tmuster2k 22 Posted February 12, 2020 (edited)

I did a clean install of the latest ESET FILE SECURITY for Windows Server 2019 and noticed it left the Windows Defender Cloud Delivered Protection still enabled and had to be manually turned off. Shouldn't EFS disable this like it does real time protection? Would it interfere with ESET CLOUD Protection? Also I noticed with EFS installed the "Windows Defender Antivirus Service" is still set to Running. Shouldn't this be disabled or set to Stopped after install and activation of EFS?

Edited February 12, 2020 by tmuster2k

itman 1,807 Posted February 14, 2020

On 2/12/2020 at 3:39 PM, tmuster2k said:
and noticed it left the Windows Defender Cloud Delivered Protection still enabled and had to be manually turned off.

I believe Windows Defender Cloud Delivered Protection refers to WD Advanced Threat Protection which is only standard on Enterprise versions. On Win Pro+ versions it is an optional extra cost subscription. If this is the case, check if Windows Defender AV is also enabled since WD ATP only works with WD anti-virus enabled. This ATP element might be why Eset didn't disable WD anti-virus.

tmuster2k 22 Author Posted February 14, 2020

17 hours ago, itman said:
I believe Windows Defender Cloud Delivered Protection refers to WD Advanced Threat Protection which is only standard on Enterprise versions. On Win Pro+ versions it is an optional extra cost subscription. If this is the case, check if Windows Defender AV is also enabled since WD ATP only works with WD anti-virus enabled. This ATP element might be why Eset didn't disable WD anti-virus.

Hello, Itman. So I did confirm in the "Security at a Glance" section that "Virus and Threat Protection" shows that "Real time Protection is turned off" which is fine because EFS is running and activated. However the Windows Defender Antivirus Service shows in "Services" as still running. Is this tied into anything else other than AV protection like the windows security center for reporting health of AV products running on this platform? In other words, is it normal to have this service running when EFS is also running on the same system?

itman 1,807 Posted February 14, 2020 (edited)

2 hours ago, tmuster2k said:
So I did confirm in the "Security at a Glance" section that "Virus and Threat Protection" shows that "Real time Protection is turned off" which is fine

No, it is not fine. For Virus and Threat Protection, it should show "No action needed." Additionally when Virus and Threat Protection is opened, what is shown should be that per the below screen shot. I also am not familiar with EFS and it is possible that WD real-time runs concurrent with Eset's; but seriously doubt it.

Another possibility is an issue with loading of Eset's ELAM driver on the server. In this case, the OS will automatically enable WD's real-time protection and run it concurrently with Eset's real-time protection. If this was the case, I would think that Security Center would show that WD was the real-time protection.

Edited February 14, 2020 by itman

itman 1,807 Posted February 14, 2020 (edited)

I did come across the following in the EFS 7 User Manual:

Quote:
If you are installing ESET File Security on Windows Server 2016, Microsoft recommends to uninstall Windows Defender Features and withdraw from Windows Defender ATP enrollment to prevent problems caused by having multiple antivirus products installed on a machine.
https://download.eset.com/com/eset/apps/business/efs/windows/latest/eset_efsw_7_userguide_enu.pdf

Again the reference to WD ATP. Perhaps the above also applies to Windows Server 2019? My best guess is it does.

Since Eset makes such a reference, it is assumed that it does not manage WD on Server 2016+ installations as done for endpoint installations.

-EDIT- See later posting in this thread: https://forum.eset.com/topic/22535-windows-defender-cloud-protection-stays-enabled/?do=findComment&comment=109348 for correct way to disable WD ATP on Win Server 1803/2019 installations.

This also implies that on Win Server 2016+ versions, there is no auto fallback to WD real-time protection in the event of an Eset real-time protection malfunction.

Finally, I believe the above quoted MS recommendation is a bit bogus. Obviously, MS would not recommend you use anything other than the WD + WD ATP combo. So, I would say this is an Eset recommendation.

Here's how you uninstall Win Defender on Win Server 2019: https://www.digitpage.com/remove-windows-defender-using-powershell-server-2019/ .

Edited February 17, 2020 by itman

Most Valued Members Nightowl 206 Posted February 16, 2020

ESET is running fine with both 16 and 19 for me. Defender is disabled (realtime), all else are defaults, not changed.

Administrators Marcos 5,468 Posted February 16, 2020

On Windows server systems there is no Security Center like on desktop systems.

Most Valued Members Nightowl 206 Posted February 16, 2020 (edited)

23 minutes ago, Marcos said:
On Windows server systems there is no Security Center like on desktop systems.

If I understood correctly, then I believe it's available in SRV 19.
In SRV 16, Defender is among Update settings, etc.
19 is based on 1809, so it has the stuff that was made for 1809.
16 is 1607.

Edited February 16, 2020 by Rami

itman 1,807 Posted February 16, 2020 (edited)

45 minutes ago, Rami said:
In SRV 16, Defender is among Update settings, etc. 19 is based on 1809, so it has the stuff that was made for 1809.

Does Windows Security Center exist on your SRV 19 installation? If it doesn't, I see no way for third party AVs to disable WD since WSC is their interface mechanism to WD settings.

Edited February 16, 2020 by itman

Administrators Marcos 5,468 Posted February 16, 2020

https://support.microsoft.com/en-us/help/3190315/outlook-trust-center-shows-your-antivirus-status-as-unavailable-this-v

"Windows Security Center is not supported on server operating system versions. For this reason Outlook is unable to check antivirus status when installed on a Windows Server."

itman 1,807 Posted February 16, 2020

Here's the Microsoft article on how to disable/uninstall WD on server installations. Of note is it specifically references Server 2016 only:

Ref.: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016

itman 1,807 Posted February 16, 2020 (edited)

According to this video, it does appear that Server 2019 does use Windows Security Center: https://www.youtube.com/watch?v=dy3srtihjwU

The difference with client versions is WSC doesn't show on the desktop toolbar?

Edited February 16, 2020 by itman

Most Valued Members Nightowl 206 Posted February 16, 2020 (edited)

5 minutes ago, itman said:
According to this video, it does appear that Server 2019 does use Windows Security Center: https://www.youtube.com/watch?v=dy3srtihjwU The difference with client versions is WSC doesn't show on the desktop toolbar?

It uses it, but doesn't show you what AV is currently active, only that the realtime is not running (which should be not running because ESET is running).

I do understand now what Marcos means.

Edited February 16, 2020 by Rami

itman 1,807 Posted February 16, 2020 (edited)

9 minutes ago, Rami said:
It uses it, but doesn't show you what AV is currently active, only that the realtime is not running (which should be not running because ESET is running). I do understand now what Marcos means.

Which means that it can't be managed in regards to third party AV installation. WD needs to be uninstalled via the MS article options for Server 2016.

Also one way to determine which AV is actually installed would be to verify if "Controlled Folders" exists since it only applies to WD.

Edited February 16, 2020 by itman

Most Valued Members Nightowl 206 Posted February 16, 2020 (edited)

2 minutes ago, itman said:
Which means that it can't be managed in regards to third party AV installation. WD needs to be uninstalled via the MS article options for Server 2016.

It can be, I disabled both WD Real-Time scanning and kept ESET running, never had any trouble. 16+19 ^^

Edited February 16, 2020 by Rami

itman 1,807 Posted February 16, 2020 (edited)

4 minutes ago, Rami said:
I disabled both WD Real-Time scanning

Assumed you did this via Group Policy. I assume you left other WD protections active.

Edited February 16, 2020 by itman

itman 1,807 Posted February 16, 2020 (edited)

I will also add this comment. It is time both Microsoft and Eset clarify what is the correct procedure in regards to WD ATP use on Server 2019.

As it stands presently, the implication is all that needs to be disabled via Group Policy is WD real-time protection. And that the other WD protections such as subscription based ATP features can run concurrently with Eset EFS. Then there is the WD behavior monitoring which includes cloud scanning. What happens if it detects malware via cloud scanning? Does the WD quarantine feature still work if WD real-time scanning is disabled?

Edited February 16, 2020 by itman

Most Valued Members Nightowl 206 Posted February 17, 2020

16 hours ago, itman said:
Assumed you did this via Group Policy. I assume you left other WD protections active.

Not via Group Policy. It's the same steps as disabling it in Windows 10: go to security/windows defender settings, realtime-scanning - OFF, and that's it, ESET is running instead.

itman 1,807 Posted February 17, 2020 (edited)

6 hours ago, Rami said:
Not via Group Policy. It's the same steps as disabling it in Windows 10: go to security/windows defender settings, realtime-scanning - OFF, and that's it, ESET is running instead.

As shown in this article: https://documentation.sisense.com/latest/content/disabledefender.htm#gsc.tab=0 , all that does is disable real-time protection. Most importantly, this excerpt from the linked article:

Quote:
Once you've completed the steps, the Windows Server 2019 antivirus will disable its real-time protection temporarily. However, because this is a temporary solution, the next time you restart your computer Windows Defender Antivirus will re-enable automatically on your machine.

Regardless, all other WD ATP protections remain in effect. When WD is disabled by Eset in Win 10, all functionality is disabled.

As such, my prior posting concerns in regards to running EFS concurrent with those other still enabled WD ATP protections remain. They still need to be explored with recommendations rendered.

Edited February 17, 2020 by itman

itman 1,807 Posted February 17, 2020 (edited)

Believe I have finally found the solution in regards to Win Server 1803/2019:

Quote:
(1) On Windows Server 2016, Windows Defender AV will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should uninstall Windows Defender AV on Windows Server 2016 to prevent problems caused by having multiple antivirus products installed on a machine.
If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key:
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: ForceDefenderPassiveMode
Value: 1
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility

Assumed is the server needs to be rebooted to make the above effective. The above link also explains what "passive mode" means.

Also of note is the above is a "hard" setting to passive mode as I understand it. This means that if Eset real-time protection malfunctions for some reason, there will be no auto fall-back to WD ATP as real-time protection. The only way to re-enable WD ATP real-time protections is to reset the above reg. key to a value of "0" and reboot the server.

Also for Eset, auto setting the above registry key on Win Server 1803/2019 needs to be done at Eset product installation time.

Edited February 17, 2020 by itman

itman 1,807 Posted February 18, 2020

Also in regards to this question:

On 2/14/2020 at 2:30 PM, tmuster2k said:
However the Windows Defender Antivirus Service shows in "Services" as still running. Is this tied into anything else other than AV protection like the windows security center for reporting health of AV products running on this platform? In other words, is it normal to have this service running when EFS is also running on the same system?

The answer is yes when WD ATP is running in "passive" mode:

Quote:
Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Microsoft Defender ATP service.
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility

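The registry setting and the service question from the two posts above can be checked together on a server. This PowerShell sketch is an added example, not part of the original thread and not ESET or Microsoft code; the function name is hypothetical, the value is assumed to be a REG_DWORD, and the AMRunningMode field is assumed to be reported only by newer Defender platform versions.

```powershell
# Added example: audit (and optionally set) Defender passive mode on
# Windows Server 1803/2019 running a third-party AV. Path, name and value are
# the ones quoted in the thread; Get-DefenderPassiveModeState is a made-up name.
function Get-DefenderPassiveModeState {
    [CmdletBinding()]
    param([switch]$Enforce)   # -Enforce writes the value; needs an elevated session

    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $name = 'ForceDefenderPassiveMode'

    if ($Enforce) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # Assumed REG_DWORD; the thread assumes a reboot is needed afterwards.
        New-ItemProperty -Path $path -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
    }

    $policy = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    $svc    = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $mp     = $null
    # The Defender cmdlets are absent when the Defender feature has been uninstalled.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    }

    $findings = @()
    if ($svc -and $policy -ne 1) {
        $findings += "Defender is installed but $name is not set to 1"
    }
    if ($mp -and $mp.RealTimeProtectionEnabled) {
        $findings += 'Defender real-time protection is on alongside the third-party AV'
    }

    [pscustomobject]@{
        ForceDefenderPassiveMode = $policy
        # A running WinDefend service is expected in passive mode (see the post above).
        WinDefendService         = if ($svc) { $svc.Status } else { 'NotInstalled' }
        RealTimeProtection       = if ($mp) { $mp.RealTimeProtectionEnabled } else { $null }
        RunningMode              = if ($mp -and $mp.PSObject.Properties['AMRunningMode']) { $mp.AMRunningMode } else { 'n/a' }
        Findings                 = $findings
    }
}

Get-DefenderPassiveModeState | Format-List
```

An empty Findings list with WinDefendService shown as Running matches the passive-mode state described in the thread; run with -Enforce only from an elevated session.
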
Most Valued Members Nightowl 206 Posted February 18, 2020

6 hours ago, itman said:
Also in regards to this question: The answer is yes when WD ATP is running in "passive" mode: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility

It's running always in the background, also does download updates and make some weekly scans by default, it's still running, but not as REALTIME.

tmuster2k 22 Author Posted February 18, 2020

Thank you for confirming this information for me.