If you use Windows Server, the default isolation mode for containers is "process". The good news is that this mode gives the best CPU performance (no Hyper-V VM around the container). You can also run a container in process isolation on your dev Windows machine like this (the container image's Windows build must match the host's, otherwise Docker refuses to start it in this mode):
docker run --isolation=process -it YOUR_CONTAINER_NAME
The bad news is that everything you do with files is monitored in real time by Windows Defender, and that destroys performance, especially when you read and write a lot of files (in CI/CD for example: restoring NuGet or npm packages, building a solution, etc.).
You will see 25 to 50% CPU usage from MsMpEng.exe (the Windows Defender engine) in Task Manager, and you will be watching the clock while a project builds or compiles inside a Windows container.
If you look at which files are involved with ProcMon.exe (after a dotnet restore, for instance), you will see that the paths are not the usual ones: they point to a VHD volume, because container layers are backed by VHD files rather than by a normal folder on the host.
So, how do you disable Windows Defender real-time protection for a Windows container running in process isolation?
First (wrong) idea
I initially excluded processes like dotnet.exe from Windows Defender. It seemed legitimate, but a process exclusion exempts every file that process opens, anywhere on the host, so it exposes the whole server through that process (and who knows, maybe a malware author drops their own dotnet.exe on the server and runs it without any real-time protection, huh!?).
Solution
Let's exclude the VhdHardDisk* volumes from Windows Defender instead: these volumes hold the container layers and scratch space, and the host OS does not use them directly. Note that you can't do this from the Windows Security settings UI (which only accepts a real folder), so do it from an elevated PowerShell:
# Open an Administrator PowerShell
Add-MpPreference -ExclusionPath "\Device\VhdHardDisk*\"
Enjoy the performance now, as fast as the host! Keep in mind that this exclusion covers every VHD-backed volume on the machine, not only the container layers, so treat it as a setting for dedicated container hosts rather than for a general-purpose server.
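To see the effect of the exclusion rather than just trust it, here is an added PowerShell example (not part of the original post) that measures how much CPU time the Defender engine burns around a file-heavy container workload, applies the exclusion described above, verifies it landed, and measures again. It also shows the rejected process exclusion next to the path exclusion, commented out so it is not applied. Assumptions: it runs in an elevated PowerShell on a host with Docker configured for Windows containers, the image mcr.microsoft.com/dotnet/sdk:8.0 is pulled and its Windows build matches the host (required for process isolation), and the Measure-DefenderCpu helper is a name chosen here, not a built-in cmdlet.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Run on the container host.

# Sample the cumulative CPU time of the Defender engine (MsMpEng.exe) around a workload.
# TotalProcessorTime is cumulative, so the difference is the CPU time spent scanning
# while the workload ran.
function Measure-DefenderCpu {
    param([Parameter(Mandatory)][scriptblock]$Workload)

    $engine = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue
    $before = if ($engine) { $engine.TotalProcessorTime } else { [timespan]::Zero }

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    & $Workload | Out-Null
    $sw.Stop()

    $engine = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue
    $after = if ($engine) { $engine.TotalProcessorTime } else { [timespan]::Zero }

    [pscustomobject]@{
        WallClockSeconds   = [math]::Round($sw.Elapsed.TotalSeconds, 1)
        DefenderCpuSeconds = [math]::Round(($after - $before).TotalSeconds, 1)
    }
}

# File-heavy workload inside a process-isolated container.
# The image name is an assumption; any command that touches many files will do.
$workload = {
    docker run --rm --isolation=process mcr.microsoft.com/dotnet/sdk:8.0 `
        cmd /c "dotnet new console -o C:\app && dotnet restore C:\app"
}

'Before exclusion:'
Measure-DefenderCpu -Workload $workload

# The rejected approach from the post: a process exclusion. Every file dotnet.exe
# opens, anywhere on the host, would stop being scanned. Shown only for contrast.
# Add-MpPreference -ExclusionProcess 'dotnet.exe'

# The approach from the post: exclude the VHD-backed volumes the container layers live on.
$exclusion = '\Device\VhdHardDisk*\'
if ((Get-MpPreference).ExclusionPath -notcontains $exclusion) {
    Add-MpPreference -ExclusionPath $exclusion
}

# Verify the exclusion is present (the Settings UI will not display device paths).
'Configured VHD exclusions:'
(Get-MpPreference).ExclusionPath | Where-Object { $_ -like '*VhdHardDisk*' }

'After exclusion:'
Measure-DefenderCpu -Workload $workload

# Roll back when the host stops being a dedicated container host:
# Remove-MpPreference -ExclusionPath $exclusion
```

The first measurement is the baseline described in the post (high MsMpEng CPU time during restore and build); the second run after the exclusion should show DefenderCpuSeconds close to zero and a shorter wall-clock time. The rollback line is there because the exclusion applies to every VHD-backed volume on the host, not only to container layers.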