I'm not sure how you can possibly qualify VirtualProtect as "an expensive platform feature". Looking at the operation that VirtualProtect actually has to perform, from first principles, it should be one of the cheapest syscalls in the entire kernel.
The bug was that ETW (in the antivirus process) was doing something braindead; zeroing a megabyte of memory unnecessarily every time someone called it just to get the size of a buffer.
I'd love if you'd elaborate on this. I know very little about what VirtualProtect actually does under the hood but, in theory, it should just have to flip a couple bits in the address space mapping which says what the protection level is.
You are assuming things you are unsure about :) Even if your assumption was correct, things could change from one Windows update to another.
When I worked on a time-sensitive Java project, our test suite had benchmarks for JDK functions as simple as Arrays.copy() to make sure we are the first to notice if something changed under the hood.
There's nothing about the bug that had anything to do with malware protection, or branch prediction, so I'm not sure how that statement applies to the conversation.
The bug was in ETW, which just happened to surface in a Windows utility that ostensibly protects you from malware.
The bug was that ETW (in the antivirus process) was doing something braindead; zeroing a megabyte of memory unnecessarily every time someone called it just to get the size of a buffer.