Windows Defender still running with 'Use Windows Security Center' enabled in Policy
Article ID: 291433
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
After either 1) upgrading the Sensor or 2) upgrading the OS, Windows Security Center (WSC) shows both Endpoint Standard and Defender as running, even though the Carbon Black Cloud Policy has "Use Windows Security Center" enabled.
Environment
Carbon Black Endpoint Standard Sensor: v2.1.0.11 and Higher
Microsoft Windows: Windows Vista and Higher
Cause
When the Group Policy setting below is set to Disabled, it prevents anyone from stopping Defender through WSC integration.
Location of Setting:
Computer Configuration-> Administrative Templates-> Windows Components-> Microsoft Defender Antivirus-> Turn off Microsoft Defender Antivirus
Resolution
To allow WSC integration to disable Windows Defender:
Edit Group Policy so that Computer Configuration-> Administrative Templates-> Windows Components-> Microsoft Defender Antivirus-> Turn off Microsoft Defender Antivirus is set to Enabled or Not Configured.
To keep Windows Defender and Endpoint Standard running together:
Add Permissions rules or Exclusions for both Defender and Endpoint Standard so that they do not scan one another, which improves performance.
Additional Information
If the goal is to keep Windows Defender and Endpoint Standard (or any other AV) running on the same endpoint at the same time, it is recommended to add exclusions in each product for the other, to prevent the two from interfering with one another.
Keeping both security products active without adding exclusions has a performance impact, because each one scans the behavior of the other while it is itself scanning.
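To confirm which case applies on an affected endpoint, the following PowerShell check reads the Group Policy setting named in the Cause section, lists the antivirus products registered with WSC, and reports Defender's current status. It is an added example, not Carbon Black or Microsoft code; it assumes an elevated session on a Windows 10 or later client OS and that the policy is stored as the DisableAntiSpyware value under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender.

```powershell
# Added diagnostic example; run in an elevated PowerShell session on the endpoint.
# Assumption: "Turn off Microsoft Defender Antivirus" is backed by the
# DisableAntiSpyware DWORD under the Windows Defender policy key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$value = (Get-ItemProperty -Path $policyKey -Name 'DisableAntiSpyware' `
            -ErrorAction SilentlyContinue).DisableAntiSpyware

# Map the registry value back to the state shown in the Group Policy editor.
if     ($null -eq $value) { $policyState = 'Not Configured' }
elseif ($value -eq 1)     { $policyState = 'Enabled' }
elseif ($value -eq 0)     { $policyState = 'Disabled' }
else                      { $policyState = "Unexpected value: $value" }

# Per the article: Disabled blocks WSC integration from stopping Defender;
# Enabled or Not Configured allows it.
$wscCanDisableDefender = $policyState -in 'Enabled', 'Not Configured'

# Antivirus products currently registered with Windows Security Center.
# The root/SecurityCenter2 namespace exists on client editions only, so an
# empty result on a server OS is expected.
$registered = Get-CimInstance -Namespace 'root/SecurityCenter2' `
                -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty displayName

# Defender's own view of whether it is active.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

[pscustomobject]@{
    PolicyState             = $policyState
    WscCanDisableDefender   = $wscCanDisableDefender
    WscRegisteredAV         = $registered -join '; '
    DefenderAntivirusOn     = $mp.AntivirusEnabled
    DefenderRealTimeOn      = $mp.RealTimeProtectionEnabled
} | Format-List

if (-not $wscCanDisableDefender -and $mp.AntivirusEnabled) {
    Write-Warning ('Policy is Disabled and Defender is active: either change ' +
                   'the policy to Enabled or Not Configured, or add mutual ' +
                   'exclusions in both products.')
}
```

If the value comes from a domain GPO, change it in the GPO rather than in the local registry, because the next policy refresh will overwrite a local edit.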