I have observed a problem with Windows Antimalware Service Executable using high CPU when two processes on my computer are communicating over TCP. If I disable realtime scanning in Defender the problem goes away. However, disabling this comes with a warning saying it will only be disabled for a short while, but it doesn't say how long that means. The other alternative is to disable Windows Defender completely but I would rather not suggest our corporate customers do that.

Is there any way to whitelist my application to be completely ignored by Defender, or can I provide Defender more info to help it? If I cannot do that, can I tell Defender to use all CPUs?

Background: We are running an Excel add-in (XLL), which is a DLL that extends Excel. In the code this opens 8 parallel network connections to a server via TCP. In my test case the server and Excel are on the same machine, but for customers they are separate. Both Excel and our server have firewall rules to permit all network traffic. I have also tried adding them as exclusions in Defender. All code is digitally signed, and has been in production use for several years.

Impact: With realtime scanning active, the Antimalware process sits at around 20% CPU and everything else is broadly idle. The calculation time for the spreadsheet is around 2 minutes.

If I disable realtime scanning, then Antimalware uses 0% CPU, and Excel and our server together go to 100% CPU on all cores. The total calc time is about 10 seconds.

I'm not really sure what Antimalware is doing here, and it certainly isn't keeping up with the load being offered (not using 100% of all cores). The sockets are opened to 127.0.0.1 port 8xxx. The data being sent/received is binary, not HTTP. For my test, we are probably only sending and receiving 200Kb in total. Windows 10. i7 CPU. Non-virtual.

I hope I am asking in the right place - this doesn't really fit Stack Overflow.

rlb
  • Defender is slow, I also get high CPU usage when compiling code in VS2017. Try a 3rd party Antivirus suite (NOD32, Kaspersky, Bitdefender, Symantec) if they are faster. – magicandre1981 Mar 28 '18 at 14:12

0 Answers