Microsoft Zaps 5-Year-Old Defender Bug, Reduces CPU Usage by 75% in Firefox

Firefox Logo
(Image credit: Shutterstock)

A performance-sapping conflict between Mozilla Firefox and Microsoft Defender was first discussed on Bugzilla half a decade ago. However, Firefox users can now rejoice, as Mozilla devs and Microsoft worked together to release an update to MsMpEng.exe (a core process of Windows Defender), which is currently being rolled out. Troubled users should notice a significant improvement after the update, with "a ~75% improvement in CPU usage from MsMpEng.exe when browsing with Firefox," according to senior Mozilla software engineer Yannis Juglaret.

So, what has been happening, and why was there an awful interaction between Firefox and Microsoft Defender? Microsoft acknowledged a problem with MsMpEng.exe using too much CPU time when Windows Defender's real-time Protection feature is spurred into action. This change has helped cut the CPU usage observed by Firefox users significantly.

Before and after Microsoft's patch (Image credit: Mozilla)

The Firefox app was particularly hard hit by the Microsoft bug, as the browser is said to generate up to 7x more Event Tracing for Windows (ETW) events compared to competitors (Edge, Chrome etc). It sends these ‘VirtualProtect’ calls to the antivirus / anti-malware provider to try and keep the browser safe from harm as it roams the web.

Though Microsoft’s patch of MsMpEng.exe helps a lot, as you can see from the above-quoted figures, Mozilla devs acknowledge that “We should try to reduce the number of events that Firefox generates, which will reduce the CPU usage from [all] AV software.” 

With this in mind, it is also worth noting that other AV solutions, like those from Norton, will also consume a lot of CPU time due to the numerous (7x) Firefox calls for monitoring VirtualProtect. Thus, any program that calls VirtualProtect will benefit from Microsoft’s new MsMpEng.exe, not just Firefox.

An “Explosive” Waste of Time

Mozilla’s Juglaret summed up the prior situation most succinctly when he wrote, “This problem has two sides: Microsoft was doing a lot of useless computations upon each event; and we are generating a lot of events.” He then underlined the impact, “The combination is explosive.”

Using more processing power than necessary is a common irritation for computer users. Those using laptops away from a power outlet will want to avoid CPU-eating applications when there are more efficient alternatives. Meanwhile, if the problem is widespread enough and runs long enough, the math is also scary for desktop users. For example, Hacker News forum members have estimated the energy wasted by Microsoft’s MsMpEng.exe, and the 300M+ users of Firefox could have easily eaten up the entire output of an average coal-fired power plant every day...

Mark Tyson
News Editor

Mark Tyson is a news editor at Tom's Hardware. He enjoys covering the full breadth of PC tech; from business and semiconductor design to products approaching the edge of reason.

  • frogr
    wasn't this "bug"slipped in by Microsoft years ago to slow the Firefox browser and force people to try Microsoft's browsers?
    Reply
  • RichardtST
    I wonder if this is the same bug that tried to kill Thunderbird (Mozilla email)? I could hardly read or write an email because of the lag. Adding a virus exclusion to the Thunderbird directory provided instant resolution. But that is not exactly a safe solution, of course. I'll have to try taking the exclusion back out...
    Reply
  • hotaru251
    just another reason to use Firefox now and avoid the Chromium browsers.
    Reply
  • Integr8d
    "It sends these ‘VirtualProtect’ calls to the antivirus / anti-malware provider to try and keep the browser safe"

    When you're on the practice field w/ your son, you don't tell him to 'try AND hit the ball'. You tell him to 'try TO hit the ball'.

    You're welcome:)
    Reply
  • SunMaster
    The old saying was «DOS ain’t done till Lotus won’t run».

    Microsoft will never change.

    And I will probably always cheer for the underdog - I hate monopolies.
    Reply
  • randomizer
    frogr said:
    wasn't this "bug"slipped in by Microsoft years ago to slow the Firefox browser and force people to try Microsoft's browsers?

    It would be pretty silly to slip in a bug affecting anything which make these API calls just to slow down Firefox.
    Reply
  • RedBear87
    hotaru251 said:
    just another reason to use Firefox now and avoid the Chromium browsers.
    I've been using Firefox since version 1.5 back in 2005, honestly I didn't know about this issue and it makes me wonder whether I should really keep sticking Firefox. At this point it mostly boils down to legacy addons and not liking to share my whole browsing history directly with Google's servers... when they blocked most extensions on Android I was already quite disappointed, albeit I've regained most of my extensions with the Nightly Builds since then.
    Reply
  • setx
    The solution is obvious, simple and was already available: kill MsMpEng.exe service and related kernel drivers.
    If you think you really need an antivirus – just install a decent 3'd party solution.
    Reply
  • randomizer
    setx said:
    The solution is obvious, simple and was already available: kill MsMpEng.exe service and related kernel drivers.
    If you think you really need an antivirus – just install a decent 3'd party solution.

    While the bug raised was about Defender, any AV that follows the same pattern for getting ETW event details could be affected to some degree.
    Reply
  • kyzarvs
    randomizer said:
    It would be pretty silly to slip in a bug affecting anything which make these API calls just to slow down Firefox.
    Is it really any different to the not-at-all-twaddle "Something went wrong so we had to reset your default browser preferences" update message?
    Reply