With Windows 8, Microsoft changed Windows Defender Antivirus such that we should not attempt to disable Windows Defender Antivirus, as it now detects when another antimalware product is installed and will disable itself.
Though it looks like on Windows Server releases, Microsoft does not do that. See
Hope this information helps.
Let me know if you have any other questions.
Original Message:
Sent: 02-24-2021 09:19 AM
From: DARREL MALTBY
Subject: SEP not disabling Windows Defender
Just a thought, since Group Policy could disable Defender on a system that doesn't have SEP, for whatever reason, in an environment... could the Host Integrity policy be used to disable Windows Defender Antivirus, through a registry setting, perhaps? I haven't looked up if this is possible, but I admit we're seeing a similar issue in our environment and I'm thankful for this thread to help connect some dots. SEP and Defender interaction has never really been clear to me, and I've managed a SEP environment for 13 years!
Original Message:
Sent: 02-23-2021 09:46 AM
From: Jon Kaufman
Subject: SEP not disabling Windows Defender
Hi Julia,
Thank you for the clarification. You will need to disable Windows Defender Antivirus from Group Policy, as this ensures it does not run.
Let me know if you have any questions.
------------------------------
Jon Kaufman
Strategic Support Engineer
Broadcom
Original Message:
Sent: 02-23-2021 01:17 AM
From: Julia Grebe
Subject: SEP not disabling Windows Defender
Hi Jon,
I have seen the new possibility about the coexistence of the SEP client and Windows Defender, but for us it's not useful.
We need to have a fully qualified report about all risks in all our environments every month for our customers, and the SEP client runs AFTER Windows Defender. So it may happen that Defender quarantines a risk that SEP will never know about. Defender has no central reporting, but complete reporting on all risks is an important part of our evaluations and risk assessment process.
I may be wrong, but I think we are not the only ones who want to see all risks on the endpoints.
Original Message:
Sent: 02-22-2021 02:31 PM
From: Jon Kaufman
Subject: SEP not disabling Windows Defender
Hello Matt and Julia,
The SEP client does not disable Windows Defender and has not done so since version 12.1.6 due to changes that Microsoft made for Windows Defender.
In addition, as of our latest release, 14.3 RU 1, Windows Defender AV can now run alongside SEP. See the following for more information.
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Dialog-Overview/virus-and-spyware-protection-dialog/miscellaneous-v45100362-d49e11152.html
Let me know if you have any questions.
------------------------------
Jon Kaufman
Strategic Support Engineer
Broadcom
Original Message:
Sent: 02-18-2021 06:04 PM
From: Unknown User
Subject: SEP not disabling Windows Defender
Thanks Julia for the reply. I think you are spot on that the January updates changed "something" in the Microsoft Malware Protection Engine. Event ID 15 in the Application log is pretty telling. Up until the January updates, SEP would start first, then Defender would try to start and throw these two events within a second of each other:
Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_ON.
Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF.
After the update, Defender is starting first, then staying in the "ON" state. Microsoft isn't revealing too much about what changes they made (on purpose of course so the bad guys don't figure it out), but some change related to this CVE is *I think* involved: CVE-2021-1647 - Security Update Guide - Microsoft - Microsoft Defender Remote Code Execution Vulnerability
I have a ticket open, but they are wanting me to jump through a bunch of hoops, and I haven't had power or heat for three days (live in South/Central Texas), so....no.
I'm going to work around the issue through Group Policy and wait for them to figure it out.
Seriously, thanks for the response.
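The startup pattern described in this message (an ON record followed within a second by OFF before the January updates, ON only afterwards) can be checked across exported Application log records. This is an added example, not part of the original thread; the pipe-delimited export layout, host names and timestamps are constructed assumptions.

```python
import re
from datetime import datetime

# Message text as quoted in the thread; the trailing state is what we track.
STATE_RE = re.compile(r"Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_(ON|OFF)")

# Constructed sample (not from the thread). Assumed export layout:
# host|timestamp|event id|message
SAMPLE = """\
PC-01|2021-01-05 08:00:01|15|Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_ON.
PC-01|2021-01-05 08:00:01|15|Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF.
PC-02|2021-02-17 08:00:03|15|Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_ON.
PC-03|2021-02-16 07:30:10|15|Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_ON.
PC-03|2021-01-04 07:30:11|15|Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF.
PC-03|2021-02-16 07:31:00|1000|Unrelated application event
this line is malformed and is skipped
"""

def parse(text):
    """Return (host, timestamp, state) for each Event ID 15 status record."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|", 3)]
        if len(parts) != 4 or parts[2] != "15":
            continue  # malformed line or a different event ID
        match = STATE_RE.search(parts[3])
        if match:
            ts = datetime.strptime(parts[1], "%Y-%m-%d %H:%M:%S")
            records.append((parts[0], ts, match.group(1)))
    return records

def last_state_per_host(text):
    """Most recent Defender state reported by each host."""
    # sorted() is stable, so ON/OFF pairs logged in the same second keep export order.
    states = {}
    for host, _, state in sorted(parse(text), key=lambda r: r[1]):
        states[host] = state
    return states

def hosts_with_defender_on(text):
    """Hosts whose most recent status record is ON (Defender did not stand down)."""
    return sorted(h for h, s in last_state_per_host(text).items() if s == "ON")

if __name__ == "__main__":
    print(hosts_with_defender_on(SAMPLE))
```
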
Original Message:
Sent: 02-18-2021 01:34 AM
From: Julia Grebe
Subject: SEP not disabling Windows Defender
Hi, we have the same problem.
We opened a case with Microsoft. They responded that it is not the SEP client that disables Defender, but that Defender detects that another antivirus software is installed.
Defender was activated due to a MS patch from January.
We can see Tamper Protection Logs (Application Control) where the Defender tries to access areas of SEP-Client.
There is no Solution at the moment.
I don't know whether it is possible to deactivate Defender with a SEP policy.
You can look at Defender on the client to ensure that Defender is without definitions, so a scan from Defender is without consequences.
You can also set Defender to passive in GPO.
Original Message:
Sent: 02-17-2021 06:44 PM
From: Unknown User
Subject: SEP not disabling Windows Defender
In the past week or so, I've noticed that our Windows 10 machines all of a sudden have Windows Defender running. Feels a little like an update (not sure which side) is preventing SEP from disabling Defender. Pretty sure badness can happen if two real-time scan engines are running on the same machine. We're on SEP 14.3 (14.3.558.0000). Just me?