[HN Gopher] Firefox engineers discover a Windows Defender bug th...
___________________________________________________________________
Firefox engineers discover a Windows Defender bug that causes high
CPU usage
Author : mconley
Score : 336 points
Date : 2023-04-05 18:48 UTC (4 hours ago)
(HTM) web link (bugzilla.mozilla.org)
(TXT) w3m dump (bugzilla.mozilla.org)
| SpaceManNabs wrote:
| I knew I wasn't hallucinating about windows defender.
| Osiris wrote:
| It used to be possible to disable real-time protection but now
| it's not. The UI toggle is only for a limited time and the Group
| Policy option doesn't work anymore.
| consumer451 wrote:
| Random thought:
|
| I am not sure what the at-scale energy use reduction of this bug
| fix will be, but...
|
| If I had a pile of money I would consider creating a special bug
| bounty style program for energy use reduction.
|
| This might be a very efficient way to reduce carbon output from
| personal and data center computing.
| howinteresting wrote:
| I agree. Windows Defender and Gatekeeper on macOS both have
| pathological performance characteristics in some cases -- $$$
| should act as a good incentive to figure them out.
| JoeAltmaier wrote:
| Funny how that sort of thing can work out. I was involved in an
| industrial optimization company years ago. Microsoft came out
| with power-save features in their new release.
|
| The staff at a metal-recycling company we were installing at,
| started complaining that the furnace would stop optimizing
| overnight. We investigated.
|
| The controller computer would go into power-save mode, which
| suspended our control app. So the furnace would just sit there
| wasting power and burning up electrodes.
|
| I calculated that during that week our furnace site wasted more
| power than all the power saved in America that year with
| power-save mode.
|
| It would literally have been better if _they'd never invented
| power save mode_.
|
| So be careful how much fiddling around we do. The law of
| unintended consequences will bite you in the butt every time.
| wizofaus wrote:
| > It would literally have been better if they'd never
| invented power save mode.
|
| Only if you considered the purpose of power-saving mode to
| reduce total energy usage, vs to reduce amount of power (and
| consequent wear & tear) an individual machine uses. However
| that MS would release a feature like that which automatically
| kicks in on upgrade without any sort of consideration of what
| the machine was used for - it could be running life-support
| systems! - seems an issue. But I'd also expect a fair bit
| more diligence on behalf of engineers responsible for
| monitoring and maintaining systems that need 24x7 uptime.
| dylan604 wrote:
| >it could be running life-support systems!
|
| I shudder at the thought that a critical piece of
| life-support anything would be running a windows based OS.
| throitallaway wrote:
| https://www.youtube.com/watch?v=Uh64nPT7JWk
| ChuckNorris89 wrote:
| _> it could be running life-support systems!_
|
| Life support systems don't run windows. And if you're
| running consumer windows on anything critical, you fucked
| up.
| muststopmyths wrote:
| Or... the controller app could be written to prevent
| suspension via available APIs. If that wasn't an option, you
| could turn off power saving mode on the computer as well.
| JoeAltmaier wrote:
| Power save was a new thing. We were all learning.
| Dalewyn wrote:
| >So be careful how much fiddling around we do. The law of
| unintended consequences will bite you in the butt every time.
|
| Also known as: If it ain't broke, don't fix it.
| depereo wrote:
| I found a large company was publishing windows server
| templates to its private cloud clients with power saving mode
| enabled.
|
| The issue I was originally investigating was SQL timeouts;
| turned out the virtual servers were putting their virtual
| nics to sleep.
| paulryanrogers wrote:
| Isn't this more a failing of the operator: using a consumer
| grade OS for an industrial case?
| throitallaway wrote:
| I cringe whenever I see a BSOD or other usage of Windows on
| appliances in public. There are such better options
| available.
| ChuckNorris89 wrote:
| _> There are such better options available._
|
| Meh, I see Ubuntu black screens in public appliances as
| well.
| JoeAltmaier wrote:
| Such distinctions were not so available back then.
| jacquesm wrote:
| Absolutely they were. Plenty of real time options since
| the 80's.
| jacquesm wrote:
| Worse: a consumer grade OS with a reputation for blue
| screens and random reboots, remote updates and other
| niceties that you _really_ don't want when you're
| controlling real world hardware.
| dijit wrote:
| be very careful what you define as "consumer grade",
| microsoft officially positions variants of windows as
| professional, industrial and enterprise grade.
|
| Linux as she is written comes with no warranty of anything,
| it is much more "consumer grade" than those variants of
| windows.
|
| I think even enterprise linux does not come with support
| for industrial applications.
|
| (I say this as a huge proponent of Linux supremacy)
| RcouF1uZ4gsC wrote:
| Is Windows Defender even worth enabling?
|
| It eats up a lot of CPU. It doesn't seem like much help in a
| default update enabled system where you are using a regular user
| account instead of an administrator account.
|
| In addition, anti-virus and real time scanning is itself
| potential surface area for an exploit (for example a few years
| back there was an exploit based on Norton antivirus email
| scanner).
| bobsmooth wrote:
| Enable it on your parents PC but you shouldn't need it.
| Dalewyn wrote:
| Yes.
|
| It uses next to no system resources (issues like this aside),
| it integrates perfectly with Windows (it comes from Microsoft,
| after all), it's reasonably effective (to the chagrin of AV
| vendors the world over), and it isn't intrusive.
| lapsis_beeftech wrote:
| Windows Defender is worse than nothing but in recent versions
| of Windows it is enabled by default, very difficult to disable,
| and may get re-enabled at any future software update.
| Narishma wrote:
| I don't think you can disable it anymore in recent versions of
| Windows unless you install another AV software.
| zokier wrote:
| Getting rid of Defender is one of the best reasons to buy 3rd
| party AV.
| ChuckNorris89 wrote:
| 3rd party AV is worse than defender
| Strom wrote:
| You can disable it. First you have to disable the tamper
| protection and real time protection in the GUI. Now the real
| time protection will come back automatically in some time,
| unless you do the following.
|
| If you have a Pro version of Windows there is a group policy
| setting for it. [1]
|
| If you have Home, you can achieve the same effect by manually
| tweaking the registry. [2]
|
| --
|
| [1] Computer Configuration > Administrative Templates >
| Windows Components > Windows Defender Antivirus > Real-time
| Protection
|
| [2] HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\"DisableRealtimeMonitoring"=dword:00000001
| Strom wrote:
| How many threats has it detected for you? I ran it for a decade
| or so and it caught exactly zero, so then I decided to disable
| it, because it makes file system access about 5-10x slower than
| it can be on my NVMe drive. Not bandwidth, but I/O syscalls. So
| things like node_modules become a real pain.
| ivanmontillam wrote:
| I've experienced a bug related to the on-disk real-time scanning
| of Windows Defender, but instead with 100% disk bandwidth usage
| for unreasonable amounts of time.
|
| I purchased a license of a proper antivirus software to avoid
| that bug and the performance issues have gone away.
|
| When you install another AV software, Windows Defender steps down
| and leaves scanning to the 3rd-party security solution. I
| selected one of the most lightweight ones I could find. It has
| been a net win for me.
|
| One shouldn't need to do this, but it has worked so far, for
| years now.
| Cthulhu_ wrote:
| > I purchased a license of a proper antivirus software
|
| Which is that? For years (and come to think of it, this goes
| back to the 2000's or even 90's), AV / antimalware software
| comes across as scareware, using tricks to ensure you're afraid
| of not having it.
|
| And second, who here has ever had a virus in the past ten
| years?
| zokier wrote:
| There are some performance benchmarks for AV products:
|
| https://www.av-comparatives.org/tests/performance-test-
| octob...
|
| https://www.av-test.org/en/antivirus/home-
| windows/windows-10... (less useful..)
|
| AV comparatives has some other tests also that might be of
| interest to HNers:
|
| https://www.av-comparatives.org/tests/uninstallation-
| test-20...
|
| https://www.av-comparatives.org/tests/false-alarm-test-
| septe... (reason why you might not want to pick the fastest
| product..)
| jacobsenscott wrote:
| I agree AV software is essentially useless malware, but as to
| "who here has ever had a virus..." - well - the botnets are
| running somewhere.
| wizofaus wrote:
| Indeed, I wouldn't install anything from McAfee if you paid
| me too, given the way it automatically installs itself along
| with various other unrelated applications and the number of
| phishing emails claiming to be from McAfee (which presumably
| exist because their creator is aware of how often McAfee
| itself pushes similar messages out).
|
| I can't actually remember the last time any anti-malware
| software (built-in or otherwise) actually detected anything
| like a traditional virus, but there are plenty of computer
| users who are rather more trusting of links (including ones
| that download executables) in emails and the like. I don't
| doubt if I used a machine with all protection turned off and
| with the level of caution of a typical non-technical user
| it'd be hit with malware sooner or later. Most likely a
| browser plugin capable of reading passwords as I type them
| etc.
| ivanmontillam wrote:
| > Which is that?
|
| I purchased a license of ESET Internet Security, and full
| disclosure: back in early 2017, I worked at an ESET-licensed
| reseller as a Presales and Support Engineer, so I know how to
| fine-tune it and all the ins and outs.
|
| By nature, it's very lightweight (330 Mb RAM footprint), but
| you can fine-tune it even more if you want.
|
| > And second, who here has ever had a virus in the past ten
| years?
|
| We the people at HN are tech-savvy and of course will not get
| infected, but recently I spotted malware out-in-the-wild via
| Facebook Ads[0].
|
| Your usual grandma/grandpa using the computer to connect with
| loved ones and play Candy Crush Saga _will_ get infected, if
| they are not by now.
|
| Some people tell me: "bUt tHaT'S BeCaUsE ThEy aRe vIsItInG
| WeIrD SiTeS," well, even if you stick to the common social
| media sites and usual news sites, you _will_ get infected.
|
| I cannot emphasize this enough, but you're responsible for
| your own computer so I will not proselytize you into
| purchasing AV software.
|
| --
|
| [0]:
| https://twitter.com/IvanMontillaM/status/1604308301579051009
| Dalewyn wrote:
| >Some people tell me: "bUt tHaT'S BeCaUsE ThEy aRe vIsItInG
| WeIrD SiTeS," well, even if you stick to the common social
| media sites and usual news sites, you will get infected.
|
| I recall reading a study a few years back saying how it's
| safer to browse porn sites than it is to browse what most
| would call "common" sites such as retailers.
| [deleted]
| ivanmontillam wrote:
| Interesting, my assumption would be that porn sites must
| clean themselves from that malware-ish reputation,
| whereas "common" sites with low-end ad networks don't
| have it (but they are prone to gain it, because of
| careless/negligent ad bidder verification).
| Arrath wrote:
| > I've experienced a bug related to the on-disk real-time
| scanning of Windows Defender, but instead with 100% disk
| bandwidth usage for unreasonable amounts of time.
|
| Sophos does this on my work laptop with depressing regularity.
| At this point I just go grab coffee when the fans max out,
| cause I know the disk is similarly pegged and it'll be about as
| snappy as a bogged down Windows 98 machine until it finishes.
| miyuru wrote:
| I stopped using windows and moved to Fedora and Mac when I
| faced the same issue you faced. Cannot trust windows after
| shipping this perf bug and the modern standby bug.
| nabakin wrote:
| A bug pending for 5 years, wow
| bdcp wrote:
| TL;DR?
| boredumb wrote:
| Firefox engineers discovered a Windows Defender bug that causes
| high CPU usage.
| ape4 wrote:
| "This problem has two sides: Microsoft was doing a lot of
| useless computations upon each event; and we are generating a
| lot of events. The combination is explosive. Now that
| Microsoft has done their part of the job (comment 82), we
| need to reduce our dependency to VirtualProtect. Bug 1822650
| in particular will help with that."
| nier wrote:
| Firefox engineers discovered a bug in Windows Defender that
| causes high CPU usage.
| dakial1 wrote:
| [flagged]
| nvrspyx wrote:
| It was also fixed with a definition update in Windows Defender
| some time last month, so you probably have the update since
| these happen in the background and don't require any restart.
| You can check by going to:
| C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{BUNCH-OF-NUMBERS}
|
| Right click `mpengine.dll`, choose Properties, click Details
| tab, and check to see if Product Version is >= 1.1.20200.3.
| Mine is 1.1.20200.4 and was updated in mid/late March. If the
| version is less than 1.1.20200.3, you can manually trigger a
| definitions update in Windows Defender under Virus & Threat
| Protection.
| marcodiego wrote:
| > a ~75% CPU usage reduction was noted when browsing YouTube in
| Firefox
|
| I wonder how many of the people who say "Firefox is significantly
| slower than chrome" are using windows... On my computer, Firefox
| IS slower than chrome but (with ad blockers enabled) by an
| insignificant amount. By still being "the last remaining mostly
| independent, maintained and reasonably popular browser" I'd
| prefer it to use over chrome even if it is a bit slower.
|
| Of course, ms is no longer the "old micro$oft" but their history
| on how they handle competitor browsers makes one think how much
| interest they could have in investigating and fixing such a bug.
|
| My takeaway is: prefer independent software as much as you can.
| boringuser2 wrote:
| Firefox is significantly slower than chrome.
|
| This usually doesn't matter, but you can immediately see it in
| any page that
|
| A) has a massive DOM
|
| or
|
| B) uses complex regular expressions that eat up the engine
| stkdump wrote:
| I've read that a number of times now, but I have trouble
| matching it to my perceptions. Can you point to a specific
| website where you notice that slowness and then describe what
| action is slower? (Initial load, clicking stuff, scrolling,
| etc.)
|
| Just as an example, loading jslinux.org for me in Firefox is
| about twice as fast as in Chrome. That might be a special
| case of course, because it is a very special type of workload
| that probably is not common on other websites. But I would
| love to see concrete examples of the opposite.
| 0000000000100 wrote:
| WebGL / Canvas heavy sites are typically significantly
| slower in Firefox compared to Chrome. Google Maps is a
| pretty good example of this.
| tomrod wrote:
| To be fair though, Google maps is an awful beast on any
| browser compared to older versions.
| crooked-v wrote:
| Put 10,000 or so event handlers with their own DOM updates
| on a page. Chrome will run it smoothly (taking up a huge
| amount of RAM in the process), Firefox won't.
| cptskippy wrote:
| What is the definition of huge amount of RAM? How does
| Chrome perform when it's RAM constricted? Are we blaming
| Firefox for poorly designed websites?
|
| It feels like this is a straw man constructed to bash
| Firefox, rather than a real world scenario.
| crooked-v wrote:
| Extremely poorly-optimized websites are far more common
| these days than even mildly performant ones.
| SketchySeaBeast wrote:
| Do you have an example of one with 10,000 event handlers?
| If the case where Firefox falls isn't real it doesn't
| matter that other sites suck (not arguing that fact).
| jldl805 wrote:
| That's not a specific site though.
| [deleted]
| kevingadd wrote:
| For our benchmark suites at work, Firefox and Chrome
| generally trade back and forth on who's faster. It's not a
| consistent 'chrome is fastest'. I'm sure there are specific
| websites where Chrome dominates but I've yet to see any
| evidence that we're still in the bad old days where Firefox
| was orders of magnitude slower on important stuff.
| bayindirh wrote:
| Firefox is slower than Chrome if and only if your DNS is not
| responding as fast. When backed by a performant DNS server,
| Firefox is generally faster than Chrome.
|
| Don't ask me how I know it.
| Cthulhu_ wrote:
| Both of which are more issues with the website than the
| browser, imo.
| rascul wrote:
| I just ran a test at https://browserbench.org/Speedometer2.1/
|
| Firefox scored 89.5 +-1.7
|
| Chromium scored 87.3 +-2.9
|
| I guess that means Firefox did faster for those tests. I don't
| use Chrome or Chromium based browsers in general so I don't
| know how they compare in "feel".
|
| I am on Linux.
| Karellen wrote:
| 79.3+-0.92 for me in Epiphany/Gnome Web
|
| Which is a lot better than I was expecting compared to
| Firefox/Chromium.
| zamadatix wrote:
| 80-90s feels low in general, my phone gets +300 on that.
| Maybe some funky CPU powersave interfering with the runs?
| SketchySeaBeast wrote:
| Hmmm, that seems like it's going to be super situational. It
| hit 160 +- 1.9 in Firefox, 236 +- 5.2 in Chrome. So results
| are all over the map.
| someNameIG wrote:
| On my base M1 MacBook Air Firefox is noticeably slower than
| Chrome/Edge/Safari.
| guelo wrote:
| Strange, I have the same laptop on a fast network and I can't
| tell the difference.
| pjmlp wrote:
| Firefox is slower than Chrome regardless of the OS.
| jandrese wrote:
| I have definitely noticed my laptop fans spinning up whenever I
| do Youtube on Firefox on Windows. I just figured the GPU
| acceleration was broken, but this makes sense. Certainly not
| the first time Windows Defender has consumed extraordinary
| amounts of system resources for simple tasks.
| dylan604 wrote:
| I've noticed that AWS Console will spin up the fans on my MBP
| running Firefox, specifically on the EC2 screen. None of the
| other Console screens spin up the fans like that. Viewing
| about:performance always shows the AWS tab running full tilt
| to the point I've jokingly assumed they're trying to spin up
| an instance via WASM ;-)
| olyjohn wrote:
| The "new" EC2 console is the biggest pile of crap.
| ThatMedicIsASpy wrote:
| On Linux I fixed issues by setting media.ffmpeg.vaapi.enabled
| true in about:config.
|
| From fan noise to none on youtube/twitch - chrome never made
| the fans spin.
| ziml77 wrote:
| It's not just Windows that it's worse on though. It doesn't
| perform well on macOS either. It's not as bad as it used to be
| when it had a horrible power draining interaction with display
| scaling on macOS, but it still isn't as efficient as Chrome
| or Safari.
| jldl805 wrote:
| I use all three browsers (FF for personal, Edge for work and
| on my Surfaces, Chrome on my chromebooks). Edge on Surfaces
| is the fastest and tbh these days I like Firefox over Chrome
| in every way, and don't notice a speed difference. I consider
| myself a power user, for what it's worth.
| omnimus wrote:
| I have a suspicion that lots of the "chrome is faster" is because
| devs optimise for chrome. More unique and "new" the API is the
| bigger the difference. Webgl is probably pretty different
| between browsers but nobody will bother to even look at webgl
| project in Firefox. It's pretty remarkable that such complex
| code can run pretty well in multiple different browsers.
|
| Another example Chrome has rel=prerender support and some
| libraries use it to make loading pages faster. Safari and
| Firefox don't support it. But it's progressive enhancement so
| why not use it. Result is that Chrome seems faster. There are
| probably many ways to make things faster on the other side but
| nobody will bother.
| solarkraft wrote:
| It's much much slower for me on macOS. But that's with all my
| extensions while I don't have as many on Chrome.
| nijave wrote:
| Firefox seems a little slower than Chrome on Linux but force
| enabling some of the GPU offload stuff seemed to help.
| LeoNatan25 wrote:
| Windows Defender itself is a bug that causes high CPU usage, by
| design. ;-)
| ravenstine wrote:
| Windows Defender is a long standing bug in the Windows operating
| system. ;)
|
| My impression is that its invention was for the sole purpose of
| eradicating the idea that Windows is insecure and prone to
| viruses, which explains why it can be overzealous and CPU hungry.
|
| I would only enable it for family members who don't know what
| they are doing. For some reason, I haven't needed any form of
| active virus scanning in something like 15 years. If it turns out
| I've been infected this entire time, the criminals sure are
| taking their time stealing my money, etc.
| thewataccount wrote:
| There's a misconception that you need to do something "stupid"
| to get a virus which is simply not the case. 0 days exist, and
| worms are still a thing (looking at you samba).
|
| A great example is Pytorch just recently had a supply chain
| attack, and installing the nightly version between December
| 25th and December 30th, 2022 - would result in your home
| directory getting uploaded including ssh keys.
|
| Chrome also just had a 0 day 2022 - CVE-2022-3075
|
| Pytorch supply chain attack via Triton 2022/2023 -
| https://www.bleepingcomputer.com/news/security/pytorch-discl...
|
| EDIT: Also there's a misconception that linux somehow doesn't
| get viruses - however the Pytorch attack affected linux users.
| Making a virus for windows gives you far more targets than
| linux, which is why they're far more common.
| bakugo wrote:
| > 0 days exist,
|
| And they're almost exclusively used in targeted attacks
| against valuable targets, because burning a 0-day to hack
| grandma's old laptop and steal her facebook password isn't a
| particularly good investment.
| longsword wrote:
| There will always be 0 days out there, but they will always
| be very expensive and rare. If you have the resources to buy
| or find a 0-day, you definitely won't blow it by executing
| known malware, or other stuff, which falls under the detected
| by AV's. I really don't think that having AV installed will
| protect any user from a 0-day.
|
| On the other side, you install a very invasive av software,
| which runs as privileged user and intercepts everything that's
| happening on your system. They even make a great target for
| malware by themselves. Just recently ClamAV had a bug in its
| file scanner, which led to an rce: CVE-2023-20032
| lionkor wrote:
| windows users will also happily "run as administrator", while
| a lot of linux users know not to do that in my experience
| ChuckNorris89 wrote:
| _> a lot of linux users know not to do that in my
| experience_
|
| _README.md : "to get this to work, curl or wget the
| following script and run it as sudo"_
|
| Linux users: Aye
| qup wrote:
| Yes, I have an absolutely pristine record and I have never,
| ever copy-pasted a script from the internet with sudo, or
| piped curl into bash because I'm lazy and I trust most
| github READMEs. Never.
| olyjohn wrote:
| Defender is designed to tick a box on enterprise security
| checklists. That is about all it really excels at. It keeps IT
| people happy because they don't have to deal with a third party
| for their shitty AV.
| squeaky-clean wrote:
| > who don't know what they are doing.
|
| I think this would describe the majority of computer users. And
| the majority of computer users are also using Windows.
|
| > I haven't needed any form of active virus scanning in
| something like 15 years
|
| Microsoft Defender antivirus was released alongside Windows 8
| in 2012. And it's essentially a rewrite of Microsoft Security
| Essentials which came included starting with Vista. If you
| haven't been explicitly disabling it, which your comment sounds
| like, you've been running one without knowing it for 16 years
| Dalewyn wrote:
| >Microsoft Defender antivirus was released alongside Windows
| 8 in 2012. And it's essentially a rewrite of Microsoft
| Security Essentials which came included starting with Vista.
|
| Not quite.
|
| Windows Defender was released together with Windows Vista,
| this was very rudimentary and only handled malware and
| spyware not unlike Malwarebytes, it did not handle viruses.
|
| Microsoft Security Essentials was released standalone
| sometime during Windows 7's era, this was fully fledged
| anti-virus.
|
| Microsoft Security Essentials was renamed Microsoft Defender
| and bundled with Windows starting from Windows 8, where it
| has stayed to this day.
| squeaky-clean wrote:
| You're right I was wrong about MSE which was the Windows 7
| era. But Windows Defender was released in 2005 and was a
| rebrand of Microsoft AntiSpyware, which itself was a
| rebrand of GIANT AntiSpyware.
|
| The version of Windows Defender that came with Vista was a
| bit different and included realtime scanning when
| executables were run.
| olyjohn wrote:
| They bought out the best AV product on the market, and
| initially it was amazing. They even improved on it at
| first, but then it started aging into the turd that is now
| Defender.
| uni_rule wrote:
| It's decent enough in the past 8-10 years that I don't bother
| with much free antivirus on my own or others' machines in the
| current year. It's a far cry from the Windows XP / 7 era where
| it was fucking useless and people got Ransomware or Rogues
| pretending to be AV's every other Tuesday just from using
| google images. Nowadays it is simply adequate for most people.
|
| At this point the only other antivirus I bother keeping an
| install of on my personal system is Malwarebytes free in case
| things really go tits up and I need to run it and rkill from
| safe mode.
| acdha wrote:
| > I would only enable it for family members who don't know what
| they are doing.
|
| The problem is that this also includes most people who think
| they know what they're doing. We're in the middle of a big
| change in how general purpose computers work and it's basically
| driven by accepting that people make mistakes, trusted sites or
| things like their URL shorteners or social media are
| compromised periodically, etc. Maybe you're really good at
| never visiting dodgy websites, always use an ad blocker, etc.
| ... but have you never installed the wrong Python, NPM, etc.
| package by mistake?
|
| Short term, something like Defender makes sense for most
| devices used for web or email. Longer term, I think we need
| more focus on sandboxing, hardware MFA, etc. so we aren't using
| systems so brittle that everything just falls apart if you make
| a mistake. I don't want the entire world to be iOS but the
| status quo sucked more.
| mconley wrote:
| TL;DR: Windows Defender had a bug that made certain system calls
| expensive on CPU cycles when Defender's Real-time Protection
| feature is enabled. After discovery, Mozilla reported this issue
| to Microsoft. Microsoft is releasing a patch that should result
| in lower CPU usage when using Firefox on sites like YouTube (a
| ~75% CPU usage reduction was noted when browsing YouTube in
| Firefox with the fixed version of Defender).
|
| It seems like the HN submission form truncated the # from the end
| of the URL I linked to, which linked to the relevant comment.
| I'll try that here:
|
| https://bugzilla.mozilla.org/show_bug.cgi?id=1441918#c82
|
| and
|
| https://bugzilla.mozilla.org/show_bug.cgi?id=1441918#c91
| Diggsey wrote:
| Well, also Firefox is making an excessive number of calls to
| that slow system call compared to other browsers (Chrome,
| Edge).
| zokier wrote:
| Well, it was fast system call until MS added AV hook to it.
| sfink wrote:
| My understanding is that until recently (January), V8 (inside
| Chrome & Edge) made a similar number of calls. The main use
| is making it so that JIT-generated code is not writable while
| it is executing. It's an important security measure. V8
| switched to a more recent mechanism (memory protection keys)
| that have been gradually getting support from the various
| OSes. But IIUC, they switched off the mprotect/VirtualProtect
| calls unconditionally, and added in the protection key stuff
| only where supported, which suggests that they left some
| configurations without any protection at all. SpiderMonkey
| (in Firefox) has not yet switched to the cheaper mechanism.
|
| I may have some of the details wrong.
|
| https://source.chromium.org/chromium/_/chromium/v8/v8.git/+/.
| ..
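
The write-xor-execute pattern described in the comment above, as an added example that is not part of the thread and is not SpiderMonkey or V8 code: a JIT-style region is flipped between RW and RX around each patch, and every flip is one protection-change call that a real-time scanner hooking it would have to process. It assumes a POSIX system, with `mprotect` standing in for `VirtualProtect`; the `code_region` and `patch` types and all function names are hypothetical, and the patch bytes are constructed and never executed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for MAP_ANONYMOUS under strict -std= modes */
#endif
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical JIT code region, for illustration only. */
typedef struct {
    uint8_t *base;             /* start of the mapping */
    size_t len;                /* mapping length, a multiple of the page size */
    int writable;              /* 1 while the region is RW, 0 while it is RX */
    unsigned long prot_calls;  /* protection-change syscalls issued so far */
} code_region;

/* One patch: bytes to copy to an offset inside the region. */
typedef struct {
    size_t off;
    const uint8_t *bytes;
    size_t n;
} patch;

/* Map the region RX from the start, so it is never writable and executable at once. */
int region_init(code_region *r, size_t pages)
{
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0 || pages == 0) return -1;
    r->len = pages * (size_t)ps;
    r->writable = 0;
    r->prot_calls = 0;
    r->base = mmap(NULL, r->len, PROT_READ | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return r->base == MAP_FAILED ? -1 : 0;
}

/* Flip the whole region between RW (patching) and RX (executing). */
static int region_set_writable(code_region *r, int writable)
{
    int prot = writable ? (PROT_READ | PROT_WRITE) : (PROT_READ | PROT_EXEC);
    r->prot_calls++;  /* each call is one event for a scanner that hooks it */
    if (mprotect(r->base, r->len, prot) != 0) return -1;
    r->writable = writable;
    return 0;
}

/* Copy one patch; refuses when the region is sealed or the patch is out of bounds. */
static int region_write(code_region *r, const patch *p)
{
    if (!r->writable) return -1;
    if (p->off > r->len || p->n > r->len - p->off) return -1;
    memcpy(r->base + p->off, p->bytes, p->n);
    return 0;
}

/* Strategy A: open and close the write window around every patch (2 calls each). */
int apply_per_patch(code_region *r, const patch *ps, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (region_set_writable(r, 1) != 0) return -1;
        int rc = region_write(r, &ps[i]);
        /* always reseal, even when the write was refused */
        if (region_set_writable(r, 0) != 0 || rc != 0) return -1;
    }
    return 0;
}

/* Strategy B: one write window for the whole batch (2 calls in total). */
int apply_batched(code_region *r, const patch *ps, size_t count)
{
    int rc = 0;
    if (region_set_writable(r, 1) != 0) return -1;
    for (size_t i = 0; i < count && rc == 0; i++)
        rc = region_write(r, &ps[i]);
    if (region_set_writable(r, 0) != 0) return -1;
    return rc;
}

void region_free(code_region *r) { munmap(r->base, r->len); }

/* Apply `count` constructed patches; return the number of protection changes
 * issued, or 0 if anything failed or the region was left writable. */
unsigned long demo_calls(int batched, size_t count)
{
    static const uint8_t stub[4] = { 0xde, 0xc0, 0xad, 0x0b }; /* constructed */
    code_region r;
    patch ps[256];
    if (count > 256 || region_init(&r, 4) != 0) return 0;
    for (size_t i = 0; i < count; i++)
        ps[i] = (patch){ i * 16, stub, sizeof stub };
    int rc = batched ? apply_batched(&r, ps, count)
                     : apply_per_patch(&r, ps, count);
    int ok = rc == 0 && !r.writable &&
             (count == 0 ||
              memcmp(r.base + (count - 1) * 16, stub, sizeof stub) == 0);
    unsigned long calls = r.prot_calls;
    region_free(&r);
    return ok ? calls : 0;
}

int main(void)
{
    printf("per-patch: %lu calls, batched: %lu calls\n",
           demo_calls(0, 64), demo_calls(1, 64));
    return 0;
}
```

Both strategies leave the region sealed RX between patch runs; the batched form only holds the write window open longer, which is the trade-off when cutting the number of protection changes.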
| nagisa wrote:
| pkeys are hardware-specific as far as I am aware, and at
| least last time I tried them didn't work on hardware as
| recent as zen 1.
| cjblack wrote:
| I'm curious how much excess energy has been consumed, and won't
| be consumed any longer, as a result of this improvement - even
| just limited to reduced CPU usage on Windows machines using
| Firefox to watch Youtube.
|
| I love thinking about the impacts of tiny improvements at scale
| like this, might do some napkin math on it later and see if I
| can come up with something in the right order of magnitude.
| 2ICofafireteam wrote:
| Next: Canadian cars and their daytime running lights.
| wongarsu wrote:
| Running lights during daytime seems to reduce crashes by
| about 5-10%, and crashes consume a lot of energy. Depending
| on crash severity there's at a minimum the wasted time for
| all involved parties and frequently the necessity for
| repairs (including the production of replacement parts,
| paint etc), and at the high end the involvement of
| emergency personnel and their vehicles, hospital beds,
| doctors, the production of entire new cars as replacement
| for totaled ones, etc.
|
| I'm not so sure that running lights isn't a net positive,
| especially with the introduction of LED lights.
| fsckboy wrote:
| firefox browser share is teeny tiny these days
| tomrod wrote:
| Teeny tiny multiplied by 7 Billion by 365 days per year by
| 24 hours per day by a fraction of a kW does add up.
| beAbU wrote:
| 7B people are not watching youtube on Firefox 24/7 365
| days a year.
| tomrod wrote:
| Correct. Some teeny tiny fraction of market share is. For
| the conceptual calculation, I refer you to my earlier
| comment.
| mulmen wrote:
| But at any given moment someone is.
| zokier wrote:
| Note that this issue is not exclusive to MS Defender, but
| likely all Windows AV products to varying degrees:
|
| > > I would also like to add that this high CPU usage issue
| while using Firefox is not exclusive to Microsoft Defender.
| _It's an issue for Norton's AV products also_ and should be the
| same for Symantec Endpoint products too.
|
| > > So, you should also test them.
|
| > It is true that we should analyze the situation with other AV
| vendors, however, given the numbers shared above, and given how
| relevant it is to keep track of memory protection changes in
| order to detect malicious behavior, it is very likely that the
| explanation for Windows Defender _also applies (at least in
| part) to other AV vendors_.
|
| Can we get edit on the title?
| IronWolve wrote:
| It's not just mozilla, been working defender issues for the
| last few years on thousands of windows vm's. Mostly due to the
| enabling the more intensive heuristic real time engine and they
| have different code bases depending on versions installed on
| different windows builds, and patching does seem to trigger it.
| For months we had issues where we couldn't log into some vm's
| due to high cpu for defender, and had to bounce the vm and
| apply a temp defender fix.
|
| I think it's a growing issue, as they mature/migrate their older
| code base, issues become less frequent.
| psychphysic wrote:
| I have malwarebytes premium and defender CPU usage is nearly
| 100% at times bringing Firefox to a halt. Chrome works
| fine. I've been blaming Firefox so far.
| Yoric wrote:
| In my experience (as a former Firefox dev), antivirus /
| antimalware software are really poorly behaved. They tend
| to:
|
| - require admin rights (which means that if they have
| vulnerabilities, it can take control of the entire machine,
| even if Firefox itself is sandboxed);
|
| - monkey-patch the Firefox executable in memory, which
| works (when it does) as long as the version of the software
| tracks closely the version of Firefox, which may or may not
| be the case;
|
| - ... and also decreases the memory-safety of Firefox,
| which makes it easier to pwn;
|
| - ... and also makes the crash reports unreliable;
|
| - install encryption certificates that are actually less
| trustworthy than Mozilla's, hence decreasing the security
| of https;
|
| - block Firefox and add-on security updates, also
| decreasing security;
|
| - install privileged add-ons, many of which are easy to
| exploit from any webpage;
|
| - ...
|
| Part of the work on Crash Scene Investigations was
| attempting to determine whether the crash was in Firefox or
| in code or in some bogus foreign code. Depressingly often,
| it was the latter.
|
| In your case, it's entirely possible that malwarebytes was
| simply untested on Firefox.
| jbritton wrote:
| I had always assumed that one application could not touch
| the memory of another application. Does running as Admin
| allow breaking this boundary?
| genocidicbunny wrote:
| > - monkey-patch the Firefox executable in memory, which
| works (when it does) as long as the version of the
| software tracks closely the version of Firefox, which may
| or may not be the case;
|
| This one was a frustratingly common cause of crashes when
| I worked in gamedev. So many crashes would end up being
| some overlay or antivirus monkeying about with memory.
| jodrellblank wrote:
| > "_Windows Defender had a bug that made certain system calls
| expensive_"
|
| It also has a bug(?) which makes method calls 100x slower in
| PowerShell 7:
|
| https://github.com/PowerShell/PowerShell/issues/19431
| dang wrote:
| Ok, I've put that back in the URL above. Thanks.
| mgaunard wrote:
| [flagged]
| moonchrome wrote:
| This just reminds me of constant "things worked so fast on my
| Windows 95 machine back in the day with 16MB RAM". Meanwhile any
| piece of software could crash your PC and it did so regularly (I
| still keep spamming save in software because of those days) and
| internet was a Pandora's box.
|
| I wonder how much overhead in modern OS/PC user experience comes
| from security/stability abstractions and tools.
| jacobsenscott wrote:
| I think it mostly comes from the fact that computers are so
| fast now people write apps without worrying too much about
| performance - apps have always grown to use whatever resources
| are available. But when your app had to run on a Pentium with
| 16MB of memory - you actually had to work hard on performance
| because you had such limited resources.
| moonchrome wrote:
| Yes but people have these nostalgic rose-tinted glasses of
| software from that era - it was hot garbage that crashed all
| the time because they had so many constraints. Yeah GC
| introduces a bunch of overhead - but it also means you don't
| get segmentation faults, memory corruption, etc.
|
| Modern software is much more reliable than the software from
| that era, people nowadays complain when a button isn't
| working - back then a button could randomly freeze my entire
| PC.
| throitallaway wrote:
| > it was hot garbage that crashed all the time because they
| had so many constraints
|
| Correlation != causation. I started using PCs heavily in
| the mid 90s, and yes "Illegal Operations" were abound.
| However, the SDLC has also come a long way with testing,
| automated QA, etc. Back then there was a lot more "wild
| west" going on for both hardware and software. Generally,
| practices are much more mature by default nowadays.
| flatiron wrote:
| And computers are so vastly different. We have these layers
| upon layers to deal with these differences. Back in the day
| it was just DOS and 386/486 then optimize the crap out of it.
| Even doom had their sound stuff done through a compatibility
| layer. Nowadays you need to deal with multiple video cards
| and os and processors. Just easier to make a one and done
| solution and leverage it
| dylan604 wrote:
| >(I still keep spamming save in software because of those days)
|
| muscle memory prevents me from being able to type a semicolon
| without cmd-s being the very next keys typed.
| Sunspark wrote:
| Defender's Real-Time feature also creates 100% CPU usage when
| burning a Windows To Go ISO using Rufus. Need to turn it off or
| things will go slowly.
| pfoof wrote:
| As an experienced one-person IT department "Antimalware Service
| Executable" turns our laptops into rockets since always
| vezycash wrote:
| I suffered because of this problem until I remembered that it's
| possible to exclude firefox.exe process in defender.
| pwarner wrote:
| Every security app seems to have problems like this all the time,
| and they never seem to be able to detect them themselves.
| Security software that didn't suck would be a huge opportunity,
| and yeah as others have alluded to, a huge carbon emission
| reduction!
|
| I had two different IT mandated apps taking up a total of 3.5
| _complete_ CPU cores for a week before I undocked and noticed the
| fast battery drain. On an M1 no fan blast to alert me. It's a
| terrible terrible state of affairs.
___________________________________________________________________
(page generated 2023-04-05 23:00 UTC)