Hi, we have the same problem. We opened a case with Microsoft. They responded that it is not the SEP client disabling Defender, but that Defender detects that another antivirus software is installed. Defender was activated due to an MS patch from January. We can see Tamper Protection logs (Application Control) where Defender tries to access areas of the SEP client. There is no solution at the moment. Whether there is a possibility to deactivate Defender with an SEP policy, I don't know.
You can look at Defender on the client to ensure that Defender is without definitions, so a scan from Defender is without consequences. You can also set Defender to passive in GPO.
Thanks Julia for the reply. I think you are spot on that the January updates changed "something" in the Microsoft Malware Protection Engine. Event ID 15 in the Application log is pretty telling. Up until the January updates, SEP would start first, then Defender would try to start and throw these two events within a second of each other:
Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_ON.
Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF.
After the update, Defender is starting first, then staying in the "ON" state. Microsoft isn't revealing too much about what changes they made (on purpose of course so the bad guys don't figure it out), but some change related to this CVE is *I think* involved: CVE-2021-1647 - Security Update Guide - Microsoft - Microsoft Defender Remote Code Execution Vulnerability
I have a ticket open, but they are wanting me to jump through a bunch of hoops, and I haven't had power or heat for three days (live in South/Central Texas), so....no.
I'm going to work around the issue through Group Policy and wait for them to figure it out.
Seriously, thanks for the response.
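Added example, not part of the original posts: a small check that scans exported Event ID 15 records for the pattern described above, where Defender reports ON and no OFF follows. The tab-separated export format, the sample timestamps and the 5-second window are assumptions made for this illustration; only the message text comes from the thread.

```python
import re
from datetime import datetime, timedelta

# Message format as quoted in the thread (Event ID 15, Application log).
STATE_RE = re.compile(
    r"Updated (?P<product>.+?) status successfully to "
    r"SECURITY_PRODUCT_STATE_(?P<state>[A-Z_]+)\."
)

# Constructed sample exports, one "ISO timestamp<TAB>message" record per line.
BEFORE_UPDATE = (
    "2021-01-05T08:00:12\tUpdated Windows Defender status successfully to SECURITY_PRODUCT_STATE_ON.\n"
    "2021-01-05T08:00:13\tUpdated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF.\n"
)
AFTER_UPDATE = (
    "2021-02-16T08:00:09\tUpdated Windows Defender status successfully to SECURITY_PRODUCT_STATE_ON.\n"
)


def parse_events(text):
    """Yield (timestamp, product, state) for every status-change record."""
    for line in text.strip().splitlines():
        stamp, _, message = line.partition("\t")
        match = STATE_RE.search(message)
        if match:
            yield datetime.fromisoformat(stamp.strip()), match["product"], match["state"]


def unmatched_on_events(text, product="Windows Defender", window=timedelta(seconds=5)):
    """Return timestamps where `product` went ON and no OFF followed within `window`."""
    events = sorted(e for e in parse_events(text) if e[1] == product)
    stuck = []
    for i, (stamp, _, state) in enumerate(events):
        if state != "ON":
            continue
        followed = any(
            later_state == "OFF" and later - stamp <= window
            for later, _, later_state in events[i + 1:]
        )
        if not followed:
            stuck.append(stamp)
    return stuck


if __name__ == "__main__":
    for label, sample in (("before", BEFORE_UPDATE), ("after", AFTER_UPDATE)):
        print(label, [s.isoformat() for s in unmatched_on_events(sample)])
```

An empty result means every ON was followed by an OFF, which is the behaviour seen before the January updates; any returned timestamp marks a start where Defender stayed on next to SEP.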
Thanks Jon for the reply. Sounds a little suspicious that in all the years since we upgraded from 12.x (we've been a SEP shop for a really long time) and that Defender has been part of the OS, it hasn't ever turned itself on until this past month? Clearly something has changed (probably via a Windows Update) that altered that behavior.
We've already worked around the issue with a group policy, but it may be something you guys want to look into. I had a ticket on this, but it didn't really go anywhere and has been archived.
Original Message:
Sent: 02-18-2021 01:34 AM
From: Julia Grebe
Subject: SEP not disabling Windows Defender

Original Message:
Sent: 02-17-2021 06:44 PM
From: Unknown User
Subject: SEP not disabling Windows Defender

In the past week or so, I've noticed that our Windows 10 machines all of a sudden have Windows Defender running. Feels a little like an update (not sure which side) is preventing SEP from disabling Defender. Pretty sure badness can happen if two real-time scan engines are running on the same machine. We're on SEP 14.3 (14.3.558.0000). Just me?