How to monitor Windows Defender real time protection?

I love how Microsoft made third party anti virus protection obsolete with Defender - it just works.



Unfortunately for me as a developer this sometimes means it works a bit too well, and slows down processes I know are secure - for example Gradle builds in Android Studio. I know I can exclude some files and processes from the scanning - but I don't actually know which ones to exclude. The UI of Android Studio? OpenJDK? My Android Emulator?



Some other anti virus product like Avira offered a view of files and programs that it scanned, even offering direct "exclude from scan" buttons.



Is there a way to monitor what real time protection is scanning, which files or processes are causing it to spin up and max my CPU?







windows-10 windows-defender






asked Oct 5 '17 at 15:33
janpio

  • You should find out what process is responsible for the real time protection. Then you can monitor it with the performance monitor included in windows 10.

    – marsh-wiggle
    Oct 18 '17 at 17:09











  • Per the first answer this would be MsMpEng.exe - how could I monitor that with the included performance monitor?

    – janpio
    Oct 18 '17 at 20:56











  • performance monitoring: digital.ni.com/public.nsf/allkb/…

    – marsh-wiggle
    Oct 19 '17 at 6:32











  • Why don't you just exclude all the suspected folders? This will take much less time than analyzing file accesses.

    – harrymc
    Oct 19 '17 at 10:25











  • This might very well be the conclusion to draw at the end of this ;) (You might want to post it as an answer...)

    – janpio
    Oct 19 '17 at 10:49

2 Answers

You can do this using ProcMon from SysInternals: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

  1. Run ProcMon as administrator.
  2. Open the Filter (Filter > Filter...).
  3. Create a Filter where Process Name - is - MsMpEng.exe then Include.
  4. Click Add and OK.

Your list should now filter and you can view and log files the engine touches as it touches them.

Another tool that can add information to this process is Process Explorer, also from SysInternals: https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

Run ProcExp when you are running ProcMon and as you find entries in the ProcMon log that you suspect may be causing the slowness, find them in ProcExp's list of processes.

ProcExp shows applications in a hierarchical view ("tree view") that lists processes as parents and children. It also allows you to search for individual threads and in-use files and identify the process(es) that are using them.

However I think you're complicating the problem.

What you want to do first is identify and whitelist not each individual file being run in the SDKs and emulators, but the executables in the SDK and the emulators themselves that are running the files.

Do this first, and only proceed to whitelisting the individual files if the first step doesn't solve the problem.

edited Oct 19 '17 at 15:47
answered Oct 18 '17 at 17:09
music2myear

    • Awesome - and frightening. So much stuff... any other useful filter options? This only lists the files though, not the processes, correct? Any way to correlate this to CPU load of the process?

      – janpio
      Oct 18 '17 at 20:51













    • A process is a file in use, more or less. If you're looking for info on which processes you should whitelist, this will collect the necessary information for you. I don't see a simple way to view the CPU time involved in each process, though using Process Explorer (also from SysInternals) should help in that regard.

      – music2myear
      Oct 18 '17 at 20:55











    • I am not sure if I understand: I now have a list of files being accessed by this process. How do I go from the files to the process name to exclude? (unless it is obvious by the path of course)

      – janpio
      Oct 18 '17 at 20:59











    • Winword.exe is a file. It sits inside your Program Files. When you open a .doc file or click one of the various shortcuts to open Word, Winword.exe is opened and becomes a process. At that time, MsMpEng.exe grabs Winword.exe and checks it out and if the program passes the tests, it is allowed to run. If winword.exe was triggered by opening a .doc file, the AV also checks the .doc file.

      – music2myear
      Oct 18 '17 at 21:04






    • If you want to know the process (file in use) that is calling/running specific files, use Process Explorer and look for the file you see in the ProcMon logs in the ProcExp tree. This will show you which process called that file. You may want to check and see if it is more effective to exclude the processes that are running, or the files that are being called.

      – music2myear
      Oct 18 '17 at 21:18

Process Hacker can be used to view the files that are being scanned as well. Once installed, run the program as an Administrator, or click Show details for all processes in the Hacker dropdown menu.

From there, go to the Disk tab. All files that are being read or written to will be displayed; any file in that list that says it is being read by MsMpEng.exe (Defender's main executable) is being scanned. It's easier to see what is being scanned if you paste MsMpEng.exe into the search bar at the top right of the window and then click the File column to sort alphabetically, as this filters the list so that only the files being scanned by Defender appear.

edited Nov 9 '17 at 14:04
answered Oct 20 '17 at 16:00
MoonRunestar
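
Added example, not part of the original answers: a Python script that takes a ProcMon capture filtered on MsMpEng.exe as in the first answer, exported as CSV, and ranks the directories Defender reads most, so that any exclusion can be kept as narrow as possible. It assumes ProcMon's default English column set (Process Name, Operation, Path, Detail) and a `Length:` field in the ReadFile detail; the sample rows, the function name `rank_scanned_dirs` and all paths are constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample rows in the column layout of a ProcMon CSV export.
# Paths, PIDs and sizes are made up for this example.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000","MsMpEng.exe","3120","CreateFile","C:\Users\dev\.gradle\caches\modules-2\a.jar","SUCCESS","Desired Access: Generic Read"
"10:01:02.1000400","MsMpEng.exe","3120","ReadFile","C:\Users\dev\.gradle\caches\modules-2\a.jar","SUCCESS","Offset: 0, Length: 65,536, Priority: Normal"
"10:01:02.2000000","MsMpEng.exe","3120","ReadFile","C:\Users\dev\.gradle\caches\transforms-3\b.dex","SUCCESS","Offset: 0, Length: 131,072"
"10:01:02.3000000","MsMpEng.exe","3120","ReadFile","C:\Users\dev\AndroidStudioProjects\app\build\classes.dex","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.4000000","MsMpEng.exe","3120","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows Defender","SUCCESS","Type: REG_DWORD"
"10:01:02.5000000","java.exe","8844","WriteFile","C:\Users\dev\AndroidStudioProjects\app\build\classes.dex","SUCCESS","Offset: 0, Length: 4,096"
'''

# Assumption: ReadFile details carry "Length: <bytes>" with thousands separators.
LENGTH_RE = re.compile(r"Length: ([\d,]+)")


def rank_scanned_dirs(csv_text, process="MsMpEng.exe", depth=3):
    """Rank directories by how much `process` read from them.

    Events are grouped by the first `depth` directory components below the
    drive root. Returns a list of (directory, event_count, bytes_read),
    sorted by bytes read, then event count, both descending.
    """
    stats = defaultdict(lambda: [0, 0])  # directory -> [events, bytes_read]
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Ignore other processes in case the capture was saved unfiltered.
        if row["Process Name"].lower() != process.lower():
            continue
        path = PureWindowsPath(row["Path"])
        # Registry and other non-file paths have no drive component.
        if not path.drive:
            continue
        # parts[0] is the drive root, so keep depth + 1 components.
        key = str(PureWindowsPath(*path.parent.parts[: depth + 1]))
        entry = stats[key]
        entry[0] += 1
        if row["Operation"] == "ReadFile":
            match = LENGTH_RE.search(row["Detail"])
            if match:
                entry[1] += int(match.group(1).replace(",", ""))
    return sorted(
        ((d, events, size) for d, (events, size) in stats.items()),
        key=lambda item: (-item[2], -item[1], item[0]),
    )


if __name__ == "__main__":
    for directory, events, size in rank_scanned_dirs(SAMPLE_CSV):
        print(f"{size:>10} bytes  {events:>4} events  {directory}")
```

For a real export, pass the file's contents read with `encoding="utf-8-sig"`, which also handles a byte-order mark if the export has one, and raise `depth` to narrow the candidate directory.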





























