High CPU on IIS Server 2016 from MsMpEng.exe

If you are running production load on an IIS server on Windows Server 2016 with Windows Defender/Endpoint Protection and Real-Time Protection enabled, you may find that MsMpEng.exe (the Windows Antimalware service) is taking a lot of CPU and causing IIS performance issues.

Fortunately, the solution is relatively simple. After some trial and error, I was able to find that the Real-Time Protection setting “Scan all downloaded files and enable exploit protection for Internet Explorer” was the culprit. Simply changing this setting to “No” immediately solved the problem.

I have found this setting does not appear to cause issues in Windows Server 2008 R2, 2012 or 2012 R2, only 2016. Also, in Server 2016, this setting is not exposed via the UI on the server and must be managed via System Center Configuration Manager (or by manually editing the registry).

I did not notice an issue on IIS servers with low load (as Windows Defender could keep up), but once I started having hundreds/thousands of connections to the IIS server, MsMpEng.exe (the Windows Antimalware service) would immediately peg CPU to 100%.
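
To confirm the symptom before touching policy, here is a read-only check (an added example, not from the original post) that samples MsMpEng.exe CPU alongside the IIS connection count and prints the effective real-time protection state. It assumes the setting named above is the one Defender reports as IOAV protection (`IoavProtectionEnabled` / `DisableIOAVProtection`); the post does not name the underlying value. It also assumes English performance counter names.

```powershell
# Added example: read-only, changes nothing on the server.
# Assumption: the ConfigMgr setting in the post maps to Defender's IOAV
# protection (DisableIOAVProtection); the post does not name the value.
# Assumption: English performance counter names.

$samples  = 6      # number of CPU samples to take
$interval = 5      # seconds between samples
$cores    = [Environment]::ProcessorCount

# 1. Sample MsMpEng.exe CPU. The per-process "% Processor Time" counter is
#    summed across cores, so divide by the core count for a 0-100 figure.
$cpu = Get-Counter -Counter '\Process(MsMpEng)\% Processor Time' `
                   -SampleInterval $interval -MaxSamples $samples -ErrorAction Stop |
    ForEach-Object { [math]::Round($_.CounterSamples[0].CookedValue / $cores, 1) }

$stats = $cpu | Measure-Object -Average -Maximum

# 2. Current IIS load, to correlate CPU with connection count.
$conn = (Get-Counter -Counter '\Web Service(_Total)\Current Connections' `
                     -ErrorAction Stop).CounterSamples[0].CookedValue

# 3. Effective Defender state and the configured preferences.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

[pscustomobject]@{
    Server                    = $env:COMPUTERNAME
    IisCurrentConnections     = [int]$conn
    MsMpEngCpuAvgPercent      = [math]::Round($stats.Average, 1)
    MsMpEngCpuPeakPercent     = $stats.Maximum
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    IoavProtectionEnabled     = $status.IoavProtectionEnabled
    DisableIOAVProtection     = $pref.DisableIOAVProtection
    DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
} | Format-List
```

Running it once under low load and once under production load shows whether MsMpEng.exe CPU tracks the connection count, and running it again after the policy change confirms the new value actually reached the server.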
