Endpoint Protection

        ​Hi, we have the same problem.
We opend a case to Microsoft. They respond that not SEP-Client disables Defender but the Defender detects that another antivirus software is installed.
Defender was activated due to a MS patch from January.

We can see Tamper Protection Logs (Application Control) where the Defender tries to access areas of SEP-Client.

There is no Solution at the moment.

If there is a possibility to deactivate Defender with SEP-Policy I didn`t know.

You can look at the Defender on the Client to be ensure that the Defender is without Definitions, so a scan from Defender is witout consequences.
Also you can set the Defender in GPO to passive.

Thanks Julia for the reply.  I think you are spot on that the January updates changed "something" in the Microsoft Malware Protection Engine.  Event ID 15 in the Application log is pretty telling.  Up until the January updates, SEP would start first, then Defender would try to start and throw these two events within a second of each other:

Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_ON.

Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF.

After the update, Defender is starting first, then staying in the "ON" state.  Microsoft isn't revealing too much about what changes they made (on purpose of course so the bad guys don't figure it out), but some change related to this CVE is *I think* involved:  CVE-2021-1647 - Security Update Guide - Microsoft - Microsoft Defender Remote Code Execution Vulnerability

I have a ticket open, but they are wanting me to jump through a bunch of hoops, and I haven't had power or heat for three days (live in South/Central Texas), so....no.   

I'm going to work around the issue through Group Policy and wait for them to figure it out.

Seriously, thanks for the response.

        ​Hi, we have the same problem.
We opend a case to Microsoft. They respond that not SEP-Client disables Defender but the Defender detects that another antivirus software is installed.
Defender was activated due to a MS patch from January.

We can see Tamper Protection Logs (Application Control) where the Defender tries to access areas of SEP-Client.

There is no Solution at the moment.

If there is a possibility to deactivate Defender with SEP-Policy I didn`t know.

You can look at the Defender on the Client to be ensure that the Defender is without Definitions, so a scan from Defender is witout consequences.
Also you can set the Defender in GPO to passive.

Thanks Julia for the reply.  I think you are spot on that the January updates changed "something" in the Microsoft Malware Protection Engine.  Event ID 15 in the Application log is pretty telling.  Up until the January updates, SEP would start first, then Defender would try to start and throw these two events within a second of each other:

Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_ON.

Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF.

After the update, Defender is starting first, then staying in the "ON" state.  Microsoft isn't revealing too much about what changes they made (on purpose of course so the bad guys don't figure it out), but some change related to this CVE is *I think* involved:  CVE-2021-1647 - Security Update Guide - Microsoft - Microsoft Defender Remote Code Execution Vulnerability

I have a ticket open, but they are wanting me to jump through a bunch of hoops, and I haven't had power or heat for three days (live in South/Central Texas), so....no.   

I'm going to work around the issue through Group Policy and wait for them to figure it out.

Seriously, thanks for the response.

        ​Hi, we have the same problem.
We opend a case to Microsoft. They respond that not SEP-Client disables Defender but the Defender detects that another antivirus software is installed.
Defender was activated due to a MS patch from January.

We can see Tamper Protection Logs (Application Control) where the Defender tries to access areas of SEP-Client.

There is no Solution at the moment.

If there is a possibility to deactivate Defender with SEP-Policy I didn`t know.

You can look at the Defender on the Client to be ensure that the Defender is without Definitions, so a scan from Defender is witout consequences.
Also you can set the Defender in GPO to passive.

Thanks Julia for the reply.  I think you are spot on that the January updates changed "something" in the Microsoft Malware Protection Engine.  Event ID 15 in the Application log is pretty telling.  Up until the January updates, SEP would start first, then Defender would try to start and throw these two events within a second of each other:

Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_ON.

Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF.

After the update, Defender is starting first, then staying in the "ON" state.  Microsoft isn't revealing too much about what changes they made (on purpose of course so the bad guys don't figure it out), but some change related to this CVE is *I think* involved:  CVE-2021-1647 - Security Update Guide - Microsoft - Microsoft Defender Remote Code Execution Vulnerability

I have a ticket open, but they are wanting me to jump through a bunch of hoops, and I haven't had power or heat for three days (live in South/Central Texas), so....no.   

I'm going to work around the issue through Group Policy and wait for them to figure it out.

Seriously, thanks for the response.

Original Message:
Sent: 02-18-2021 01:34 AM
From: Julia Grebe
Subject: SEP not disabling Windows Defender

        ​Hi, we have the same problem.
We opend a case to Microsoft. They respond that not SEP-Client disables Defender but the Defender detects that another antivirus software is installed.
Defender was activated due to a MS patch from January.

We can see Tamper Protection Logs (Application Control) where the Defender tries to access areas of SEP-Client.

There is no Solution at the moment.

If there is a possibility to deactivate Defender with SEP-Policy I didn`t know.

You can look at the Defender on the Client to be ensure that the Defender is without Definitions, so a scan from Defender is witout consequences.
Also you can set the Defender in GPO to passive.

Original Message:
Sent: 02-17-2021 06:44 PM
From: Unknown User
Subject: SEP not disabling Windows Defender

In the past week or so, I've noticed that our Windows 10 machines all of the sudden have Windows Defender running.  Feels a little like an update (not sure which side) is preventing SEP to disable Defender.  Pretty sure badness can happen if two real-time scan engines are running on the same machine.  We're on SEP 14.3 (14.3.558.0000).   Just me?

Thanks Julia for the reply.  I think you are spot on that the January updates changed "something" in the Microsoft Malware Protection Engine.  Event ID 15 in the Application log is pretty telling.  Up until the January updates, SEP would start first, then Defender would try to start and throw these two events within a second of each other:

Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_ON.

Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF.

After the update, Defender is starting first, then staying in the "ON" state.  Microsoft isn't revealing too much about what changes they made (on purpose of course so the bad guys don't figure it out), but some change related to this CVE is *I think* involved:  CVE-2021-1647 - Security Update Guide - Microsoft - Microsoft Defender Remote Code Execution Vulnerability

I have a ticket open, but they are wanting me to jump through a bunch of hoops, and I haven't had power or heat for three days (live in South/Central Texas), so....no.   

I'm going to work around the issue through Group Policy and wait for them to figure it out.

Seriously, thanks for the response.

Original Message:
Sent: 02-18-2021 01:34 AM
From: Julia Grebe
Subject: SEP not disabling Windows Defender

        ​Hi, we have the same problem.
We opend a case to Microsoft. They respond that not SEP-Client disables Defender but the Defender detects that another antivirus software is installed.
Defender was activated due to a MS patch from January.

We can see Tamper Protection Logs (Application Control) where the Defender tries to access areas of SEP-Client.

There is no Solution at the moment.

If there is a possibility to deactivate Defender with SEP-Policy I didn`t know.

You can look at the Defender on the Client to be ensure that the Defender is without Definitions, so a scan from Defender is witout consequences.
Also you can set the Defender in GPO to passive.

Original Message:
Sent: 02-17-2021 06:44 PM
From: Unknown User
Subject: SEP not disabling Windows Defender

In the past week or so, I've noticed that our Windows 10 machines all of the sudden have Windows Defender running.  Feels a little like an update (not sure which side) is preventing SEP to disable Defender.  Pretty sure badness can happen if two real-time scan engines are running on the same machine.  We're on SEP 14.3 (14.3.558.0000).   Just me?

Thanks Julia for the reply.  I think you are spot on that the January updates changed "something" in the Microsoft Malware Protection Engine.  Event ID 15 in the Application log is pretty telling.  Up until the January updates, SEP would start first, then Defender would try to start and throw these two events within a second of each other:

Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_ON.

Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF.

After the update, Defender is starting first, then staying in the "ON" state.  Microsoft isn't revealing too much about what changes they made (on purpose of course so the bad guys don't figure it out), but some change related to this CVE is *I think* involved:  CVE-2021-1647 - Security Update Guide - Microsoft - Microsoft Defender Remote Code Execution Vulnerability

I have a ticket open, but they are wanting me to jump through a bunch of hoops, and I haven't had power or heat for three days (live in South/Central Texas), so....no.   

I'm going to work around the issue through Group Policy and wait for them to figure it out.

Seriously, thanks for the response.

Original Message:
Sent: 02-18-2021 01:34 AM
From: Julia Grebe
Subject: SEP not disabling Windows Defender

        ​Hi, we have the same problem.
We opend a case to Microsoft. They respond that not SEP-Client disables Defender but the Defender detects that another antivirus software is installed.
Defender was activated due to a MS patch from January.

We can see Tamper Protection Logs (Application Control) where the Defender tries to access areas of SEP-Client.

There is no Solution at the moment.

If there is a possibility to deactivate Defender with SEP-Policy I didn`t know.

You can look at the Defender on the Client to be ensure that the Defender is without Definitions, so a scan from Defender is witout consequences.
Also you can set the Defender in GPO to passive.

Original Message:
Sent: 02-17-2021 06:44 PM
From: Unknown User
Subject: SEP not disabling Windows Defender

In the past week or so, I've noticed that our Windows 10 machines all of the sudden have Windows Defender running.  Feels a little like an update (not sure which side) is preventing SEP to disable Defender.  Pretty sure badness can happen if two real-time scan engines are running on the same machine.  We're on SEP 14.3 (14.3.558.0000).   Just me?

Thanks Julia for the reply.  I think you are spot on that the January updates changed "something" in the Microsoft Malware Protection Engine.  Event ID 15 in the Application log is pretty telling.  Up until the January updates, SEP would start first, then Defender would try to start and throw these two events within a second of each other:

Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_ON.

Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF.

After the update, Defender is starting first, then staying in the "ON" state.  Microsoft isn't revealing too much about what changes they made (on purpose of course so the bad guys don't figure it out), but some change related to this CVE is *I think* involved:  CVE-2021-1647 - Security Update Guide - Microsoft - Microsoft Defender Remote Code Execution Vulnerability

I have a ticket open, but they are wanting me to jump through a bunch of hoops, and I haven't had power or heat for three days (live in South/Central Texas), so....no.   

I'm going to work around the issue through Group Policy and wait for them to figure it out.

Seriously, thanks for the response.

Original Message:
Sent: 02-18-2021 01:34 AM
From: Julia Grebe
Subject: SEP not disabling Windows Defender

        ​Hi, we have the same problem.
We opend a case to Microsoft. They respond that not SEP-Client disables Defender but the Defender detects that another antivirus software is installed.
Defender was activated due to a MS patch from January.

We can see Tamper Protection Logs (Application Control) where the Defender tries to access areas of SEP-Client.

There is no Solution at the moment.

If there is a possibility to deactivate Defender with SEP-Policy I didn`t know.

You can look at the Defender on the Client to be ensure that the Defender is without Definitions, so a scan from Defender is witout consequences.
Also you can set the Defender in GPO to passive.

Original Message:
Sent: 02-17-2021 06:44 PM
From: Unknown User
Subject: SEP not disabling Windows Defender

In the past week or so, I've noticed that our Windows 10 machines all of the sudden have Windows Defender running.  Feels a little like an update (not sure which side) is preventing SEP to disable Defender.  Pretty sure badness can happen if two real-time scan engines are running on the same machine.  We're on SEP 14.3 (14.3.558.0000).   Just me?