Windows Defender - Real time scan - SharePoint Server 100% CPU

Brijendra Gautam 66 Reputation points
2023-09-27T15:56:01.3933333+00:00

For a couple of days, Antimalware Service Executable has been consuming approx. 50% CPU, and together with w3wp.exe the server is running at 100% CPU.

Real-time protection is configured in Windows Defender Service and now it's scanning each and every request from SharePoint Request.

We have tried disabling Real-time protection: Antimalware Service went down to 0% after disabling it, but after enabling it again it goes back up to 50%.

I tried to collect the stats with and collected the processes:

```
New-MpPerformanceRecording -RecordTo "Recording.etl"
```

and the processes show that requests from SharePoint Server 2019 are scanned.

And TopScan shows all the response files are scanned, including CSS, images, JavaScript files etc.

But the Process Name column is empty in the above screenshot for SharePoint Server requests.

We tried to configure Web Server Exclusion but no luck: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus?view=o365-worldwide#web-server-exclusions

Configured wildcard exclusion for exes in SharePoint hive but no luck: "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\BIN*.exe".

Configured "SharePoint Server 2019" as a process in exclusion but it didn't work.

Does anyone know how to configure SharePoint Server requests in Windows Defender exclusion for Real-time scan? What will be the process name to configure for exclusion?


4 answers

  1. RaytheonXie_MSFT 40,471 Reputation points Microsoft External Staff
    2023-09-28T06:05:57.6333333+00:00

    Hi @Brijendra Gautam,

    The exclusion you provided is for Windows Server but not for SharePoint. The following is a list of suggested locations to exclude from your scanner. Remember, this is merely a suggestion, so use at your own risk!

    https://support.microsoft.com/en-us/office/certain-folders-may-have-to-be-excluded-from-antivirus-scanning-when-you-use-file-level-antivirus-software-in-sharepoint-01cbc532-a24e-4bba-8d67-0b1ed733a3d9?ui=en-us&rs=en-us&ad=us




  2. Luke 50 Reputation points
    2023-09-28T09:14:47.23+00:00

    It's essential to configure Windows Defender Antivirus exclusions correctly for SharePoint Server to optimize performance.

    1. Excluding File Types and Directories:
      • Exclude specific file extensions used by SharePoint, such as .bak, .ldf, .mdf, .log, .xml, etc. For example, add `*.bak;*.ldf;*.mdf;*.log;*.xml` to your exclusion list.
      • Exclude SharePoint-related directories, such as:
        - `C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions`
        - `C:\Program Files\Microsoft Office Servers`
        - `C:\Inetpub\wwwroot\wss\VirtualDirectories`
    2. Excluding SharePoint Services Processes:
      • Identify SharePoint processes like w3wp.exe (IIS worker process) and processes with names like Microsoft SharePoint Foundation Web Application.
      • Add the executable names (e.g., w3wp.exe) to the exclusion list for Antimalware.
    3. Testing and Monitoring:
      • After configuring exclusions, closely monitor CPU usage and SharePoint's functionality to ensure they're not negatively impacted.

    Hope this helps!


  3. Brijendra Gautam 66 Reputation points
    2023-10-03T07:58:59.3+00:00

    Finally found the problem source and solution: it originated from the September SharePoint patch, in which the "SharePoint Server Antimalware Scanning" feature was automatically enabled on all the web applications. This was causing Antimalware Service Executable to scan each and every incoming and outgoing file served from IIS, and was consuming CPU.

    https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/configure-amsi-integration

    So, I've disabled it on the web application and it resolved the problem.

    And finally I've removed all the exceptions set during my troubleshooting (mentioned in question and comment) and it's still working as expected.
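
A follow-up check for the two states this thread ends up depending on: whether the "SharePoint Server Antimalware Scanning" feature is active per web application, and which Defender exclusions are still in place after troubleshooting. This is an added example, not part of any post in the thread; the function names are hypothetical, and the feature ID is a required parameter to be copied from the linked AMSI documentation rather than hard-coded here.

```powershell
# Added example. Run elevated on a SharePoint Server 2019 farm member
# (Get-MpPreference hides exclusions from non-administrators).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-AmsiFeatureState {
    param(
        # Feature ID of "SharePoint Server Antimalware Scanning", taken from the
        # AMSI integration documentation linked in the answer above.
        [Parameter(Mandatory)] [guid] $AmsiFeatureId
    )
    foreach ($wa in Get-SPWebApplication) {
        # Get-SPFeature returns the feature only when it is active at this scope.
        $feature = Get-SPFeature -Identity $AmsiFeatureId -WebApplication $wa.Url `
                                 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            WebApplication = $wa.Url
            AmsiScanning   = [bool]$feature
        }
    }
}

function Get-DefenderExclusionReview {
    # Flatten the three Defender exclusion lists into one reviewable table.
    $pref  = Get-MpPreference
    $lists = @{
        Path      = $pref.ExclusionPath
        Process   = $pref.ExclusionProcess
        Extension = $pref.ExclusionExtension
    }
    foreach ($kind in $lists.Keys) {
        foreach ($value in $lists[$kind]) {
            if (-not $value) { continue }
            [pscustomobject]@{
                Kind  = $kind
                Value = $value
                # Mark entries that remove scanning broadly: any extension
                # exclusion, wildcard entries, and the IIS worker process.
                Broad = ($kind -eq 'Extension') -or
                        ($value -match '[*?]') -or
                        ($value -match '(?i)w3wp\.exe$')
            }
        }
    }
}

# Usage:
#   Get-AmsiFeatureState -AmsiFeatureId '<feature ID from the linked documentation>'
#   Get-DefenderExclusionReview | Sort-Object Broad -Descending | Format-Table -AutoSize
```

Entries marked `Broad` are the ones to remove or narrow first, since they stop real-time scanning for every file of that type or every file the IIS worker process touches.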


  4. RaytheonXie_MSFT 40,471 Reputation points Microsoft External Staff
    2023-10-05T07:53:01.19+00:00

    Hi @Brijendra Gautam,

    I'm glad to hear you solved the problem. If you have any issue with SharePoint, you are welcome to raise a ticket in this forum.

    By the way, since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others." and according to the scenario introduced here: Answering your own questions on Microsoft Q&A, I would make a brief summary of this thread:

    [Windows Defender - Real time scan - SharePoint Server 100% CPU]

    Issue Symptom:

    SharePoint Server 100% CPU usage

    Solution:

    It originated from the September SharePoint patch, in which the "SharePoint Server Antimalware Scanning" feature was automatically enabled on all the web applications. This was causing Antimalware Service Executable to scan each and every incoming and outgoing file served from IIS, and was consuming CPU.

    https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/configure-amsi-integration

    Disabled it on the web application and it resolved the problem.


    You could click the "Accept Answer" button for this summary to close this thread, and this can make it easier for other community members to see the useful information when reading this thread. Thanks for your understanding!
