[Vm-dev] PSA | Slow .changes access | Real-time protection in Windows Defender

Marcel Taeumel marcel.taeumel at hpi.de
Thu Dec 2 13:30:48 UTC 2021


Oh, this do-it seems to be enough to trigger the Windows Defender:

'</a>' size

Best,
Marcel
On 02.12.2021 14:08:31, Marcel Taeumel <marcel.taeumel at hpi.de> wrote:
Hi all --

Provided that you have a .changes file that is bigger than a couple of bytes (here: ~200 MiB), you might experience a serious lag (here: ~5 seconds) when:

- Starting the .image
- Evaluating some do-its (or print-its)
- Saving a method

All operations that typically read from or write to the .changes file.

The Windows Defender's "real-time protection service" seems to monitor file access. Whatever triggers it, the defender might try to get exclusive read access to a file. Then it scans the last bytes and if it finds something strange, it will continue, eventually scanning THE ENTIRE FILE!

So, what is "something strange"? Well, try to evaluate this:

'<a href="https://www.microsoft.com"></a>' size.

Now, depending on the size of your .changes file, the Windows Defender will begin to scan the entire file for more such patterns. Note that the Defender will never complain or blacklist that file. It is just curious for the moment.

Why is the Defender able to get exclusive read access on a do-it? Take a look at SmalltalkImage >> #forceChangesToDisk. There, you can see that we close and re-open the .changes file. That's exactly the time when the Windows Defender kicks in. Avoid closing that file, and you will not experience any lag.

Try to save a method with such contents. You will be able to observe the same amount of extra lag.

Why is regular read access during code browsing not affected? Because we already have the open file handle to the .changes and .sources files. The Defender seems to need exclusive read access. In my experience, this happened, for example, during VM/image startup.

(Note that this has nothing to do with the Defender sending stuff to Microsoft via Internet. I did all the tests offline. No Ethernet connection. No WiFi.)

***

What can we do about it? Different approaches work:

- Save a method (or do-it sth.) to add about 1000 bytes of uninteresting content to the .changes file; then everything is fast again
- Shrink your .changes file via #condenseChanges (and don't forget to save your image afterwards!!) to speed up the Defender's scan
- Disable the "real-time protection service" in the Windows settings (not recommended)
- Avoid strange content in your source code (or do-its)
- Do not close the file so often. #primFlush: is not affected.

Best,
Marcel
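
A way to measure the effect described in this message, as an added example that is not part of the original post: it appends the do-it string from the post to a constructed stand-in for a large .changes file and times flush-only appends against the close-and-re-open pattern. The file names, filler content and function names are assumptions made for the example.

```python
import os
import tempfile
import time

# Do-it string quoted in the post; the filler line is constructed sample content.
MARKER = b"'<a href=\"https://www.microsoft.com\"></a>' size.\n"
FILLER = b"\"uninteresting filler line for the benchmark\"\n"


def make_changes_file(path, size_bytes):
    """Create a stand-in for a large .changes file and return its size."""
    with open(path, "wb") as f:
        f.write(FILLER * (size_bytes // len(FILLER) + 1))
    return os.path.getsize(path)


def time_appends(path, payload, reopen, rounds=5):
    """Append payload `rounds` times; return the slowest round in seconds.

    reopen=True  mimics the close-and-re-open pattern named in the post.
    reopen=False keeps one handle open and only flushes to disk.
    """
    worst = 0.0
    f = open(path, "ab")
    try:
        for _ in range(rounds):
            start = time.perf_counter()
            f.write(payload)
            f.flush()
            os.fsync(f.fileno())
            if reopen:
                f.close()
                f = open(path, "ab")
            worst = max(worst, time.perf_counter() - start)
    finally:
        f.close()
    return worst


def compare(size_bytes=200 * 1024 * 1024, payload=MARKER):
    """Time both patterns on fresh temp files; return seconds per pattern."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, reopen in (("flush_only", False), ("close_reopen", True)):
            path = os.path.join(d, name + ".changes")
            make_changes_file(path, size_bytes)
            results[name] = time_appends(path, payload, reopen)
    return results


if __name__ == "__main__":
    for name, secs in compare().items():
        print(f"{name:>12}: slowest append {secs:.3f} s")
```

Run it on the affected Windows machine with real-time protection enabled; on a system without an on-access scanner the two numbers should be close to each other.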