It seems like the HN submission form truncated the # from the end of the URL I linked to, which linked to the relevant comment. I'll try that here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1441918#c82
and
C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{BUNCH-OF-NUMBERS}
Right click `mpengine.dll`, choose Properties, click Details tab, and check to see if Product Version is >= 1.1.20200.3. Mine is 1.1.20200.4 and was updated in mid/late March. If the version is less than 1.1.20200.3, you can manually trigger a definitions update in Windows Defender under Virus & Threat Protection.
I am not sure what the at-scale energy use reduction of this bug fix will be, but...
If I had a pile of money I would consider creating a special bug bounty style program for energy use reduction.
This might be a very efficient way to reduce carbon output from personal and data center computing.
I wonder how many of the people who say "Firefox is significantly slower than Chrome" are using Windows... On my computer, Firefox IS slower than Chrome but (with ad blockers enabled) by an insignificant amount. By still being "the last remaining mostly independent, maintained and reasonably popular browser" I'd prefer to use it over Chrome even if it is a bit slower.
Of course, ms is no longer the "old micro$oft" but their history on how they handle competitor browsers makes one think how much interest they could have in investigating and fixing such a bug.
My takeaway is: prefer independent software as much as you can.
The staff at a metal-recycling company we were installing at started complaining that the furnace would stop optimizing overnight. We investigated.
The controller computer would go into power-save mode, which suspended our control app. So the furnace would just sit there wasting power and burning up electrodes.
I calculated that during that week our furnace site wasted more power than all the power saved in America that year with power-save mode.
It would literally have been better if they'd never invented power save mode.
So be careful how much fiddling around we do. The law of unintended consequences will bite you in the butt every time.
Linux as she is written comes with no warranty of anything, it is much more “consumer grade” than those variants of windows.
I think even enterprise linux does not come with support for industrial applications.
(I say this as a huge proponent of Linux supremacy)
This usually doesn't matter, but you can immediately see it in any page that
A) has a massive DOM
or
B) uses complex regular expressions that eat up the engine
I purchased a license of a proper antivirus software to avoid that bug and the performance issues went away.
When you install another AV software, Windows Defender steps down and leaves scanning to the 3rd-party security solution. I selected one of the most lightweight ones I could find. It has been a net win for me.
One shouldn't need to do this, but it has worked so far, for years now.
I think it's a growing issue, as they mature/migrate their older code base, issues become less frequent.
I wonder how much overhead in modern OS/PC user experience comes from security/stability abstractions and tools.
Sophos does this on my work laptop with depressing regularity. At this point I just go grab coffee when the fans max out, cause I know the disk is similarly pegged and it'll be about as snappy as a bogged down Windows 98 machine until it finishes.
Just as an example, loading jslinux.org for me in Firefox is about twice as fast as in Chrome. That might be a special case of course, because it is a very special type of workload that probably is not common on other websites. But I would love to see concrete examples of the opposite.
Which is that? For years (and come to think of it, this goes back to the 2000's or even 90's), AV / antimalware software comes across as scareware, using tricks to ensure you're afraid of not having it.
And second, who here has ever had a virus in the past ten years?
Only if you considered the purpose of power-saving mode to reduce total energy usage, vs to reduce amount of power (and consequent wear & tear) an individual machine uses. However that MS would release a feature like that which automatically kicks in on upgrade without any sort of consideration of what the machine was used for - it could be running life-support systems! - seems an issue. But I'd also expect a fair bit more diligence on behalf of engineers responsible for monitoring and maintaining systems that need 24x7 uptime.
It eats up a lot of CPU. It doesn’t seem like much help in a default update enabled system where you are using a regular user account instead of an administrator account.
In addition, anti-virus and real time scanning is itself potential surface area for an exploit (for example a few years back there was an exploit based on Norton antivirus email scanner).
muscle memory prevents me from being able to type a semicolon without cmd-s being the very next keys typed.
i shudder at the thought that a critical piece of life-support anything would be running a windows based OS.
My impression is that its invention was for the sole purpose of eradicating the idea that Windows is insecure and prone to viruses, which explains why it can be overzealous and CPU hungry.
I would only enable it for family members who don't know what they are doing. For some reason, I haven't needed any form of active virus scanning in something like 15 years. If it turns out I've been infected this entire time, the criminals sure are taking their time stealing my money, etc.
I can't actually remember the last time any anti-malware software (built-in or otherwise) actually detected anything like a traditional virus, but there are plenty of computer users who are rather more trusting of links (including ones that download executables) in emails and the like. I don't doubt if I used a machine with all protection turned off and with the level of caution of a typical non-technical user it'd be hit with malware sooner or later. Most likely a browser plugin capable of reading passwords as I type them etc.
I purchased a license of ESET Internet Security, and full disclosure: back in early 2017, I worked at an ESET-licensed reseller as a Presales and Support Engineer, so I know how to fine-tune it and all the ins and outs.
By nature, it's very lightweight (330 Mb RAM footprint), but you can fine-tune it even more if you want.
> And second, who here has ever had a virus in the past ten years?
We the people at HN are tech-savvy and of course will not get infected, but recently I spotted malware out-in-the-wild via Facebook Ads[0].
Your usual grandma/grandpa using the computer to connect with loved ones and play Candy Crush Saga will get infected, if they are not by now.
Some people tell me: "bUt tHaT'S BeCaUsE ThEy aRe vIsItInG WeIrD SiTeS," well, even if you stick to the common social media sites and usual news sites, you will get infected.
I cannot emphasize this enough, but you're responsible for your own computer so I will not proselytize you into purchasing AV software.
--
[0]: https://twitter.com/IvanMontillaM/status/1604308301579051009
Firefox scored 89.5 ±1.7
Chromium scored 87.3 ±2.9
I guess that means Firefox did faster for those tests. I don't use Chrome or Chromium based browsers in general so I don't know how they compare in "feel".
I am on Linux.
Modern software is much more reliable than the software from that era, people nowadays complain when a button isn't working - back then a button could randomly freeze my entire PC.
A great example is Pytorch just recently had a supply chain attack, and installing the nightly version between December 25th and December 30th, 2022 - would result in your home directory getting uploaded including ssh keys.
Chrome also just had a 0 day 2022 - CVE-2022-3075
Pytorch supply chain attack via Triton 2022/2023 - https://www.bleepingcomputer.com/news/security/pytorch-discl...
EDIT: Also there's a misconception that Linux somehow doesn't get viruses - however the Pytorch attack affected Linux users. Making a virus for Windows gives you far more targets than Linux, which is why they're far more common.
> > I would also like to add that this high CPU usage issue while using Firefox is not exclusive to Microsoft Defender. It's an issue for Norton's AV products also and should be the same for Symantec Endpoint products too.
> > So, you should also test them.
> It is true that we should analyze the situation with other AV vendors, however, given the numbers shared above, and given how relevant it is to keep track of memory protection changes in order to detect malicious behavior, it is very likely that the explanation for Windows Defender also applies (at least in part) to other AV vendors.
Can we get edit on the title?
It feels like this is a straw man constructed to bash Firefox, rather than a real world scenario.
The issue I was originally investigating was SQL timeouts; turned out the virtual servers were putting their virtual nics to sleep.
It also has a bug(?) which makes method calls 100x slower in PowerShell 7:
I think this would describe the majority of computer users. And the majority of computer users are also using Windows.
> I haven't needed any form of active virus scanning in something like 15 years
Microsoft Defender antivirus was released alongside Windows 8 in 2012. And it's essentially a rewrite of Microsoft Security Essentials which came included starting with Vista. If you haven't been explicitly disabling it, which your comment sounds like, you've been running one without knowing it for 16 years
I may have some of the details wrong.
https://source.chromium.org/chromium/_/chromium/v8/v8.git/+/...
I love thinking about the impacts of tiny improvements at scale like this, might do some napkin math on it later and see if I can come up with something in the right order of magnitude.
Not quite.
Windows Defender was released together with Windows Vista, this was very rudimentary and only handled malware and spyware not unlike Malwarebytes, it did not handle viruses.
Microsoft Security Essentials was released standalone sometime during Windows 7's era, this was fully fledged anti-virus.
Microsoft Security Essentials was renamed Microsoft Defender and bundled with Windows starting from Windows 8, where it has stayed to this day.
https://www.av-comparatives.org/tests/performance-test-octob...
https://www.av-test.org/en/antivirus/home-windows/windows-10... (less useful..)
AV comparatives has some other tests also that might be of interest to HNers:
https://www.av-comparatives.org/tests/uninstallation-test-20...
https://www.av-comparatives.org/tests/false-alarm-test-septe... (reason why you might not want to pick the fastest product..)
Also known as: If it ain't broke, don't fix it.
I recall reading a study a few years back saying how it's safer to browse porn sites than it is to browse what most would call "common" sites such as retailers.
It uses next to no system resources (issues like this aside), it integrates perfectly with Windows (it comes from Microsoft, after all), it's reasonably effective (to the chagrin of AV vendors the world over), and it isn't intrusive.
On the other side, you install a very invasive AV software, which runs as a privileged user and intercepts everything that's happening on your system. They even make a great target for malware by themselves. Just recently ClamAV had a bug in its file scanner, which led to an RCE: CVE-2023-20032
I had two different IT mandated apps taking up a total of 3.5 complete CPU cores for a week before I undocked and noticed the fast battery drain. On an M1 no fan blast to alert me. It's a terrible terrible state of affairs.
- require admin rights (which means that if they have vulnerabilities, it can take control of the entire machine, even if Firefox itself is sandboxed);
- monkey-patch the Firefox executable in memory, which works (when it does) as long as the version of the software tracks closely the version of Firefox, which may or may not be the case;
- ... and also decreases the memory-safety of Firefox, which makes it easier to pwn;
- ... and also makes the crash reports unreliable;
- install encryption certificates that are actually less trustworthy than Mozilla's, hence decreasing the security of https;
- block Firefox and add-on security updates, also decreasing security;
- install privileged add-ons, many of which are easy to exploit from any webpage;
- ...
Part of the work on Crash Scene Investigations was attempting to determine whether the crash was in Firefox or in code or in some bogus foreign code. Depressingly often, it was the latter.
In your case, it's entirely possible that malwarebytes was simply untested on Firefox.
And they're almost exclusively used in targeted attacks against valuable targets, because burning a 0-day to hack grandma's old laptop and steal her facebook password isn't a particularly good investment.
The version of Windows Defender that came with Vista was a bit different and included realtime scanning when executables were run.
At this point the only other antivirus I bother keeping an install of on my personal system is Malwarebytes free in case things really go tits up and I need to run it and rkill from safe mode.
Which is a lot better than I was expecting compared to Firefox/Chromium.
If you have a Pro version of Windows there is a group policy setting for it. [1]
If you have Home, you can achieve the same effect by manually tweaking the registry. [2]
--
[1] Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Real-time Protection
[2] HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\"DisableRealtimeMonitoring"=dword:00000001
The problem is that this also includes most people who think they know what they’re doing. We’re in the middle of a big change in how general purpose computers work and it’s basically driven by accepting that people make mistakes, trusted sites or things like their URL shorteners or social media are compromised periodically, etc. Maybe you’re really good at never visiting dodgy websites, always use an ad blocker, etc. … but have you never installed the wrong Python, NPM, etc. package by mistake?
Short term, something like Defender makes sense for most devices used for web or email. Longer term, I think we need more focus on sandboxing, hardware MFA, etc. so we aren’t using systems so brittle that everything just falls apart if you make a mistake. I don’t want the entire world to be iOS but the status quo sucked more.
From fan noise to none on youtube/twitch - chrome never made the fans spin.
I'm not so sure that running lights isn't a net positive, especially with the introduction of LED lights.
Correlation != causation. I started using PCs heavily in the mid 90s, and yes "Illegal Operations" abounded. However, the SDLC has also come a long way with testing, automated QA, etc. Back then there was a lot more "wild west" going on for both hardware and software. Generally, practices are much more mature by default nowadays.
Another example Chrome has rel=prerender support and some libraries use it to make loading pages faster. Safari and Firefox don't support it. But it's progressive enhancement so why not use it. Result is that Chrome seems faster. There are probably many ways to make things faster on the other side but nobody will bother.
README.md : "to get this to work, curl or wget the following script and run it as sudo"
Linux users: Aye
This one was a frustratingly common cause of crashes when I worked in gamedev. So many crashes would end up being some overlay or antivirus monkeying about with memory.
Don't ask me how I know it.
Meh, I see Ubuntu black screens in public appliances as well.
Life support systems don't run windows. And if you're running consumer windows on anything critical, you fucked up.
I'm happy this was found and it's not clear if this is already patched, but hopefully it will somewhat improve performance on youtube or other sites like it going forward.
This can be a dangerous objective. There are already changes going into Windows 10+ regarding the OS scheduler [0]. Windows 11 is also noted as having an even more aggressive policy. How much longer before old games stop working correctly and we have to have MS-signed binaries to get 1ms timer resolution?
Obviously, we don't want to poll aggressively whenever we can avoid it, but there are also a lot of practical UX & technological reasons to have this capability.
[0]: https://learn.microsoft.com/en-us/windows/win32/api/timeapi/...
However, I had to disable some ff add-ons to get that score (chrome had no add-ons to begin with).
This has long been a leaky part of Windows security. If your malware can get its code running inside a highly privileged service or process, it can do more or less whatever it wants to the rest of the system. But even when not used for nefarious purposes, it is still an extremely dangerous capability in that it can be very easy to create problems.
Particularly when windows update kicks on the CPUs go to 100%, the thing overheats, and generally is absolutely unusable as it downloads and scans/etc the update its preparing. The devices go from usable but slow, to put it down for a couple hours cause you won't get anything done levels of usability.
Disabling windows defender for the 24 hours (or whatever it takes) before windows decides to turn it back on, is the single largest performance hack I've found to make those devices run reasonably. Guess this "bug" just reinforces that fact.
Maybe someone should donate a few to MS's windows engineering teams so they can enjoy the monster they have created running on the low end hardware that is still being sold.
Well, during Windows XP days if you connect to a LAN with compromised devices (in some countries it was popular to just hook up the entire neighborhood to a series of switches or poorly managed office network) before you install every single update possible - too late, your machine is part of the botnet.
Also, some environments require antivirus running for certification even if the machine in question is a linux server with read-only volumes.
Now that you raised it however, even if the system call used to be fast, Firefox is making an extremely high number of calls to that system call, and there's always going to be some overhead to that. There are almost certainly ways that Firefox could reduce the number of calls it needs to make.
https://learn.microsoft.com/en-us/windows/win32/procthread/p...
Installing software to the system should be handled by a package manager, but if you must install something like this, just throw it in a tmpfile and inspect the script before running it.
I know the response to this will be "but the things the script downloads and installs could be malicious", and while this is true, so long as the sources in the install script are fine, I consider this to be a separate issue (but still a big issue).
The issue of trusting source code or binaries is a thing but it doesn't justify copy pasta'ing random scripts in the shell.
Another thing to take note of, there in the past have been bugs in terminal emulators that allowed pasting certain characters that made the text look completely different than what it actually was, so pasting "ls $HOME" could have actually been "rm -rf ~/" for example.
I remember people debating using global variables back then - I haven't seen a team not using unit testing in years. Scaling code up to multiple contributors, standardizing abstractions, building for automated testing, etc. We've taken many tradeoffs in the direction of development scalability and stability/correctness at the expense of performance and simplicity.
I still see people praising visual basic form builder - I think those were the kids that started doing dev with that and were impressed they can put dialogs on a screen. I think it would be extremely hard to find someone who maintained a nontrivial app with that code behind shit and thought it was a good idea.
...and DRM.
Unless you really mean megabits, 330MB for AV doesn't seem low as I've seen Windows Defender use roughly the same.
The original team that worked on this was awesome but a bunch of bad managers came over from Exchange and ruined it.
source: worked on this several years ago
Makes me wonder: Does windows Defender just double as another deliberate NSA backdoor?
The same is valid for Apple, Google, and every other US company.
If you don't believe me, try XFCE on Linux. You will see how fast your computer truly is.
Do you think Defender would have helped with that? I'm highly doubtful.
What would probably have, is if MS's implementation of protected folders, or whatever it's called, wouldn't have been completely brain-dead.
> EDIT: Also there's a misconception that Linux somehow doesn't get viruses - however the Pytorch attack affected Linux users. Making a virus for Windows gives you far more targets than Linux, which is why they're far more common.
That's correct. But at least on Linux, if you're so inclined, you can spend a couple of hours setting up some AppArmor or SELinux profiles to prevent random crap from accessing ~/.ssh and ~/top-secret.
but it does integrate with the system well since it's from Microsoft.
Recent versions of Firefox allow you to block some stuff like that: https://support.mozilla.org/en-US/kb/identify-problems-third...
Though it's possible they use different code injection tricks to make blocking impossible. (You can't block Defender from listening to events for example)
Given that in many industries insurances and, in some cases like banking, the law requires companies to monitor HTTPS traffic of browsers for compliance, it might be better if browsers had a dedicated filter / monitor API.
Complete removal of windows defender on retail OS is feasible if you can figure out how to elevate a prompt to trusted installer. Alternatively, if you run Windows Server, you can use Remove-WindowsFeature to get it gone for good.
I have a script that accomplishes this, but I hesitate to share it because I don't want some asshole at Microsoft to patch it.
For me, no.
I grew up in the era of internet wild-west and I understand why some of us still feel the need to operate with multiple levels of (perceived) safety even today.
That said, I think most of it is really foolish crap now. The sorts of exploits that are out in the wild that you should actually worry about will go right through defender like a modern bunker buster.
It's really upsetting to me when you think about how much performance/energy/UX latency/frustration/et. al. is being spent in hopes of achieving a minor incremental improvement in security. Windows defender == TSA for your PC.
If you know to not download & run executable files from sketchy websites, you are basically already at the limits of what defender is effectively achieving on your local machine.
Whether this provides any meaningful security is questionable unless you pair it with filesystem isolation to prevent malicious programs from modifying config files / bashrc / etc. Meanwhile it does make legit uses of ptrace more annoying.
[0] https://www.kernel.org/doc/Documentation/security/Yama.txt
Send a bug report to a five-person software company, their lead dev contacts you the same day and has a patched version ready to go in a week. Send a bug report to Microsoft / Citrix / Apple / etc, and you'll never hear back.
Firefox itself is at 4-5% and the whole machine is at 14%
Normal Firefox was also fine last I used it.
A shockingly large number of crashes and performance issues in PC gaming are related to poorly behaved overlay programs and overclocking tools like RivaTuner, Overwolf, and the Discord Overlay. I'd well believe your points.
I have heard the most complaints from Mac and Linux users on HN and Reddit. Especially with Youtube...
Windows + Firefox is just fine in my experience. After the Quantum upgrade/version. Yes Chromium based Edge and Chrome is a bit faster, Opera and Vivaldi feel slower depending on the number of tabs.
Firefox and Edge handle many tabs the best from a performance perspective on Windows in my experience. Vivaldi is very close.
Anything without vertical tabs is impossible to use with many tabs.
If I were Google, I would spend billions on making Chrome show ads really fast.
This is what makes it so doable since you don't need any privilege escalation.
The reason why this is a big deal for a lot of people is your ssh keys will give you access to your git repos and other servers unless you have them password protected or use gpg/sk ssh keys which I think a lot of people don't do.
And of course if you can see the known hosts file/bash_history you'll likely have access to more servers to propagate to.
Also things like your browser cache is stored there.
If you disable it and leave the security window, it automatically turns on again. It's bullshit.
Just for fun I also ran it on a Windows 11 mini-PC Ryzen 9 6900HX 3.3 GHz with no addons and obtained:
Edge: 291
Firefox: 196
I do not have Chrome installed but I believe Edge may be some fork of Chrome?
This is why I store keys on a hardware key that requires me to touch it when used and manually start ssh-agent when doing a lot of `git push`.
Originally it was a lot less hostile; over the years it has itself become the villain it tried to fight.