Endpoint Protection

Expand all | Collapse all

SEP not disabling Windows Defender

  • 1.  SEP not disabling Windows Defender

    Posted 7 days ago
    In the past week or so, I've noticed that our Windows 10 machines all of the sudden have Windows Defender running.  Feels a little like an update (not sure which side) is preventing SEP to disable Defender.  Pretty sure badness can happen if two real-time scan engines are running on the same machine.  We're on SEP 14.3 (14.3.558.0000).   Just me?


  • 2.  RE: SEP not disabling Windows Defender

    Posted 6 days ago

            ​Hi, we have the same problem.
    We opend a case to Microsoft. They respond that not SEP-Client disables Defender but the Defender detects that another antivirus software is installed.
    Defender was activated due to a MS patch from January.

    We can see Tamper Protection Logs (Application Control) where the Defender tries to access areas of SEP-Client.

    There is no Solution at the moment.

    If there is a possibility to deactivate Defender with SEP-Policy I didn`t know.

    You can look at the Defender on the Client to be ensure that the Defender is without Definitions, so a scan from Defender is witout consequences.
    Also you can set the Defender in GPO to passive.




  • 3.  RE: SEP not disabling Windows Defender

    Posted 6 days ago

    Thanks Julia for the reply.  I think you are spot on that the January updates changed "something" in the Microsoft Malware Protection Engine.  Event ID 15 in the Application log is pretty telling.  Up until the January updates, SEP would start first, then Defender would try to start and throw these two events within a second of each other:

    Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_ON.

    Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF.

    After the update, Defender is starting first, then staying in the "ON" state.  Microsoft isn't revealing too much about what changes they made (on purpose of course so the bad guys don't figure it out), but some change related to this CVE is *I think* involved:  CVE-2021-1647 - Security Update Guide - Microsoft - Microsoft Defender Remote Code Execution Vulnerability

    I have a ticket open, but they are wanting me to jump through a bunch of hoops, and I haven't had power or heat for three days (live in South/Central Texas), so....no.   

    I'm going to work around the issue through Group Policy and wait for them to figure it out.

    Seriously, thanks for the response.




  • 4.  RE: SEP not disabling Windows Defender

    Broadcom Employee
    Posted 2 days ago
    Hello Matt and Julia,

    The SEP client does not Disable Windows Defender and has not done so since version 12.1.6 due to changes that Microsoft made for Windows Defender.
    In addition, As of or latest release 14.3 RU 1 Windows Defender AV can now run along side SEP. See the following for more information.
    https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Dialog-Overview/virus-and-spyware-protection-dialog/miscellaneous-v45100362-d49e11152.html

    Let me know if you have any questions.

    ------------------------------
    Jon Kaufman
    Strategic Support Engineer
    Broadcom
    ------------------------------



  • 5.  RE: SEP not disabling Windows Defender

    Posted 2 days ago

    Thanks Jon for the reply.  Sounds a little suspicious that in all the years since we upgraded from 12.x (we've been a SEP shop for a really long time) and that Defender has been part of the OS, it hasn't ever turned itself on until this past month?  Clearly something has changed (probably via a Windows Update) that altered that behavior.

    We've already worked around the issue with a group policy, but it may be something you guys want to look into.  I had a ticket on this, but it didn't really go anywhere and has been archived.  

    Thanks again.




  • 6.  RE: SEP not disabling Windows Defender

    Posted 2 days ago
    Edited by Julia 2 days ago
    Hi Jon,
    I have seen the new possibility about the coexistence of SEP-Client and Windows Defender, but for us it´s not useful.
    We need to ​have a full qualfied report about all Risks in all our environments every month for our Customers and the SEP-Client runs AFTER Windows Defender. So it may happen, that Defender quarantine a Risk, that SEP will never no. The Defender has no central reporting, but complete reporting on all risks is an important part of our evaluations and risk assessment process.
    I may be wrong but I think we are not be the only ones who want to see all risks on the endpoints.



  • 7.  RE: SEP not disabling Windows Defender

    Broadcom Employee
    Posted 2 days ago
    Hi Julia,

    Thank you for the clarification.  You will need to Disable Windows defender Antivirus from the Group policy as this ensures it does not run.

    Let me know if you have any questions.

    ------------------------------
    Jon Kaufman
    Strategic Support Engineer
    Broadcom
    ------------------------------



  • 8.  RE: SEP not disabling Windows Defender

    Posted yesterday
    Just a thought, since Group Policy could disable Defender on a system that doesn't have SEP, for whatever reason, in an environment... could the Host Integrity policy be used to disable Windows Defender Antivirus, through a registry setting, perhaps?  I haven't looked up if this is possible, but I admit we're seeing a similar issue in our environment and I'm thankful for this thread to help connect some dots.  SEP and Defender interaction has never really been clear to me, and I've managed a SEP environment for 13 years!


  • 9.  RE: SEP not disabling Windows Defender

    Broadcom Employee
    Posted 18 hours ago
    Hello Bobkat2000,
    With Windows 8 Microsoft changed Windows Defender Antivirus such that we should not attempt to disable Windows Defender Antivirus as it now detects when another Antimalware product is installed and will disable itself.

    Though it looks like on  Windows Server releases, Microsoft does not do that.  See https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.

    The article does mention using a registry key ForceDefenderPassiveMode, so you could use Host Integrity to deteremine the OS release and add that registry key.

    Hope this information helps.

    Let me know if you have any other questions.

    Thanks




    ------------------------------
    Jon Kaufman
    Strategic Support Engineer
    Broadcom
    ------------------------------