
March 29, 2017

High CPU on IIS Server 2016 from MsMpEng.exe

If you are running production load on an IIS server that runs Windows Server 2016 with Windows Defender/Endpoint Protection and Real-Time Protection enabled, you may find that MsMpEng.exe (the Windows Antimalware service) is taking a lot of CPU and causing IIS performance issues.

Fortunately the solution is relatively simple. After some trial and error, I was able to find that the Real-Time Protection setting: “Scan all downloaded files and enable exploit protection for Internet Explorer” was the culprit. Simply changing this setting to “No” immediately solved the problem.

I have found this setting does not appear to cause issues in Windows Server 2008 R2, 2012 or 2012 R2, only 2016. Also, in Server 2016, this setting is not exposed via the UI on the server and must be managed via System Center Configuration Manager (or by manually editing the registry).

I did not notice an issue on IIS servers with low load (as Windows Defender could keep up), but once I started having hundreds/thousands of connections to the IIS server, MsMpEng.exe (the Windows Antimalware service) would immediately peg CPU to 100%.

4 Comments
  1. Christian
    May 8 2017

    Hi!

    I have the same problem as you described.
    Can you explain in detail where I can find the setting “Scan all downloaded files and enable exploit protection for Internet Explorer”?

    • Brent
      Jun 19 2017

      Christian, sorry for the delay, just saw this comment. Open the Configuration Manager console, go to Assets and Compliance, expand Endpoint Protection, go into Antimalware Policies, and edit the policy that is applied to the servers in question. Once editing the policy, click the Real-Time Protection pane, and the fourth option down should be “Scan all downloaded files and enable exploit protection for Internet Explorer”; set this to “No”. Hope this helps.

      • Christian
        Jun 21 2017

        Thx for your reply.
        My server is not associated with a System Center Configuration Manager. How do I configure it directly on the server?

        • Brent
          Jun 23 2017

          Hey, I believe I found the corresponding registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection. It is a DWORD called DisableIOAVProtection with a value of 1 (1 turns it off, 0 is on).

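A read-only check for the value named in the last comment, paired with a CPU sample for MsMpEng.exe, as an added example that is not from the original post or its comments. It assumes the policy path and value name exactly as quoted there, the Defender PowerShell module (`Get-MpPreference`) being present, and English performance counter names; the function names, sample count and interval are arbitrary choices.

```powershell
# Added example: read-only audit, changes nothing on the server.
# Path and value name are copied from the comment above (assumed correct for this host).
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection'
$valueName  = 'DisableIOAVProtection'

function Get-IoavPolicyState {
    # Reports how the policy value is set: absent, 1 (scanning off) or 0 (scanning on).
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ([int]$item.$Name -eq 1) { return 'DownloadScanningDisabled' }
    return 'DownloadScanningEnabled'
}

function Get-MsMpEngCpuPercent {
    # Averages MsMpEng CPU over several samples, normalised to whole-machine capacity.
    # Counter path is the English name; localized systems use translated names.
    param([int]$Samples = 5, [int]$IntervalSeconds = 2)
    $sets = Get-Counter -Counter '\Process(MsMpEng)\% Processor Time' `
        -SampleInterval $IntervalSeconds -MaxSamples $Samples -ErrorAction Stop
    $avg = ($sets.CounterSamples | Measure-Object -Property CookedValue -Average).Average
    [math]::Round($avg / [Environment]::ProcessorCount, 1)
}

# Effective preference as Defender itself reports it, when the cmdlet is available.
$effective = 'Unknown (Get-MpPreference not available)'
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $effective = (Get-MpPreference).DisableIOAVProtection
}

[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    Timestamp             = Get-Date -Format o
    PolicyValue           = Get-IoavPolicyState -Path $policyPath -Name $valueName
    DisableIOAVProtection = $effective
    MsMpEngCpuPercent     = Get-MsMpEngCpuPercent
}
```

Running it under comparable load before and after the policy change records both the CPU effect and the fact that download scanning is off on that server.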
