have reported a similar issue with other security software such as Norton Antivirus. Mozilla is already working on more improvements to patch the issue with other security applications. (Refer: 1 and 2)

Have you noticed a similar issue on your PC? Did the update fix the issue?

Publisher
Ghacks Technology News

Comments

  1. slawomir said on April 12, 2023 at 5:27 pm

    How to check if you have the latest version of the DLL? Go to the following folder, C:\ProgramData\Microsoft\Windows Defender\Definition Updates. It should have a folder with a long alphanumeric name, open it, and right-click on mpengine.dll. Select Properties and switch to the Details tab, and check the product version. It should say 1.1.20200.4.

    Select Properties and switch to the Details tab, and check the product version. It should say 1.1.20200.4.
    Hi, I don’t have the “Details” tab, it means I cannot find this version. Regards, slawomir

  2. Alex said on April 11, 2023 at 6:44 pm
  3. Andy Prough said on April 9, 2023 at 12:10 am

    I am shocked that Microsoft would do something so underhanded and dirty to a competitor browser. Shocked I tell you.

    1. Job Bautista said on April 11, 2023 at 10:23 am

      Doesn’t seem to be intentional on Microsoft’s part. The main issue is that Firefox is making too many calls to VirtualProtect, which IIUC, Defender will do a check every time a call is made to that function. While MS does deserve a bit of flak here for being overzealous with the checks (and thankfully they fixed that on their end), Mozilla still needs to fix their browser to not call VirtualProtect so many times in the first place.

  4. Ed said on April 8, 2023 at 2:34 am

    I wonder if this also affects Thunderbird. Sometimes my computer will get slow when Thunderbird is open.

  5. aa said on April 8, 2023 at 12:15 am

    weird. i’ve never seen it do anything to me. only antivirus prog i run, and my cpu is pretty much always idle while browsing FF (except videos). – that process just uses 160 mb/s.

  6. CrazyHick7403 said on April 7, 2023 at 2:22 pm

    Too late, I uninstall my Windows Defender as soon as I’m done with installing Windows. It’s a bit tricky and slow, but it’s worth it to rid yourself of Microsoft’s malware.

    I also found an effective way to uninstall Microsoft Edge and prevent it from reinstalling itself like malware.

    It resides in a folder “C:\Program Files (x86)\Microsoft\”, so what I do is I uninstall it and delete this directory, then I create a new one called “Microsoft” on D:\ and go to Properties -> Security where I edit the permissions for the folder so nobody has access to the folder.

    Then before I move it to “C:\Program Files (x86)\” I have to right click it and select “Take Ownership” and only then I can move it.

    After restart, attempting to open the folder results in an error message “You don’t currently have permission to access this folder” and thus the malware that is Microsoft Edge can never reinstall itself on my computer.

    1. Anonymous said on April 7, 2023 at 6:17 pm

      Username checks out.

    2. Rico said on April 7, 2023 at 2:59 pm

      Which Antivirus and Browser do you use?

      1. Anon said on April 8, 2023 at 12:56 pm

        If you’re a standard user, stick to Windows Security. There is absolutely no need to install any other antivirus, or uninstall Windows Security for that matter. Read this if you want to get a little better performance out of it:

        https://prod.support.services.microsoft.com/en-us/windows/options-to-optimize-gaming-performance-in-windows-11-a255f612-2949-4373-a566-ff6f3f474613

        Really, an adblocker is all you need for additional security nowadays. uBlock is fine on its own, but you could go one step further and install Privacy Badger and/or NextDNS.

      2. nerdycreepo said on April 11, 2023 at 4:34 pm

        uBlock is a must-have, no doubt about that. But 0-day exploits don’t care about uBlock. Ideally you would run Firefox inside Sandboxie to mitigate against those types of attacks and have uMatrix set up to block JavaScript by default. Keep safe browsing enabled and scan all downloads with VirusTotal. Additionally one would mitigate IP probing attacks by connecting to the internet through a VPN service. You also must practice due diligence to make sure your router is configured correctly and up to date to prevent network level attacks. The ultimate way to keep your system safe is to connect to a cloud browser and have your daily operating system running inside a virtual machine with Linux as the host.

      3. CrazyHick7403 said on April 7, 2023 at 7:15 pm

        @Rico,

        Brave and Opera and Avira Free. I personally don’t rely on my antivirus for other than alerting me of files it has detected. Why I don’t like Windows Defender is because it does whatever it wants, sometimes it deletes my files or puts them in quarantine without any notification and I waste some time trying to figure out what happened, sometimes it doesn’t even want to restore my files from quarantine and I’m forced to disable it until I do what I intended to.

        What I like about Avira is that as soon as it detects something, there is a notification in the lower right accompanied with a sound so I know what’s happening and if I want to restore the quarantined files, it works just fine.

        For browsers, I keep installers for both Opera and Brave on my computer so when I reinstall Windows, I can install them without having to even open Edge just to download them.

        Edge has become the new IE – the best browser for downloading other browsers.

        I actually had hopes for Edge when it was in beta – it was really fast, lightweight and very promising, I had no idea Microsoft will bloat it so much and make it behave like malware.

        @Anonymous,

        Cope. xD

      4. Ravenid said on April 11, 2023 at 1:24 pm

        You are joking right?

        You uninstalled defender and willingly installed Avira Free???!!!!

        The AV system with the pre-installed cryptominer Malware in it?
        https://krebsonsecurity.com/2022/01/500m-avira-antivirus-users-introduced-to-cryptomining/#:~:text=NortonLifeLock%20announced%20Avira%20Crypto%20in,2021.

        [Editor: removed, please stay polite]

  7. John G. said on April 7, 2023 at 1:17 pm

    Five years. Nice speed for improvement and good high computer engineering tasks.
    Thanks @Ashwin for the article! :]
