How To Run the Sensor and Windows Defender Concurrently

Article ID: 291824


Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

How to run Microsoft Defender alongside the Carbon Black Cloud Sensor.

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

There are two possible configurations that can be used to run both platforms at the same time.

  • Deregister the Carbon Black Cloud Sensor from Windows Security Center and allow the OS to manage Defender via Group Policy
    1. Configure Windows Defender to exclude Sensor directories and files.
    2. Set the Group Policy Setting detailed in this article to Not Configured.
    3. From the Console, navigate to Enforce > Policies > [Policy Name] > Sensor.
    4. Disable the Use Windows Security Center setting.
  • Register the Carbon Black Cloud Sensor in Windows Security Center and force the OS to run Defender via Group Policy
    1. Configure Windows Defender to exclude Sensor directories and files.
    2. Set the Group Policy Setting detailed in this article to Disabled.
    3. From the Console, navigate to Enforce > Policies > [Policy Name] > Sensor.
    4. Enable the Use Windows Security Center setting.

Note: If licensed for Endpoint Standard, permissions for Windows Defender should be added to any Policies where machines are running the Sensor and Defender concurrently.

Additional Information

  • The Use Windows Security Center setting will register the Carbon Black Cloud Sensor with Windows as the system's antivirus, which may cause the OS to disable Defender, depending on the configuration of the "Turn off Microsoft Defender Antivirus" Group Policy setting.
  • Disabling the "Use Windows Security Center" setting does not impact Sensor monitoring, protection, or Policy enforcement.
  • If the Windows Security Center service (wscsvc) is stopped or not installed, the Sensor cannot register in WSC and the Sensor integration service (CbDefenseWSC) will not run, though this does not impact Sensor functionality outside WSC integration.
  • Windows Security Center is not installed by default in server-class operating systems.
  • Sensor folder and file exclusions can be configured in Windows Defender using one of the methods outlined in Microsoft's documentation.
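
To confirm which of the two configurations an endpoint actually ended up in, the following read-only check reports the Group Policy state, the two services named above, the antivirus products registered in Windows Security Center, and any missing Defender exclusions. It is an added example, not part of the original article or vendor tooling; the exclusion paths are placeholders to be replaced with the Sensor directories and files from the vendor's exclusion list.

```powershell
# Added example: read-only report of the local state behind either configuration.
# Save as a .ps1 file and run from an elevated PowerShell session on the endpoint.
param(
    # PLACEHOLDERS: substitute the Sensor directories and files from the vendor's exclusion list.
    [string[]]$ExpectedExclusions = @('<SENSOR_INSTALL_DIR>', '<SENSOR_DATA_DIR>')
)

# "Turn off Microsoft Defender Antivirus" is stored as DisableAntiSpyware under the policy key.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$raw = (Get-ItemProperty -Path $key -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
if ($null -eq $raw) {
    $gpState = 'Not Configured'
} elseif ($raw -eq 0) {
    $gpState = 'Disabled'
} elseif ($raw -eq 1) {
    $gpState = 'Enabled (Defender is turned off by policy)'
} else {
    $gpState = "Unexpected value: $raw"
}

function Get-ServiceState([string]$Name) {
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc) { [string]$svc.Status } else { 'Not installed' }
}

# Antivirus products currently registered with Windows Security Center.
try {
    $wscProducts = @(Get-CimInstance -Namespace 'root/SecurityCenter2' `
        -ClassName AntiVirusProduct -ErrorAction Stop).displayName
} catch {
    $wscProducts = @()   # namespace is absent where Windows Security Center is not installed
}

# Defender's own view: is it running, and which expected exclusions are not configured?
$status     = Get-MpComputerStatus
$configured = @((Get-MpPreference).ExclusionPath)
$missing    = @($ExpectedExclusions | Where-Object { $configured -notcontains $_ })

[pscustomobject]@{
    TurnOffDefenderPolicy  = $gpState
    WscService             = Get-ServiceState 'wscsvc'
    SensorWscService       = Get-ServiceState 'CbDefenseWSC'
    WscRegisteredAntivirus = $wscProducts -join '; '
    DefenderAntivirusOn    = $status.AntivirusEnabled
    DefenderRealTimeOn     = $status.RealTimeProtectionEnabled
    MissingExclusions      = $missing -join '; '
}
```

For the first configuration, `TurnOffDefenderPolicy` should read Not Configured; for the second, Disabled. In both, `DefenderAntivirusOn` should be True and `MissingExclusions` should be empty.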