Proposal: Restore the Defender tab in WPA - AntiMalware.regions.xml

[rayfo]

I propose to restore the Defender View Profile for WPA, including the Regions-of-Interest file: AntiMalware.regions.xml

BACKGROUND

• MSO-Scripts already enables Defender ETW providers which are public. Run: WPR -providers | findstr Antimalware See WPRP\Defender.wprp
• MSO-Scripts offers no direct way to visualize these public providers.
• The original MSO-Scripts included a WPA Profile for Defender: Internal\WPAP\Defender.wpaProfile and AntiMalware.regions.xml
• I deleted the Internal folder from the project.

HOW IT WORKS

• Defender events can be nominally viewed as Generic Events.
• The Defender events already contain human readable Task Names and Field Names such as: _AMFilterFileScan, _AMFilterCacheHit, etc.
• The Defender View Profile adds a Regions-of-Interest file: AntiMalware.regions.xml This organizes the Defender events into Begin/End pairs with friendly names which can be charted and tabled.

PROPOSAL

• It would be helpful to MS customers to understand when Defender activity impacts performance.
• Let's review and bring back Defender.wpaProfile and AntiMalware.regions.xml

[Leonid-Zakharov]

I agree that Defender information may be very useful for understanding performance issues and, for this reason, I support brining back Defender.wpaProfile and AntiMalware.regions.xml.

[rayfo]

More info on tracing Defender: AntiMalware.regions.xml has regions-of-interest for the following providers: 4ee76bd8-3cf4-44a0-a0ac-3937643e37a3 Microsoft-Windows-CodeIntegrity 8e92deef-5e17-413b-b927-59b2f06a3cfc Microsoft-Antimalware-RTP 0a002690-3839-4e3a-b3b6-96d8df868d99 Microsoft-Antimalware-Engine 751ef305-6c6e-4fed-b847-02ef79d26aef Microsoft-Antimalware-Service cfeb0608-330e-4410-b00d-56d8da9986e6 Microsoft-Antimalware-AMFilter (adding) 68621c25-df8d-4a6b-aabc-19a22e296a7c Microsoft-Antimalware-Engine-Instrumentation (adding / expensive!) 65a1b6fc-4c24-59c9-e3f3-ad11ac510b41 Microsoft.Windows.Sense.Client (adding)

NOTES:

• Microsoft-Antimalware-AMFilter
  • This ETW provider is publicly visible as a registered provider on a default Win10/11 install.
  • This provider needs to be added to the current Defender.wprp .
• Microsoft-Antimalware-Engine-Instrumentation
  • This ETW provider is publicly visible as a registered provider on a default Win10/11 install.
  • This is the most expensive of the 7 providers listed above.
  • This provider needs to be added to the current Defender.wprp .
• Microsoft.Windows.Sense.Client
  • This traces Microsoft Defender for Endpoint (generally for institutional clients)
  • This is a TraceLogging provider, and therefore it is not publicly visible via list of registered providers: WPR -Providers
  • This ETW Provider is publicly revealed in Microsoft's Defender for Endpoint client analyzer script-set, in: .\tools\SenseW10.wprp Download: https://aka.ms/MDEAnalyzer
  • This provider needs to be added to the current Defender.wprp . (It was in the original Internal\Defender.wprp)

[rayfo]

I have restored: .\WPAP\Defender.wpaProfile and AntiMalware.regions.xml

I created a new WPR Profile "AntiMalware" within .\WPRP\Defender.15002.wprp . It is tailored for the restored Regions-of-Interest file AntiMalware.regions.xml, plus a couple of particularly useful events. (I also updated the "DefenderFull" profile therein to contain a superset of these events.)

The profile "AntiMalware.Light" traces the following ETW Providers / Events:

  Microsoft.Windows.Sense.Client {65a1b6fc-4c24-59c9-e3f3-ad11ac510b41}     <all events>

  Microsoft-Antimalware-Engine {0a002690-3839-4e3a-b3b6-96d8df868d99}     1    ScanRequest - Start     2    ScanRequest - Stop     5    StreamScanRequest - Start     6    StreamScanRequest - Stop     30  UfsScanFile - Start     31  UfsScanFile - Stop     32  UfsScanProc - Start     33  UfsScanProc - Stop     43  ExpensiveOperation - Start     67  ExpensiveOperation - Stop

  Microsoft-Antimalware-AMFilter {cfeb0608-330e-4410-b00d-56d8da9986e6}     9    FileScan - Start     11  FileScan - Result

  Microsoft-Antimalware-RTP {8e92deef-5e17-413b-b927-59b2f06a3cfc}     23  DlpPerfOperation - Start     24  DlpPerfOperation - Stop     27  RTPFileScanResult - Useful

  Microsoft-Antimalware-Service {751ef305-6c6e-4fed-b847-02ef79d26aef}     1  ServiceOnDemand - Start     2  ServiceOnDemand - Stop

  Microsoft-Windows-CodeIntegrity {4ee76bd8-3cf4-44a0-a0ac-3937643e37a3}     3007  PageHashFoundInImageCertificate - Useful     3011  LoadCatalog - Stop     3012  LoadCatalog - Start     3013  ReloadCatalogs - Start     3014  ReloadCatalogs - Stop     3015  ValidateFileHash - Start     3016  ValidateFileHash - Stop     3017  ValidatePageHash - Start     3018  ValidatePageHash - Stop     3038  ValidateImageHeader - Start     3039  ValidateImageHeader - Stop     3040  GetFileCache - Start     3041  GetFileCache - Stop     3042  SetFileCache - Start     3043  SetFileCache - Stop

The profile "Antimalware.Verbose" adds the following, very expensive ETW Provider. (It reveals expensive Defender behavior.)

  Microsoft-Antimalware-Engine-Instrumentation {68621c25-df8d-4a6b-aabc-19a22e296a7c}     1  DataDrivenSignature - Start     2  DataDrivenSignature - Stop

To confirm this, run:   WPR -ProfileDetails ".\WPRP\Defender.15002.wprp!AntiMalware.Light" -FileMode   WPR -ProfileDetails ".\WPRP\Defender.15002.wprp!AntiMalware.Verbose" -FileMode   WPR -ProfileDetails ".\WPRP\Defender.15002.wprp!DefenderFull" -FileMode

(Note that when Defender.wprp is specified in the script, Defender.15002.wprp will be loaded if it's WPR v10.15002+ .)

[rayfo]

I have changed the tracing scripts to refer to: .\WPRP\Defender.wprp!AntiMalware.Light   TraceCPU, TraceFileDiskIO, TraceMondo, TraceOffice, TraceOutlook, BETA\TraceEdgeChrome

These are the events from !AntiMalware.Light that I'm able to produce on my Win11 Service device at home:

  Microsoft.Windows.Sense.Client {65a1b6fc-4c24-59c9-e3f3-ad11ac510b41}     <all events>

  Microsoft-Antimalware-Engine {0a002690-3839-4e3a-b3b6-96d8df868d99}     1    ScanRequest - Start     2    ScanRequest - Stop     5    StreamScanRequest - Start     6    StreamScanRequest - Stop     30  UfsScanFile - Start     31  UfsScanFile - Stop     32  UfsScanProc - Start     33  UfsScanProc - Stop     43  ExpensiveOperation - Start     67  ExpensiveOperation - Stop

  Microsoft-Antimalware-AMFilter {cfeb0608-330e-4410-b00d-56d8da9986e6}     9    FileScan - Start     11  FileScan - Result

  Microsoft-Antimalware-RTP {8e92deef-5e17-413b-b927-59b2f06a3cfc}     23  DlpPerfOperation - Start     24  DlpPerfOperation - Stop     27  RTPFileScanResult - Useful

  Microsoft-Antimalware-Service {751ef305-6c6e-4fed-b847-02ef79d26aef}     1  ServiceOnDemand - Start     2  ServiceOnDemand - Stop

  Microsoft-Windows-CodeIntegrity {4ee76bd8-3cf4-44a0-a0ac-3937643e37a3}     3007  PageHashFoundInImageCertificate - Useful     3011  LoadCatalog - Stop     3012  LoadCatalog - Start     3013  ReloadCatalogs - Start     3014  ReloadCatalogs - Stop     3015  ValidateFileHash - Start     3016  ValidateFileHash - Stop     3017  ValidatePageHash - Start     3018  ValidatePageHash - Stop     3038  ValidateImageHeader - Start     3039  ValidateImageHeader - Stop     3040  GetFileCache - Start     3041  GetFileCache - Stop     3042  SetFileCache - Start     3043  SetFileCache - Stop

TODO: Test this system on a corporate-managed device. Q: Is a corporate-managed device able to produce the other events listed as not tested above? Q: Do all of the !AntiMalware Start/Stop events show up correctly in the Regions-of-Interest graph/table ("AntiMalware" tab)? That is, is the Regions-of-Interest file correct in all cases? Q. Do all of the !AntiMalware events show up in the Generic Events table ("AntiMalware" tab)? Note that there is a filter-set on this tab:

Provider Name ... starts with ...   Microsoft-Antimalware   Microsoft-Windows-Sense   Microsoft.Windows.Sense   Microsoft-Windows-Sec   Microsoft.Windows.Sec   Microsoft-Windows-App OR equals...   Microsoft-Windows-CodeIntegrity OR contains...   Defender

Since the filter-set uses the Provider Names, this assumes that WPA is able to decode the ETW Provider GUIDs into Provider Names before filtering, even for TraceLogging providers, such as: Microsoft.Windows.Sense*

[rayfo]

Leonid says: BTW, speaking about Defender stuff, recently I had a long discussion with Defender team on excessive CPU usage in some Office services. Defender team advised us to collect additional diagnostics with their publicly available analyzer - see

• Download the Microsoft Defender for Endpoint client analyzer - Microsoft Defender for Endpoint | Microsoft Learn • Run the client analyzer on Windows - Microsoft Defender for Endpoint | Microsoft Learn • Data collection for advanced troubleshooting on Windows - Microsoft Defender for Endpoint | Microsoft Learn

Besides Defender-specific logs, this analyzer collects very detailed ETW traces with a lot of Defender-specific events. Through analyzer, they publicly expose a big set of Defender events, so it should not be a concern for MSO-Scripts project. Also, I'm wondering, if there are some additional interesting Defender events not captured yet by your scripts.