This article explains the considerations and best practices for running full antivirus scans with Next-Gen Antivirus with XTP. This article outlines factors that impact scan performance and describes scenarios where increased resource consumption results in increased protection efficacy.
1. Overview
2. Protection efficiency and performance impact
3. Best practices and considerations
4. Scanning and throttling
5. Scanning and exclusions
OVERVIEW
However, you might have to run full scans to meet your organization's specific requirements. A full scan starts with a quick scan, and then continues with a sequential file scan of all mounted fixed, removable, and network drives. A full scan can last from several hours to several days, depending on the volume of content, the type of content, and the resources that Next-Gen Antivirus has been allocated to perform the scan. Scan time isn't solely a function of file size; it is determined mostly by the type and complexity of the content.
PROTECTION EFFICIENCY AND PERFORMANCE IMPACT
Device performance is highly dependent on your environment. Naturally, running a full scan on a device with lots of complex content would lead to an increased time to completion. The following table summarizes scenarios where we've made decisions to use more system resources to increase our protection efficiency.
| Setting | Default | Details |
|---|---|---|
| Archive/container (for example, ISOs) scanning | Enabled | Next-Gen Antivirus is optimized to minimize the scan time of a single object. Containers can hold many objects, and scanning them may take longer than expected because each item must be extracted from the container before it is scanned. |
| Max size of archive scanning | Unlimited | No upper size limit is applied; archives of any size are extracted and scanned. |
| Mapped network drives (for example, UNC, SMB, CIFS) | Enabled | By default, Next-Gen Antivirus scans mapped network drives. |
| OneDrive sync | Enabled | By default, Next-Gen Antivirus scans Desktop, Documents, and Downloads folders that are synchronized via OneDrive or folder sync. |
| Client-side cache/offline files | Enabled | By default, Next-Gen Antivirus scans the client-side cache (offline files). |
| Scan average CPU load factor | 50 | See the Scanning and throttling section of this article. |
IMPORTANT
- If real-time protection is turned on, files are scanned before they are accessed and executed. Scanning occurs regardless of where the files are located.
- Actual CPU usage may vary depending on the number of CPU cores, I/O performance, memory pressure, etc. Limiting CPU usage can cause full scans to take longer to complete, so customers should fine-tune this value depending on the actual CPU usage values obtained in their specific environment.
BEST PRACTICES AND CONSIDERATIONS
Device performance is an important factor in the rate of security event processing and the speed of file, network, and scan activities. The more events the antivirus scanner has to process, the greater its performance impact. Different antivirus configurations affect both performance and protection. The following are Microsoft's recommendations:
FULL SCANS
- Configuring scan policies based on device type and role, for example, SQL Server Collection, IIS Server Collection, Domain Controller, Exchange Server, etc., is recommended.
- Avoid using domain controllers in a file server role. This lowers antivirus scanning activities on file shares and minimizes performance overhead.
- The antivirus engine has the file hash computation feature that computes file hashes for every executable file that is scanned if it wasn't previously computed. This has a performance cost, especially when copying large files from a network share.
- The full scan performance can be impacted by CPU throttling. Our recommendation is to leave CPU limit settings at the default.
IMPORTANT
- By design, the antivirus engine inspects the internal content type, as file extensions are often misleading and can be easily spoofed by attackers.
- The scanning performance is heavily dependent on the actual content type that is being scanned. In general, more complex file types require more time and cycles, while more unusual content types require even more time (e.g., JavaScript files).
- The performance analyzer tool helps determine files, file extensions, and processes that might be causing performance issues on individual endpoints during antivirus scans. If you are running Next-Gen Antivirus with XTP and experiencing performance issues, you can use the performance analyzer to optimize performance (see Performance analyzer for Microsoft Defender Antivirus).
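The following script is an added example (not Heimdal's or Microsoft's code) of the workflow described above: record antivirus activity with the performance analyzer while a full scan runs, then report the files, extensions, processes, and individual scans that consumed the most time. It assumes the endpoint runs Microsoft Defender Antivirus platform 4.18.2108.7 or later (which ships the New-MpPerformanceRecording and Get-MpPerformanceReport cmdlets), an elevated PowerShell session, and a placeholder recording path.

```powershell
# Added example, not Heimdal's or Microsoft's code: find what dominates scan time on one endpoint.
# Assumes Microsoft Defender Antivirus platform 4.18.2108.7 or later and an elevated session.
# $recording is a placeholder path.

$recording = 'C:\ProgramData\ScanPerf\full-scan.etl'
New-Item -ItemType Directory -Path (Split-Path $recording) -Force | Out-Null

# Step 1 (interactive): start the recording; it keeps running until you press ENTER.
# Reproduce the slow activity meanwhile, for example from a second console:
#     Start-MpScan -ScanType FullScan
# then stop the recording once the scan has finished.
# New-MpPerformanceRecording -RecordTo $recording

# Step 2: summarise the recording. -MinDuration drops scans shorter than the threshold so only the
# expensive ones are listed; -TopScans shows individual scan operations with their duration.
Get-MpPerformanceReport -Path $recording `
    -TopFiles 10 -TopExtensions 10 -TopProcesses 10 -TopScans 10 -MinDuration 100ms

# Step 3: treat the top entries as candidates for role-based scan policy or exclusions, not as an
# automatic exclusion list. Confirm each path belongs to a trusted workload before excluding it.
```

Run the recording and the scan on the same endpoint; the report is only meaningful for the content that was actually scanned while the recording was active.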
SCANNING AND THROTTLING
The CPU usage limit, also known as CPU throttling, sets the maximum CPU usage for Next-Gen Antivirus on-demand scans. The CPU throttling setting is enabled by default and applies only to scheduled scans, and optionally to custom scans as well. It's recommended to fine-tune this setting, depending on the actual CPU usage values obtained in your specific environment. You can change the CPU throttling value in the HEIMDAL Dashboard -> Endpoint Settings -> Your GP -> Endpoint Detection -> Next-Gen Antivirus.
The CPU load factor for the antivirus engine isn't a hard limit but rather guidance for the scanning engine to not exceed this maximum. For this scan policy setting, you can specify a value as a percentage of the maximum CPU utilization during scan. The value of 0 or 100 indicates no throttling. For instance, if this value is reduced to 20, it implies that the scanning engine aims to keep the average CPU load of the system below 20% during the scan, and it takes longer to be completed.
- If you set the percentage value to 0 or 100, CPU throttling is disabled, and Windows Defender can use up to 100% of CPU during the scheduled and custom scans. This isn't recommended as it can lead to unresponsive apps and even overheating, so proceed with extreme caution.
- Changing the value has both pros and cons. Higher values mean the scans perform faster; however, it could slow down your system during the scan, while lower values mean the scan takes longer to finish, but you have more CPU resources available for your system during the scan. For instance, if you're running critical workloads on a server, this setting should be set to a value that doesn't interfere with the functioning of the workloads.
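Because the load factor is guidance rather than a hard cap, and because actual usage depends on core count and I/O, the only reliable way to tune it is to measure. The script below is an added example (not Heimdal's or Microsoft's code) that reads the configured load factor, runs a scan, samples the antivirus engine's CPU share normalised to the whole system, and reports whether the average stayed under the factor. It assumes the endpoint runs the Microsoft Defender Antivirus engine (MsMpEng.exe and the *-Mp* cmdlets) in an elevated PowerShell session.

```powershell
# Added example, not Heimdal's or Microsoft's code: measure the engine's real CPU share during a scan
# and compare it with ScanAvgCPULoadFactor. Assumes the Microsoft Defender Antivirus engine
# (MsMpEng.exe, Get-MpPreference, Start-MpScan) and an elevated session.

$pref   = Get-MpPreference
$factor = [int]$pref.ScanAvgCPULoadFactor
$cores  = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors
"ScanAvgCPULoadFactor = $factor (0 or 100 means no throttling); logical processors = $cores"

# The load factor applies to scheduled scans by default. Start-MpScan is a custom (on-demand) scan,
# so the usage measured here only reflects throttling where custom scans are throttled as well.
$job = Start-MpScan -ScanType QuickScan -AsJob   # use FullScan to profile a real full scan (can take hours)

$samples = New-Object System.Collections.Generic.List[double]
while ($job.State -eq 'Running') {
    # '% Processor Time' for a process is summed across cores (0..100*$cores); divide by the core
    # count to express it as a percentage of the whole system, which is what the load factor means.
    $counter = Get-Counter '\Process(MsMpEng)\% Processor Time' -ErrorAction SilentlyContinue
    if ($counter) {
        $samples.Add([math]::Round($counter.CounterSamples[0].CookedValue / $cores, 1))
    }
    Start-Sleep -Seconds 2
}
Remove-Job $job -Force

if ($samples.Count -gt 0) {
    $avg = ($samples | Measure-Object -Average).Average
    $max = ($samples | Measure-Object -Maximum).Maximum
    "{0} samples: MsMpEng averaged {1:N1}% of total CPU, peak {2:N1}%" -f $samples.Count, $avg, $max
    if ($factor -eq 0 -or $factor -eq 100) {
        "Throttling is disabled; the engine may use all available CPU."
    } elseif ($avg -gt $factor) {
        "Average exceeded the load factor: the factor is guidance to the engine, not a hard cap."
    } else {
        "Average stayed below the configured load factor."
    }
}
```

Compare the reported average and peak with the headroom your workloads need. If the peak is what hurts (for example a latency-sensitive service), lower the factor in steps and re-measure; if the scan window is what matters, raise it and accept the shorter, heavier scan.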
SCANNING AND EXCLUSIONS
The antivirus engine has a built-in optimization for content that is highly reputable (for example, signed by trusted sources). When it encounters such content, it skips content scanning and instead validates the signature to ensure the file wasn't tampered with.
Excluding certain locations from scanning can shorten the scan time. There are two types of exclusions: process exclusions and file/folder exclusions. Only file/folder exclusions apply to full scans. Scan exclusions should be developed carefully to reduce scan time while minimizing risk.
- Don't exclude compressed files if disallowed by your compliance requirements.
- Don't exclude the User Profile temp folder or the System temp folder, which are commonly used by malware:
  - C:\Users\<UserProfileName>\AppData\Local\Temp\
  - C:\Users\<UserProfileName>\AppData\LocalLow\Temp\
  - C:\Users\<UserProfileName>\AppData\Roaming\Temp\
  - %Windir%\Prefetch
  - %Windir%\System32\Spool
  - C:\Windows\System32\CatRoot2
  - %Windir%\Temp
- The use of environment variables as a wildcard in exclusion lists is limited to system variables only. Don't use user-scoped environment variables when adding folder and process exclusions.
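The two rules above (never exclude the listed temp and system folders, and never use user-scoped environment variables in exclusions) are easy to violate over time as exclusions accumulate. The script below is an added example (not Heimdal's or Microsoft's code) that audits a list of file/folder exclusions against both rules: it expands only machine-scope variables such as %Windir%, flags any exclusion that is one of the never-exclude locations, lies inside one, or is a parent folder that would swallow one, and flags user-scoped variables that the engine does not expand. It assumes the endpoint runs Microsoft Defender Antivirus (Get-MpPreference) in an elevated session; the sample exclusion list is constructed for the demonstration.

```powershell
# Added example, not Heimdal's or Microsoft's code: audit path exclusions against the never-exclude
# folders listed above and flag user-scoped environment variables. Assumes Microsoft Defender Antivirus
# (Get-MpPreference) and an elevated session. $sampleExclusions is a constructed list.

$neverExclude = @(
    'C:\Users\*\AppData\Local\Temp',
    'C:\Users\*\AppData\LocalLow\Temp',
    'C:\Users\*\AppData\Roaming\Temp',
    '%Windir%\Prefetch',
    '%Windir%\System32\Spool',
    'C:\Windows\System32\CatRoot2',
    '%Windir%\Temp'
)
# User-scoped variables are not expanded in exclusion lists, so an entry using them does not match anything.
$userScopedVars = @('%USERPROFILE%', '%APPDATA%', '%LOCALAPPDATA%', '%TEMP%', '%TMP%', '%HOMEPATH%', '%HOMEDRIVE%')

function Expand-SystemVariables {
    # Expand only machine-scope variables (e.g. %Windir% -> C:\Windows); leave user-scoped ones as they are.
    param([string]$Path)
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        $value = [Environment]::GetEnvironmentVariable($m.Groups[1].Value, 'Machine')
        if ($value -and ($script:userScopedVars -notcontains $m.Value)) { $value } else { $m.Value }
    }
    [regex]::Replace($Path, '%(\w+)%', $evaluator).TrimEnd('\')
}

function Test-ExclusionList {
    param([string[]]$Exclusions)
    $risky = $neverExclude | ForEach-Object { Expand-SystemVariables $_ }
    foreach ($exclusion in $Exclusions) {
        foreach ($var in $userScopedVars) {
            if ($exclusion -like "*$var*") {
                [pscustomobject]@{ Exclusion = $exclusion; Issue = "uses user-scoped variable $var, which is not expanded" }
            }
        }
        $path = Expand-SystemVariables $exclusion
        foreach ($bad in $risky) {
            # Flag when the exclusion is the risky folder itself, lies inside it, or is a parent that covers it.
            if ($path -like $bad -or $path -like "$bad\*" -or $bad -like "$path\*") {
                [pscustomobject]@{ Exclusion = $exclusion; Issue = "covers never-exclude location $bad" }
                break
            }
        }
    }
}

# Constructed sample, not taken from a real endpoint
$sampleExclusions = @(
    'C:\Users\alice\AppData\Local\Temp',   # a user temp folder
    '%USERPROFILE%\Downloads',             # user-scoped variable
    '%Windir%\Temp\installer.log',         # file inside the system temp folder
    'C:\Windows',                          # parent of several never-exclude folders
    'D:\SQLData'                           # legitimate workload exclusion, should pass
)
Test-ExclusionList -Exclusions $sampleExclusions | Format-Table -AutoSize

# On a live endpoint, audit the exclusions that are actually configured:
# Test-ExclusionList -Exclusions (Get-MpPreference).ExclusionPath | Format-Table -AutoSize
```

On the constructed sample the first four entries are reported and only D:\SQLData passes. Because exclusions may be pushed from central policy, run the live check on a representative endpoint of each device role rather than assuming the dashboard configuration is what the engine applies.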