I know IT people often aren't given the time to dig into this stuff, but xperf and event tracing should reveal the culprit fairly quickly.
The best resource for this kind of stuff is Bruce Dawson's blog:
I know IT people often aren't given the time to dig into this stuff, but xperf and event tracing should reveal the culprit fairly quickly.
The best resource for this kind of stuff is Bruce Dawson's blog:
I'm not IT, I'm' just the senior most engineer in a game studio. Ive got WPA captures that point to windows defender, even with processes and folders excluded. But I have literally no idea what to do with those traces, hence my 99% conviction.
If it is mostly your own tooling you may want to look at setting up a dev drive. It is supposed to be more optimized around workloads that would normally spin stuff like defender off the rails.
I need to write the blog post. I keep being told this, and it’s not the solution.
After a reboot, on an NVMe dev drive with no disk encryption, first launch of our internal application (unreal editor) takes 9 minutes on my workstation. If I disable windows defender before launching it, it takes 30 seconds. If I add all the processes as exclusions, and add the workspace folder as an exclusion to defender… 9 minutes.
edit:
I didn't mean to direct this at you. I mean that it's somehow gained traction as being the solution to slow filesystem access, but the reality is it's just broken.
If it's that bad, why not just disable it?
Enterprise versions are tamper-protected.
Can you not dual boot into something else and delete the executable?
Disk encryption is also mandated in most enterprises.
I do not mean to patronize, it's just the enterprise-y stuff has tried locking down the PCs for exactly this reason - deleting the security tools when they're not loaded would be of course very effective.
On top of that, showing such motivation can expose people to violating the 782 commandments of whatever corporate IT policy someone had to sign to get a paycheck.
Rare is the security vs usability compromise in these companies that accounts for the need for high performance desktops, sadly.
I replied above but basically we still need something; some people are just incapable of not making a total mess and they will literally go to Trojan.com and install dangerous.msi, ignore all the optional dismissible pop ups that say this is bad, and then still drop me a DM that the cracked plugin they got for maya to try out before asking to spend $8 isn’t working…
If there’s a middle ground I’d love to hear it!
Couldn't you disable on a per-user basis? Everyone shouldn't be punished just because a few people can't be careful with their stuff.
The person mentioned is a special case but the reality is that most people do need _something_. What happens if one trusted person makes a mistake and submits an exe to perforce? Now absolutely everyone is hosed.
Why would everyone be hosed just because a binary got committed to version control? Either way, surely you can set up some policies or monitoring for that sort of thing.
I don't know, I've been developing on Windows for decades without an antivirus and I've never had these issues. Are your people downloading and installing random software all the time? In my experience, once I'm set up with my usual tools I rarely need to install anything else.
Eugh. Well, whatever. Not like it makes any difference to the employee. They get paid whether they're waiting for the computer to finish spinning or doing useful work.
We’re spending $4-8000 on these machines to try and offset these problems.
The problem is that there’s 100 of these “little” issues - and I have a full time job that _isnt_ doing IT support. If someone can help me find an IT support contractor that I can hire that will fix it I’d love to chat to them, but it goes in the pile alongside “why on earth does teams take longer to boot than my entire machine” and “why are we using zoom (because the person who makes the decision there prefers zoom to teams”)
I am the enterprise here. We enforce it on because the alternative is worse.
Because the alternative is worse - no protection. Because we have everything in Intune we get the per device scan reports (I lied - we do enforce _some_ stuff as a group policy. We disable turning off certain features and we manage the windows update cadence) and thrrr have been multiple people who still need it… it’s generally non tech people who just download the absolute worst crap imaginable and ignore all the bypassable warnings too.