It seems like the HN submission form truncated the # from the end of the URL I linked to, which linked to the relevant comment. I'll try that here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1441918#c82
and
I think it's a growing issue, as they mature/migrate their older code base, issues become less frequent.
I love thinking about the impacts of tiny improvements at scale like this, might do some napkin math on it later and see if I can come up with something in the right order of magnitude.
It also has a bug(?) which makes method calls 100x slower in PowerShell 7:
> > I would also like to add that this high CPU usage issue while using Firefox is not exclusive to Microsoft Defender. It's an issue for Norton's AV products also and should be the same for Symantec Endpoint products too.
> > So, you should also test them.
> It is true that we should analyze the situation with other AV vendors, however, given the numbers shared above, and given how relevant it is to keep track of memory protection changes in order to detect malicious behavior, it is very likely that the explanation for Windows Defender also applies (at least in part) to other AV vendors.
Can we get an edit on the title?
I may have some of the details wrong.
https://source.chromium.org/chromium/_/chromium/v8/v8.git/+/...
I wonder how many of the people who say "Firefox is significantly slower than Chrome" are using Windows... On my computer, Firefox IS slower than Chrome but (with ad blockers enabled) by an insignificant amount. By still being "the last remaining mostly independent, maintained and reasonably popular browser" I'd prefer to use it over Chrome even if it is a bit slower.
Of course, MS is no longer the "old micro$oft" but their history on how they handle competitor browsers makes one think how much interest they could have in investigating and fixing such a bug.
My takeaway is: prefer independent software as much as you can.
Another example: Chrome has rel=prerender support and some libraries use it to make loading pages faster. Safari and Firefox don't support it. But it's progressive enhancement, so why not use it. The result is that Chrome seems faster. There are probably many ways to make things faster on the other side but nobody will bother.
If I were Google, I would spend billions on making Chrome show ads really fast.
From fan noise to none on YouTube/Twitch - Chrome never made the fans spin.
This usually doesn't matter, but you can immediately see it in any page that
A) has a massive DOM
or
B) uses complex regular expressions that eat up the engine
Just as an example, loading jslinux.org for me in Firefox is about twice as fast as in Chrome. That might be a special case of course, because it is a very special type of workload that probably is not common on other websites. But I would love to see concrete examples of the opposite.
Don't ask me how I know it.
Firefox scored 89.5 ±1.7
Chromium scored 87.3 ±2.9
I guess that means Firefox was faster for those tests. I don't use Chrome or Chromium-based browsers in general so I don't know how they compare in "feel".
I am on Linux.
Which is a lot better than I was expecting compared to Firefox/Chromium.
Just for fun I also ran it on a Windows 11 mini-PC Ryzen 9 6900HX 3.3 GHz with no addons and obtained:
Edge: 291
Firefox: 196
I do not have Chrome installed but I believe Edge may be some fork of Chrome?
However, I had to disable some FF add-ons to get that score (Chrome had no add-ons to begin with).
I have heard the most complaints from Mac and Linux users on HN and Reddit. Especially with YouTube...
Windows + Firefox is just fine in my experience. After the Quantum upgrade/version. Yes, Chromium-based Edge and Chrome are a bit faster; Opera and Vivaldi feel slower depending on the number of tabs.
Firefox and Edge handle many tabs the best from a performance perspective on Windows in my experience. Vivaldi is very close.
Anything without vertical tabs is impossible to use with many tabs.
I'm happy this was found and it's not clear if this is already patched, but hopefully it will somewhat improve performance on YouTube or other sites like it going forward.
My impression is that its invention was for the sole purpose of eradicating the idea that Windows is insecure and prone to viruses, which explains why it can be overzealous and CPU hungry.
I would only enable it for family members who don't know what they are doing. For some reason, I haven't needed any form of active virus scanning in something like 15 years. If it turns out I've been infected this entire time, the criminals sure are taking their time stealing my money, etc.
A great example is PyTorch, which just recently had a supply chain attack: installing the nightly version between December 25th and December 30th, 2022 would result in your home directory getting uploaded, including SSH keys.
Chrome also just had a 0-day in 2022 - CVE-2022-3075
PyTorch supply chain attack via Triton 2022/2023 - https://www.bleepingcomputer.com/news/security/pytorch-discl...
EDIT: Also there's a misconception that Linux somehow doesn't get viruses - however the PyTorch attack affected Linux users. Making a virus for Windows gives you far more targets than Linux, which is why they're far more common.
On the other side, you install a very invasive AV software, which runs as a privileged user and intercepts everything that's happening on your system. They even make a great target for malware by themselves. Just recently ClamAV had a bug in its file scanner, which led to an RCE: CVE-2023-20032
And they're almost exclusively used in targeted attacks against valuable targets, because burning a 0-day to hack grandma's old laptop and steal her facebook password isn't a particularly good investment.
Do you think Defender would have helped with that? I'm highly doubtful.
What would probably have helped is if MS's implementation of protected folders, or whatever it's called, hadn't been completely brain-dead.
> EDIT: Also there's a misconception that Linux somehow doesn't get viruses - however the PyTorch attack affected Linux users. Making a virus for Windows gives you far more targets than Linux, which is why they're far more common.
That's correct. But at least on Linux, if you're so inclined, you can spend a couple of hours setting up some AppArmor or SELinux profiles to prevent random crap from accessing ~/.ssh and ~/top-secret.
At this point the only other antivirus I bother keeping an install of on my personal system is Malwarebytes free in case things really go tits up and I need to run it and rkill from safe mode.
I think this would describe the majority of computer users. And the majority of computer users are also using Windows.
> I haven't needed any form of active virus scanning in something like 15 years
Microsoft Defender antivirus was released alongside Windows 8 in 2012. And it's essentially a rewrite of Microsoft Security Essentials, which came included starting with Vista. If you haven't been explicitly disabling it, which your comment sounds like, you've been running one without knowing it for 16 years.
Not quite.
Windows Defender was released together with Windows Vista; this was very rudimentary and only handled malware and spyware, not unlike Malwarebytes. It did not handle viruses.
Microsoft Security Essentials was released standalone sometime during Windows 7's era; this was fully-fledged anti-virus.
Microsoft Security Essentials was renamed Microsoft Defender and bundled with Windows starting from Windows 8, where it has stayed to this day.
The problem is that this also includes most people who think they know what they’re doing. We’re in the middle of a big change in how general purpose computers work and it’s basically driven by accepting that people make mistakes, trusted sites or things like their URL shorteners or social media are compromised periodically, etc. Maybe you’re really good at never visiting dodgy websites, always use an ad blocker, etc. … but have you never installed the wrong Python, NPM, etc. package by mistake?
Short term, something like Defender makes sense for most devices used for web or email. Longer term, I think we need more focus on sandboxing, hardware MFA, etc. so we aren’t using systems so brittle that everything just falls apart if you make a mistake. I don’t want the entire world to be iOS but the status quo sucked more.
Well, during Windows XP days, if you connected to a LAN with compromised devices (in some countries it was popular to just hook up the entire neighborhood to a series of switches or a poorly managed office network) before you installed every single update possible - too late, your machine is part of the botnet.
Also, some environments require antivirus running for certification even if the machine in question is a linux server with read-only volumes.
Originally it was a lot less hostile; over the years it has itself become the villain it tried to fight.
I am not sure what the at-scale energy use reduction of this bug fix will be, but...
If I had a pile of money I would consider creating a special bug bounty style program for energy use reduction.
This might be a very efficient way to reduce carbon output from personal and data center computing.
The staff at a metal-recycling company we were installing at started complaining that the furnace would stop optimizing overnight. We investigated.
The controller computer would go into power-save mode, which suspended our control app. So the furnace would just sit there wasting power and burning up electrodes.
I calculated that during that week our furnace site wasted more power than all the power saved in America that year with power-save mode.
It would literally have been better if they'd never invented power save mode.
So be careful how much fiddling around we do. The law of unintended consequences will bite you in the butt every time.
Only if you considered the purpose of power-saving mode to be reducing total energy usage, vs. reducing the amount of power (and consequent wear & tear) an individual machine uses. However, that MS would release a feature like that which automatically kicks in on upgrade without any sort of consideration of what the machine was used for - it could be running life-support systems! - seems an issue. But I'd also expect a fair bit more diligence on behalf of engineers responsible for monitoring and maintaining systems that need 24x7 uptime.
The issue I was originally investigating was SQL timeouts; turned out the virtual servers were putting their virtual nics to sleep.
Also known as: If it ain't broke, don't fix it.
This can be a dangerous objective. There are already changes going into Windows 10+ regarding the OS scheduler [0]. Windows 11 is also noted as having an even more aggressive policy. How much longer before old games stop working correctly and we have to have MS-signed binaries to get 1ms timer resolution?
Obviously, we don't want to poll aggressively whenever we can avoid it, but there are also a lot of practical UX & technological reasons to have this capability.
[0]: https://learn.microsoft.com/en-us/windows/win32/api/timeapi/...
Particularly when Windows Update kicks in, the CPUs go to 100%, the thing overheats, and it is generally absolutely unusable as it downloads and scans/etc. the update it's preparing. The devices go from usable but slow, to put-it-down-for-a-couple-hours-because-you-won't-get-anything-done levels of usability.
Disabling Windows Defender for the 24 hours (or whatever it takes) before Windows decides to turn it back on is the single largest performance hack I've found to make those devices run reasonably. Guess this "bug" just reinforces that fact.
Maybe someone should donate a few to MS's windows engineering teams so they can enjoy the monster they have created running on the low end hardware that is still being sold.
If you disable it and leave the security window, it automatically turns on again. It's bullshit.
I wonder how much overhead in modern OS/PC user experience comes from security/stability abstractions and tools.
Modern software is much more reliable than the software from that era, people nowadays complain when a button isn't working - back then a button could randomly freeze my entire PC.
Muscle memory prevents me from being able to type a semicolon without cmd-s being the very next keys typed.
I purchased a license of a proper antivirus software to avoid that bug and the performance issues went away.
When you install another AV software, Windows Defender steps down and leaves scanning to the 3rd-party security solution. I selected one of the most lightweight ones I could find. It has been a net win for me.
One shouldn't need to do this, but it has worked so far, for years now.
Which is that? For years (and come to think of it, this goes back to the 2000's or even 90's), AV / antimalware software comes across as scareware, using tricks to ensure you're afraid of not having it.
And second, who here has ever had a virus in the past ten years?
I purchased a license of ESET Internet Security, and full disclosure: back in early 2017, I worked at an ESET-licensed reseller as a Presales and Support Engineer, so I know how to fine-tune it and all the ins and outs.
By nature, it's very lightweight (330 MB RAM footprint), but you can fine-tune it even more if you want.
> And second, who here has ever had a virus in the past ten years?
We the people at HN are tech-savvy and of course will not get infected, but recently I spotted malware out in the wild via Facebook Ads[0].
Your usual grandma/grandpa using the computer to connect with loved ones and play Candy Crush Saga will get infected, if they are not by now.
Some people tell me: "bUt tHaT'S BeCaUsE ThEy aRe vIsItInG WeIrD SiTeS," well, even if you stick to the common social media sites and usual news sites, you will get infected.
I cannot emphasize this enough, but you're responsible for your own computer so I will not proselytize you into purchasing AV software.
--
[0]: https://twitter.com/IvanMontillaM/status/1604308301579051009
https://www.av-comparatives.org/tests/performance-test-octob...
https://www.av-test.org/en/antivirus/home-windows/windows-10... (less useful..)
AV comparatives has some other tests also that might be of interest to HNers:
https://www.av-comparatives.org/tests/uninstallation-test-20...
https://www.av-comparatives.org/tests/false-alarm-test-septe... (reason why you might not want to pick the fastest product..)
I can't actually remember the last time any anti-malware software (built-in or otherwise) actually detected anything like a traditional virus, but there are plenty of computer users who are rather more trusting of links (including ones that download executables) in emails and the like. I don't doubt if I used a machine with all protection turned off and with the level of caution of a typical non-technical user it'd be hit with malware sooner or later. Most likely a browser plugin capable of reading passwords as I type them etc.
Sophos does this on my work laptop with depressing regularity. At this point I just go grab coffee when the fans max out, cause I know the disk is similarly pegged and it'll be about as snappy as a bogged down Windows 98 machine until it finishes.
It eats up a lot of CPU. It doesn’t seem like much help in a default update enabled system where you are using a regular user account instead of an administrator account.
In addition, anti-virus and real time scanning is itself potential surface area for an exploit (for example a few years back there was an exploit based on Norton antivirus email scanner).
It uses next to no system resources (issues like this aside), it integrates perfectly with Windows (it comes from Microsoft, after all), it's reasonably effective (to the chagrin of AV vendors the world over), and it isn't intrusive.
For me, no.
I grew up in the era of internet wild-west and I understand why some of us still feel the need to operate with multiple levels of (perceived) safety even today.
That said, I think most of it is really foolish crap now. The sorts of exploits that are out in the wild that you should actually worry about will go right through defender like a modern bunker buster.
It's really upsetting to me when you think about how much performance/energy/UX latency/frustration/et al. is being spent in hopes of achieving a minor incremental improvement in security. Windows Defender == TSA for your PC.
If you know to not download & run executable files from sketchy websites, you are basically already at the limits of what defender is effectively achieving on your local machine.
If you have a Pro version of Windows there is a group policy setting for it. [1]
If you have Home, you can achieve the same effect by manually tweaking the registry. [2]
--
[1] Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Real-time Protection
[2] HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\"DisableRealtimeMonitoring"=dword:00000001
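A read-only audit of the setting the comment above describes, as an added example that is not part of the original post: it reports whether the policy value has been set and cross-checks it against what the Defender service itself reports (assumes the built-in Defender PowerShell module; `Get-MpComputerStatus` is its cmdlet).

```powershell
# Added example (not from the comment above): audit whether real-time protection
# has been turned off through the policy key named in the comment. Useful as a
# tamper check, since malware also likes to flip this value.
# Assumes Windows with the Defender PowerShell module available.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$ValueName = 'DisableRealtimeMonitoring'

function Get-RealtimePolicyDisabled {
    # $true when the value is present and equals 1 (disabled by policy);
    # $false when it is 0 or the key/value is absent (the default state).
    if (-not (Test-Path -Path $PolicyKey)) { return $false }
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$ValueName) { return $false }
    return ([int]$props.$ValueName -eq 1)
}

function Get-DefenderRuntimeState {
    # What the running service reports, independent of the registry.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        return [pscustomobject]@{
            RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
            AntivirusEnabled          = $status.AntivirusEnabled
            AMEngineVersion           = $status.AMEngineVersion
        }
    } catch {
        # Module missing, or a third-party AV has taken over and Defender is passive.
        return $null
    }
}

$policyDisabled = Get-RealtimePolicyDisabled
$runtime        = Get-DefenderRuntimeState

"Policy '$ValueName' set to 1: $policyDisabled"
if ($null -ne $runtime) {
    "Service reports real-time protection enabled: $($runtime.RealTimeProtectionEnabled)"
    "Service reports engine version: $($runtime.AMEngineVersion)"
    if ($policyDisabled -and $runtime.RealTimeProtectionEnabled) {
        "Note: policy says disabled but the service still reports enabled (Tamper Protection or a pending policy refresh)."
    }
} else {
    "Get-MpComputerStatus unavailable; Defender module missing or another AV is active."
}
```

Reading the key needs no elevation, so this can run from a normal user session; Defender's Tamper Protection can make the policy value ineffective, which is why the two views are compared.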
I had two different IT mandated apps taking up a total of 3.5 complete CPU cores for a week before I undocked and noticed the fast battery drain. On an M1 no fan blast to alert me. It's a terrible terrible state of affairs.
If you don't believe me, try XFCE on Linux. You will see how fast your computer truly is.
Complete removal of windows defender on retail OS is feasible if you can figure out how to elevate a prompt to trusted installer. Alternatively, if you run Windows Server, you can use Remove-WindowsFeature to get it gone for good.
I have a script that accomplishes this, but I hesitate to share it because I don't want some asshole at Microsoft to patch it.
C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{BUNCH-OF-NUMBERS}
Right click `mpengine.dll`, choose Properties, click Details tab, and check to see if Product Version is >= 1.1.20200.3. Mine is 1.1.20200.4 and was updated in mid/late March. If the version is less than 1.1.20200.3, you can manually trigger a definitions update in Windows Defender under Virus & Threat Protection.
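The version check described above, scripted, as an added example that is not part of the original comment: it discovers the GUID-named folder rather than hard-coding it, reads the product version of `mpengine.dll`, and compares it with the 1.1.20200.3 threshold the comment gives (assumes the default Defender install location and, for the cross-check, the Defender PowerShell module).

```powershell
# Added example (not from the comment above): find every mpengine.dll under the
# Definition Updates folder and compare the newest one with the version the
# comment names as carrying the fix. Assumes the default Defender path.

$Threshold = [version]'1.1.20200.3'
$DefsRoot  = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Definition Updates'

function Get-MpEngineVersions {
    # One entry per engine copy found; several {GUID} folders may exist
    # (current definitions plus a backup set), so all are inspected.
    Get-ChildItem -Path $DefsRoot -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dll = Join-Path $_.FullName 'mpengine.dll'
            if (Test-Path -Path $dll) {
                try {
                    [pscustomobject]@{
                        Folder  = $_.Name
                        Version = [version](Get-Item $dll).VersionInfo.ProductVersion
                    }
                } catch {
                    Write-Warning "Could not parse version for $dll"
                }
            }
        }
}

function Test-MpEngineFixed {
    # $true when the newest engine copy on disk is at or beyond the threshold.
    $versions = @(Get-MpEngineVersions)
    if ($versions.Count -eq 0) { return $false }
    $newest = ($versions | Sort-Object Version -Descending | Select-Object -First 1).Version
    Write-Host "Newest mpengine.dll on disk: $newest"
    return ($newest -ge $Threshold)
}

if (Test-MpEngineFixed) {
    "Engine is at or above $Threshold."
} else {
    "Engine is below $Threshold (or not found); trigger a definitions update under Virus & Threat Protection."
}

# Cross-check with what the running service reports (Defender PowerShell module).
try {
    $engine = [version](Get-MpComputerStatus -ErrorAction Stop).AMEngineVersion
    "Service reports engine $engine; at or above threshold: $($engine -ge $Threshold)"
} catch {
    "Get-MpComputerStatus unavailable (module missing or Defender not active)."
}
```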