In case you have a performance issue with Microsoft Defender, you have to use New-MpPerformanceRecording
to analyze it.
You may have a look at:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus
There is no need to review that file.
Windows Defender Obfuscated Logs
Is it possible to de-obfuscate / read the following log files?
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results
\Quick
\Resource
\System
(this applies to both Server 2019 and Windows 10)
I am running into 2 scenarios where Defender is
a) Using enough CPU on a Hyper-V host that it briefly affects the VM performance
b) Locking an entire hard drive (not the OS drive) for an extended period while it reads the entire MFT. We know it is because we caught it in the act doing it sequentially with procmon.
Claire
2 answers
Reza-Ameri 17,341 Reputation points Volunteer Moderator
2022-07-19T15:49:57.28+00:00 -
Limitless Technology 39,926 Reputation points
2022-07-20T10:02:26.037+00:00
Hello
Thank you for your question and for reaching out. I understand you have a query related to Defender logs.
Right-click on the Start button and choose Event Viewer. Then navigate to Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational:
Logs Locations
C:\ProgramData\Microsoft\Windows Defender\Support\
C:\Users\All Users\Microsoft\Windows Defender\Support\
C:\Windows\Microsoft Antimalware\Support
C:\ProgramData\Microsoft\Windows Defender\Offline Scanner
-----------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept as answer--
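
The two answers above point to New-MpPerformanceRecording and to the Windows Defender Operational event log; the following added example (not part of either answer) combines them to see which scans and files line up with the CPU spike or disk lock. It assumes an elevated PowerShell session on the affected host, and `$recording` is an assumed output path.

```powershell
# Added example: correlate Defender scan activity with a performance problem.
# Assumption: run elevated on the affected host; $recording is any writable path.
$recording = Join-Path $env:TEMP 'defender-perf.etl'

# 1. Capture a performance recording. The cmdlet prompts you to press ENTER to
#    stop; reproduce the slowdown (or wait for the scan) before stopping it.
New-MpPerformanceRecording -RecordTo $recording

# 2. Summarize the recording: which processes, files, extensions and individual
#    scans cost Defender the most scan time during the capture window.
Get-MpPerformanceReport -Path $recording `
    -TopProcesses 10 -TopFiles 10 -TopExtensions 10 -TopScans 10

# 3. Pull scan lifecycle events from the Operational log named in the answer.
#    1000 = scan started, 1001 = scan finished, 1002 = scan stopped early.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1000, 1001, 1002
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 4. Show when the last scheduled scans ran, to compare against the time the
#    host slowed down or the data drive was locked.
Get-MpComputerStatus |
    Select-Object QuickScanStartTime, QuickScanEndTime,
                  FullScanStartTime, FullScanEndTime

# 5. Show the settings that govern scan CPU use and scheduling.
Get-MpPreference |
    Select-Object ScanAvgCPULoadFactor, ScanOnlyIfIdleEnabled,
                  DisableCpuThrottleOnIdleScans, ScanScheduleDay, ScanScheduleTime
```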