Windows Defender causes 10X+ slowdown

So I have been playing with having a nightly backup job scheduled on my Windows 10 laptop using Task Scheduler. Now that Windows 10 includes SSH, it is getting easier to do.

But I was surprised my backup of a 4GB directory was taking 2m30s to do a scan when nothing changed. Poking around with Task Manager, I find that the Windows Defender malware scanner is running and taking up the time.

When I disable “Real-time protection” the time to run my null backup drops to like 10 seconds.

The only thing restic should be writing is the cache directory, so I tried adding an exception for that directory, but it didn’t change anything. It appears the malware scanner is reading every file that restic considers for backup. At the end is a snippet of ProcMon when restic is executing.

Something about the way restic is opening the files is making the malware scanner think the file might have changed.

I was previously using duplicacy on my laptop and it manages to scan a directory without triggering a malware scan so I know it can be done.

Personally I would be happy just disabling Windows Defender, but it automatically turns itself back on after a couple days, which is a pain. I am hoping to have some friends and relatives use restic to back up to my server and am trying to create an easy to follow set of directions. Disabling Defender won’t work for that group. (They need all the help they can get.)

|Time of Day|Process Name|PID|Operation|Path|Result|Detail|
|---|---|---|---|---|---|---|
|8:26:13.6571587 AM|restic.exe|19500|QueryInformationVolume|C:\Users\wscott\Documents\My Games\Crysis_WARHEAD\Shaders\Cache\oceanbottom.cfxb|SUCCESS|VolumeCreationTime: 3/29/2018 7:49:57 PM, VolumeSerialNumber: 64A4-D08C, SupportsObjects: True, VolumeLabel: |
|8:26:13.6571735 AM|restic.exe|19500|QueryAllInformationFile|C:\Users\wscott\Documents\My Games\Crysis_WARHEAD\Shaders\Cache\oceanbottom.cfxb|BUFFER OVERFLOW|CreationTime: 3/29/2018 5:42:56 PM, LastAccessTime: 8/17/2008 3:52:07 AM, LastWriteTime: 8/17/2008 3:52:07 AM, ChangeTime: 3/29/2018 5:42:56 PM, FileAttributes: A, AllocationSize: 4,096, EndOfFile: 3,666, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0x2000000029d01, EaSize: 0, Access: Generic Read, Position: 0, Mode: Synchronous IO Non-Alert, AlignmentRequirement: Long|
|8:26:13.6572729 AM|restic.exe|19500|CloseFile|C:\Users\wscott\Documents\My Games\Crysis_WARHEAD\Shaders\Cache\oceanbottom.cfxb|SUCCESS||
|8:26:13.6577010 AM|restic.exe|19500|CreateFile|C:\Users\wscott\Documents\My Games\Crysis_WARHEAD\Shaders\Cache\particles.cfxb|SUCCESS|Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened|
|8:26:13.6577299 AM|restic.exe|19500|QueryNetworkOpenInformationFile|C:\Users\wscott\Documents\My Games\Crysis_WARHEAD\Shaders\Cache\particles.cfxb|SUCCESS|CreationTime: 3/29/2018 5:48:07 PM, LastAccessTime: 8/17/2008 3:52:07 AM, LastWriteTime: 8/17/2008 3:52:07 AM, ChangeTime: 3/29/2018 5:48:07 PM, AllocationSize: 4096, EndOfFile: 2591, FileAttributes: A|
|8:26:13.6577440 AM|restic.exe|19500|CloseFile|C:\Users\wscott\Documents\My Games\Crysis_WARHEAD\Shaders\Cache\particles.cfxb|SUCCESS||
|8:26:13.6578808 AM|restic.exe|19500|CreateFile|C:\Users\wscott\Documents\My Games\Crysis_WARHEAD\Shaders\Cache\particles.cfxb|SUCCESS|Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened|
|8:26:13.6579425 AM|restic.exe|19500|QueryEAFile|C:\Users\wscott\Documents\My Games\Crysis_WARHEAD\Shaders\Cache\particles.cfxb|SUCCESS||
|8:26:13.6586086 AM|MsMpEng.exe|4808|CreateFileMapping|C:\Users\wscott\Documents\My Games\Crysis_WARHEAD\Shaders\Cache\particles.cfxb|FILE LOCKED WITH ONLY READERS|SyncType: SyncTypeCreateSection, PageProtection: \|PAGE_NOCACHE|
|8:26:13.6586252 AM|MsMpEng.exe|4808|QueryStandardInformationFile|C:\Users\wscott\Documents\My Games\Crysis_WARHEAD\Shaders\Cache\particles.cfxb|SUCCESS|AllocationSize: 4,096, EndOfFile: 2,591, NumberOfLinks: 1, DeletePending: False, Directory: False|
|8:26:13.6616433 AM|MsMpEng.exe|4808|LockFile|C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db-shm|SUCCESS|Exclusive: False, Offset: 124, Length: 1, Fail Immediately: True|
|8:26:13.6616683 AM|MsMpEng.exe|4808|UnlockFileSingle|C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db-shm|SUCCESS|Offset: 124, Length: 1|
|8:26:13.6633975 AM|restic.exe|19500|QueryInformationVolume|C:\Users\wscott\Documents\My Games\Crysis_WARHEAD\Shaders\Cache\particles.cfxb|SUCCESS|VolumeCreationTime: 3/29/2018 7:49:57 PM, VolumeSerialNumber: 64A4-D08C, SupportsObjects: True, VolumeLabel: |
|8:26:13.6634130 AM|restic.exe|19500|QueryAllInformationFile|C:\Users\wscott\Documents\My Games\Crysis_WARHEAD\Shaders\Cache\particles.cfxb|BUFFER OVERFLOW|CreationTime: 3/29/2018 5:48:07 PM, LastAccessTime: 8/17/2008 3:52:07 AM, LastWriteTime: 8/17/2008 3:52:07 AM, ChangeTime: 3/29/2018 5:48:07 PM, FileAttributes: A, AllocationSize: 4,096, EndOfFile: 2,591, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0x100000002d56c, EaSize: 0, Access: Generic Read, Position: 0, Mode: Synchronous IO Non-Alert, AlignmentRequirement: Long|
|8:26:13.6634709 AM|restic.exe|19500|CloseFile|C:\Users\wscott\Documents\My Games\Crysis_WARHEAD\Shaders\Cache\particles.cfxb|SUCCESS||
|8:26:13.6637604 AM|restic.exe|19500|CreateFile|C:\Users\wscott\Documents\My Games\Crysis_WARHEAD\Shaders\Cache\particlesnomat.cfxb|SUCCESS|Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened|
|8:26:13.6637858 AM|restic.exe|19500|QueryNetworkOpenInformationFile|C:\Users\wscott\Documents\My Games\Crysis_WARHEAD\Shaders\Cache\particlesnomat.cfxb|SUCCESS|CreationTime: 3/29/2018 5:47:42 PM, LastAccessTime: 8/17/2008 3:52:07 AM, LastWriteTime: 8/17/2008 3:52:07 AM, ChangeTime: 3/29/2018 5:47:42 PM, AllocationSize: 368, EndOfFile: 362, FileAttributes: A|
|8:26:13.6637970 AM|restic.exe|19500|CloseFile|C:\Users\wscott\Documents\My Games\Crysis_WARHEAD\Shaders\Cache\particlesnomat.cfxb|SUCCESS||
|8:26:13.6639183 AM|restic.exe|19500|CreateFile|C:\Users\wscott\Documents\My Games\Crysis_WARHEAD\Shaders\Cache\particlesnomat.cfxb|SUCCESS|Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened|
|8:26:13.6639695 AM|restic.exe|19500|QueryEAFile|C:\Users\wscott\Documents\My Games\Crysis_WARHEAD\Shaders\Cache\particlesnomat.cfxb|SUCCESS||
|8:26:13.6645989 AM|MsMpEng.exe|4808|CreateFileMapping|C:\Users\wscott\Documents\My Games\Crysis_WARHEAD\Shaders\Cache\particlesnomat.cfxb|FILE LOCKED WITH ONLY READERS|SyncType: SyncTypeCreateSection, PageProtection: \|PAGE_NOCACHE|
|8:26:13.6646148 AM|MsMpEng.exe|4808|QueryStandardInformationFile|C:\Users\wscott\Documents\My Games\Crysis_WARHEAD\Shaders\Cache\particlesnomat.cfxb|SUCCESS|AllocationSize: 368, EndOfFile: 362, NumberOfLinks: 1, DeletePending: False, Directory: False|
|8:26:13.6668140 AM|MsMpEng.exe|4808|LockFile|C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db-shm|SUCCESS|Exclusive: False, Offset: 124, Length: 1, Fail Immediately: True|
|8:26:13.6668401 AM|MsMpEng.exe|4808|UnlockFileSingle|C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db-shm|SUCCESS|Offset: 124, Length: 1|

Can you check again with the latest restic and the --quiet parameter? This avoids some scanning and may contribute to Windows Defender going all crazy.


This was a recent build from the tip of GitHub:

C:\Users\wscott>restic version
restic 0.9.2 (v0.9.2-42-gd708d607) compiled with go1.10.2 on windows/amd64

Adding -q removes all output, but Windows Defender is still crazy.



I may want to look into using VSS snapshots for backup. Unfortunately that makes my setup for backups on Windows a lot more complicated.

Specifying -q only makes restic’s output less verbose, but it doesn’t change anything restic does. I don’t have any idea why the Defender thinks restic may be malware.

This should not be the case (at least I can’t remember building anything like it); did you see this in the code somewhere? Specifying --quiet should only make restic’s output less verbose, nothing more.

I may have misinterpreted PR 1676:

I am being unclear. Windows Defender isn’t claiming restic is malware in any fashion, and the backup works correctly. Windows Defender is just reading and scanning every file restic looks at when doing a backup. The trace from the original post is after restic’s scan has completed and while restic is looking for files to include in the backup. None of those files were modified. It is as if Windows Defender thinks these files may have been modified by restic and it needs to check to make sure everything is OK.

If restic were opening all the files with Read/Write permissions to read them, then the antivirus software would need to double-check that they are still OK. That is why I used procmon, to make sure restic was only reading. It looked like that to me.

Have you tried adding restic to Windows Defender’s exclusion list?

Ah, yeah, you’re right and this indeed used to change something. That code has been superseded by the new archiver code. :slight_smile:


I added the restic cache directory to the exclude list with no effect. I assume adding my Documents folder to the exclude list would remove this overhead, since that is the directory I am trying to back up. But that is just a workaround.

Huh? The new code should be modifying the files that are being backed up? Are you trying to clear the Windows Archive Bit?

In my test restic is writing to a repository on another machine via SFTP so I assumed the only thing being modified on the local machine is the cache directory.

No, I meant adding restic.exe to the exclusion list.

@wscott What about release 0.8.3, with or without -q? That release uses the older archiver code; it would be interesting to see if the difference is there.

@fd0 I believe the point wscott is trying to make is that it looks like restic opens the files with read/write capabilities, while read capabilities should be enough?

That’s not the case (and it should not be), we only open files to save read-only…

Not at all, I meant that the scan process could be suppressed with a flag, --quiet.

Weird. My first reaction was “that’s not how the exclude list works,” but I figured I would try it just to say that it doesn’t work. :wink:

Then when I went to the settings, I see it asks if you are adding a file, folder, file type, or process. Process? Sure enough, if you add restic.exe, then Windows Defender will totally ignore whatever restic does and my backups are fast again. Thanks!
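The process exclusion described in the post above can be scripted rather than clicked through in the Settings app, which is what you want for a set of directions handed to other people. The following is an added example and is not code from the thread or from the restic project; it assumes restic.exe is installed at `C:\Tools\restic\restic.exe` (adjust the path), that `RESTIC_REPOSITORY` and `RESTIC_PASSWORD` are already set for the account running it, and that it is run from an elevated PowerShell prompt. It times a "null" backup (nothing changed since the last snapshot) before and after adding the exclusion, so the effect the post reports can be measured instead of eyeballed in Task Manager.

```powershell
# Added example, not from the original thread.
# Assumptions: restic.exe path below, RESTIC_REPOSITORY/RESTIC_PASSWORD set,
# elevated PowerShell (Add-MpPreference needs admin).
$ResticExe = 'C:\Tools\restic\restic.exe'      # assumption: your install path
$Source    = Join-Path $env:USERPROFILE 'Documents'

if (-not (Test-Path $ResticExe)) { throw "restic.exe not found at $ResticExe" }

# 1. Baseline: a null backup while Defender real-time protection still scans
#    every source file that restic.exe opens for reading.
$before = Measure-Command { & $ResticExe backup --quiet $Source }

# 2. Exclude restic.exe as a *process*. Defender then skips real-time scanning
#    of files opened by that process. A *path* exclusion on the restic cache
#    directory does not help, because the cost is the scan of each source
#    file on read, not the writes to the cache. Use the full path, not just
#    the image name, so an unrelated binary called restic.exe elsewhere on the
#    machine does not inherit the exclusion.
Add-MpPreference -ExclusionProcess $ResticExe

# 3. Verify the preference actually took (tamper protection or policy can
#    silently reject it).
$excluded = (Get-MpPreference).ExclusionProcess
if ($excluded -notcontains $ResticExe) {
    throw "process exclusion for $ResticExe was not applied"
}

# 4. Same null backup again, now with restic's reads unscanned.
$after = Measure-Command { & $ResticExe backup --quiet $Source }

"{0,-32}{1,8:N1} s" -f 'null backup, reads scanned:',  $before.TotalSeconds
"{0,-32}{1,8:N1} s" -f 'null backup, restic excluded:', $after.TotalSeconds

# Roll back with:
#   Remove-MpPreference -ExclusionProcess $ResticExe
```

Two caveats worth passing on with the directions. First, a process exclusion covers the files the process touches, not the binary itself, so Defender still scans restic.exe on disk and on launch; that is the behaviour you want. Second, the exclusion is broad: anything restic.exe reads or writes is unscanned, so keep it pinned to one full path of a binary you control, and prefer it over `Set-MpPreference -DisableRealtimeMonitoring`, which the original post notes gets turned back on after a couple of days anyway.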

Well, I was saying that the virus scanner is “acting” like the files might have been modified but my cursory glance at the system call trace looked like restic was using all read-only operations. But I am a unix guy so I wasn’t sure.


So I guess I have a workaround that I can reasonably add to a set of instructions for setting up backups on a Windows machine.