Windows Defender Antivirus Service causing CPU load spike

Question

We have a Windows 10 server which has under normal operating conditions, up to 150 open network connections. This is working in an industrial application maintaining control communication connections to a large array of physical machinery devices. The network configuration is such that each PC is physically connected to two switches to allow for a single switch failure, one NIC per switch. Each machinery device has two NIC's and the each is on a separate network segment. Choosing which path to communicate along is controlled by the industrial software on the device, effectively we have two separate networks, separate IP ranges. These are static-ip ranges and no DHCP is in use.

If we power off one switch to simulate failure, and test the fail-over control of the industrial software, we see a spike to 100% CPU load from the Windows Defender Antivirus Service. This lasts roughly 20s. Can anyone help us understand why the spike is occurring please?

These are non-domain devices, although there are Local GPO's defined, including Windows Defender Application Control. I'm not sure that's relevant but it seems worth mentioning.

Thanks!

Answer 1

Microsoft Defender will take actions and show such a behavior if there is abnormal behavior and I believe some of applications, drivers or networking activities seems to be suspicious or conflicting with the Microsoft Defender's engine. In case you know the location of your drivers or application, you may exclude them to test if it solved the issue.
In case you have access to internet, you may open the Feedback Hub app and report this issue , so the Windows team could investigate. You may use New-MpPerformanceRecording command in the PowerShell to collect data about performance issues in the Microsoft Defender. If you want to learn more about this command, have a look at:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus