
Antimalware Service Executable

Troy Tinnes
2026-06-11T02:24:42.9666667+00:00

Antimalware Service Executable: this service runs all day, every day, and has been causing huge spikes in CPU usage for the past month. No reported issues on my security, but I don't understand why it is taking up so much of my resources.

Microsoft Security | Microsoft Defender | Other

1 answer

  1. AI answer

    2026-06-11T02:24:54.5866667+00:00

    Antimalware Service Executable is the Microsoft Defender Antivirus real-time protection process (MsMpEng.exe). High or continuous CPU usage typically means Defender is actively scanning or doing extra work for protection.

    Common reasons and what to adjust:

    1. Scan after security intelligence updates
    • By default, Defender runs a scan after each security intelligence (definition) update, which can cause frequent CPU spikes.
    • To reduce this behavior via Group Policy or another management tool:
      • Go to Computer Configuration\Administrative Templates\Microsoft Defender Antivirus\Security Intelligence Updates.
      • Set Turn on scan after security intelligence update to Disabled.
    • This lowers CPU usage but also reduces immediate post-update scanning, so it is a security vs. performance trade-off.
    2. Conflicts with other security software
    • If non-Microsoft security tools are installed (antivirus, EDR, DLP, VPN, etc.), Defender may spend extra CPU scanning their binaries and activity.
    • Mitigation:
      • Add those products’ paths and processes to Microsoft Defender Antivirus exclusions.
      • Also ensure those products exclude Defender’s binaries as documented in Configure your network environment to ensure connectivity with Defender for Endpoint service.
    3. Large files or redirected profiles
    • Large files such as .iso, .vhd, .vhdx stored in user profile folders that are redirected to network locations (Offline Files/CSC, OneDrive, mapped drives, SMB shares) can cause long scans and high CPU because network I/O is slower.
    • Mitigation:
      • Move large disk images and similar archives out of redirected profile folders (Desktop, Downloads, Documents, etc.) to a local, non-redirected folder.
    4. Unsigned binaries
    • Every time an unsigned .exe or .dll runs, Defender performs more intensive scanning, which can increase CPU usage.
    • Mitigation options:
      • Sign internal binaries using an internal PKI and add the signing certificate to Indicators – Certificate - allow.
      • For third-party software, ask the vendor to sign binaries and follow Microsoft’s guidance to minimize false positives.
      • As a workaround, use Indicators – File hash - allow for specific safe binaries, or configure Antivirus exclusions (process + path) for trusted apps.
    5. Complex file formats used as “databases”
    • Using HTA, CHM, or similar complex formats as data stores can cause heavy scanning overhead.
    • Mitigation:
      • Switch to proper database formats where possible.
      • As a workaround, add process/path exclusions for trusted workloads that use these files.
    6. File hash computation
    • If file hash computation is enabled (for Defender file indicators), copying or accessing large files—especially over VPN or network shares—adds CPU overhead.
    • Mitigation:
      • Decide whether the extra security is required. To reduce CPU load, disable file hash computation:
        • Go to Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine.
        • Adjust the file hash computation feature accordingly (note that Indicators – File hash require this feature enabled).

    If CPU usage has recently increased, check for:

    • Recent changes in other security tools.
    • New large files or redirected folders.
    • New or updated unsigned applications.
    • Policy changes that enabled file hash computation or more aggressive scanning.

    Any exclusions or feature reductions should be carefully evaluated, as they can lower protection. Apply them only to well-understood, trusted files, folders, or processes.



    Was this answer helpful?
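A read-only triage script for the causes listed in the answer above, as an added example that is not part of the original answer or Microsoft's own tooling. It assumes an elevated PowerShell session on a Windows client; the `$ScanRoot` folder and the `$LargeFileMB` threshold are hypothetical values chosen for illustration. It changes no settings and adds no exclusions.

```powershell
# Added example: inspect (never modify) the Defender settings and files
# that the answer names as common causes of high MsMpEng.exe CPU usage.
param(
    [string]$ScanRoot    = $env:USERPROFILE,  # assumption: folder to inspect
    [int]   $LargeFileMB = 1024               # assumption: "large file" cutoff
)

# Current Defender preferences. Exclusions are only visible when elevated.
$pref = Get-MpPreference

'--- File hash computation (cause 6) ---'
"EnableFileHashComputation = $($pref.EnableFileHashComputation)"

'--- Exclusions already configured (review before adding more) ---'
[pscustomobject]@{
    Paths      = $pref.ExclusionPath      -join '; '
    Processes  = $pref.ExclusionProcess   -join '; '
    Extensions = $pref.ExclusionExtension -join '; '
} | Format-List

'--- Other registered antivirus products (cause 2) ---'
# SecurityCenter2 exists on client editions of Windows, not on Server.
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
    -ErrorAction SilentlyContinue |
    Select-Object displayName, pathToSignedProductExe

"--- Disk images of $LargeFileMB MB or more under $ScanRoot (cause 3) ---"
Get-ChildItem -Path $ScanRoot -Recurse -File -Include *.iso, *.vhd, *.vhdx `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -ge ($LargeFileMB * 1MB) } |
    Select-Object FullName, @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB) } }

"--- Unsigned .exe/.dll files under $ScanRoot (cause 4) ---"
Get-ChildItem -Path $ScanRoot -Recurse -File -Include *.exe, *.dll `
    -ErrorAction SilentlyContinue |
    Get-AuthenticodeSignature |
    Where-Object { $_.Status -eq 'NotSigned' } |
    Select-Object Path, Status

# To measure which files and processes actually cost scan time, Defender's
# performance analyzer cmdlets can be run separately:
#   New-MpPerformanceRecording -RecordTo .\defender.etl
#   Get-MpPerformanceReport -Path .\defender.etl -TopFiles 10 -TopProcesses 10
```

Use the output to decide which single cause applies before changing any policy, so that an exclusion is scoped to one understood path or process rather than added broadly.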
