tmuster2k

Windows Defender Cloud protection stays enabled


I did a clean install of latest ESET FILE SECURITY for Windows Server 2019 and notice it left the Windows Defender Cloud Delivered Protection still enabled and had to be manually turned off. Shouldn't EFS disable this like it does real time protection? Would it interfere with ESET CLOUD Protection?  Also I noticed with EFS installed the "Windows Defender Antivirus Service" is still set to Running. Shouldn't this be disabled or set to Stopped after install and activation of EFS?

Edited by tmuster2k

On 2/12/2020 at 3:39 PM, tmuster2k said:

and notice it left the Windows Defender Cloud Delivered Protection still enabled and had to be manually turned off.

I believe Windows Defender Cloud Delivered Protection refers to WD Advanced Threat Protection, which is only standard on Enterprise versions. On Win Pro+ versions it is an optional extra-cost subscription.

If this is the case, check if Windows Defender AV is also enabled since WD ATP only works with WD anti-virus enabled. This ATP element might be why Eset didn't disable WD anti-virus.

17 hours ago, itman said:

I believe Windows Defender Cloud Delivered Protection refers to WD Advanced Threat Protection, which is only standard on Enterprise versions. On Win Pro+ versions it is an optional extra-cost subscription.

If this is the case, check if Windows Defender AV is also enabled since WD ATP only works with WD anti-virus enabled. This ATP element might be why Eset didn't disable WD anti-virus.

Hello, Itman. So I did confirm in the "Security at a Glance" section that "Virus and Threat Protection" shows that "Real time Protection is turned off", which is fine because EFS is running and activated. However, the Windows Defender Antivirus Service shows in "Services" as still running. Is this tied into anything else other than AV protection, like the Windows Security Center for reporting health of AV products running on this platform? In other words, is it normal to have this service running when EFS is also running on the same system?


2 hours ago, tmuster2k said:

So I did confirm in the "Security at a Glance" section that "Virus and Threat Protection" shows that "Real time Protection is turned off" which is fine

No, it is not fine. For Virus and Threat Protection, it should show "No action needed." Additionally, when Virus and Threat Protection is opened, what is shown should be as per the screenshot below. I also am not familiar with EFS, and it is possible that WD real-time runs concurrently with Eset's, but I seriously doubt it:

[screenshot: Eset_WDC.png]

Another possibility is an issue with loading of Eset's ELAM driver on the server. In this case, the OS will automatically enable WD's real-time protection and run it concurrently with Eset's real-time protection. If this was the case, I would think that Security Center would show that WD was the real-time protection.

Edited by itman


I did come across the following in the EFS 7 User Manual:

Quote

If you are installing ESET File Security on Windows Server 2016, Microsoft recommends to uninstall Windows Defender Features and withdraw from Windows Defender ATP enrollment to prevent problems caused by having multiple antivirus products installed on a machine.

https://download.eset.com/com/eset/apps/business/efs/windows/latest/eset_efsw_7_userguide_enu.pdf

Again the reference to WD ATP. Perhaps the above also applies to Windows Server 2019? My best guess is it does. Since Eset makes such a reference, it is assumed that it does not manage WD on Server 2016+ installations as is done for endpoint installations. -EDIT- See later posting in this thread: https://forum.eset.com/topic/22535-windows-defender-cloud-protection-stays-enabled/?do=findComment&comment=109348 for the correct way to disable WD ATP on Win Server 1803/2019 installations. This also implies that on Win Server 2016+ versions, there is no auto fallback to WD real-time protection in the event of an Eset real-time protection malfunction.

Finally, I believe the above quoted MS recommendation is a bit bogus. Obviously, MS would not recommend you use anything other than the WD + WD ATP combo. So, I would say this is an Eset recommendation.

Here's how you uninstall Win Defender on Win Server 2019: https://www.digitpage.com/remove-windows-defender-using-powershell-server-2019/ .

Edited by itman

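For the uninstall route referenced above (the EFS user guide quote and the linked Server 2019 article), here is an added example of doing it with the Server Manager cmdlets. This is not code from the ESET guide, the linked article, or any of the posters; it is only illustrative. It assumes an elevated PowerShell session on Windows Server 2016 or 2019, that the Defender feature is exposed as `Windows-Defender` (with an optional `Windows-Defender-GUI` sub-feature, which is checked at runtime rather than assumed present), and that the Defender AV service is registered as `WinDefend`.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the ESET user guide or the linked article): remove the
# Windows Defender feature from Windows Server 2016/2019 using Server Manager cmdlets.
# Feature names come from Get-WindowsFeature; the GUI sub-feature name is an
# assumption and is only acted on if the enumeration actually lists it.

$build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
Write-Host "OS build $build (14393 = Server 2016, 17134 = Server 1803, 17763 = Server 2019)"

# Enumerate the Defender-related features and their current install state.
$features = Get-WindowsFeature -Name 'Windows-Defender*' |
    Select-Object Name, DisplayName, InstallState
$features | Format-Table -AutoSize

$installed = $features | Where-Object { $_.InstallState -eq 'Installed' }
if (-not $installed) {
    Write-Host 'Windows Defender feature is not installed; nothing to do.'
    return
}

# Remove the GUI sub-feature first (if present), then the engine/service feature.
foreach ($name in @('Windows-Defender-GUI', 'Windows-Defender')) {
    if ($installed.Name -contains $name) {
        $result = Uninstall-WindowsFeature -Name $name
        Write-Host ("{0}: Success={1} RestartNeeded={2}" -f $name, $result.Success, $result.RestartNeeded)
    }
}

# Verify: the WinDefend service should no longer exist once the feature is gone.
# Server Manager usually reports RestartNeeded=Yes, so this check may only pass after a reboot.
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if ($svc) {
    Write-Host "WinDefend still present (Status=$($svc.Status)); reboot to complete removal."
} else {
    Write-Host 'WinDefend service not found; Windows Defender feature removed.'
}
```

Removing the feature is a one-way change for the lifetime of that build: it takes the Defender engine, the `WinDefend` service and the `Get-Mp*` cmdlets with it, so run it only after EFS is installed, activated and confirmed to be providing real-time protection.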

ESET is running fine with both 16 and 19 for me

Defender is disabled (real-time); all else are defaults, not changed.

23 minutes ago, Marcos said:

On Windows server systems there is no Security Center like on desktop systems.

If I understood correctly, then I believe it's available in SRV 19.

In SRV 16, Defender is among Update settings, etc.
19 is based on 1809, so it has the stuff that was made for 1809.

16 is 1607.

Edited by Rami

45 minutes ago, Rami said:

In SRV 16, Defender is among Update settings, etc.
19 is based on 1809, so it has the stuff that was made for 1809.

Does Windows Security Center exist on your SRV 19 installation?

If it doesn't, I see no way for third-party AVs to disable WD, since WSC is their interface mechanism to WD settings.

Edited by itman

5 minutes ago, itman said:

According to this video, it does appear that Server 2019 does use Windows Security Center: https://www.youtube.com/watch?v=dy3srtihjwU

The difference with client versions is WSC doesn't show on the desktop toolbar?

It uses it, but doesn't show you what AV is currently active, only that the real-time is not running (which should be not running because ESET is running).

I do understand now what Marcos means.

Edited by Rami

9 minutes ago, Rami said:

It uses it, but doesn't show you what AV is currently active, only that the real-time is not running (which should be not running because ESET is running).

I do understand now what Marcos means.

Which means that it can't be managed in regards to third party AV installation. WD needs to be uninstalled via the MS article options for Server 2016.

Also, one way to determine which AV is actually installed would be to verify if "Controlled Folders" exists, since it only applies to WD.

Edited by itman

2 minutes ago, itman said:

Which means that it can't be managed in regards to third party AV installation. WD needs to be uninstalled via the MS article options for Server 2016.

It can be. I disabled both WD Real-Time scanning and kept ESET running; never had any trouble.

16+19 ^^

Edited by Rami

4 minutes ago, Rami said:

I disabled both WD Real-Time scanning

I assume you did this via Group Policy. I assume you left other WD protections active.

Edited by itman


I will also add this comment.

It is time both Microsoft and Eset clarify what the correct procedure is in regards to WD ATP use on Server 2019. As it stands presently, the implication is that all that needs to be disabled via Group Policy is WD real-time protection, and that the other WD protections, such as subscription-based ATP features, can run concurrently with Eset EFS. Then there is the WD behavior monitoring, which includes cloud scanning. What happens if it detects malware via cloud scanning? Does the WD quarantine feature still work if WD real-time scanning is disabled?

Edited by itman

16 hours ago, itman said:

I assume you did this via Group Policy. I assume you left other WD protections active.

Not via Group Policy. It's the same steps as disabling it in Windows 10: go to Security/Windows Defender settings, Real-time scanning - OFF, and that's it. ESET is running instead.

6 hours ago, Rami said:

Not via Group Policy. It's the same steps as disabling it in Windows 10: go to Security/Windows Defender settings, Real-time scanning - OFF, and that's it. ESET is running instead.

As shown in this article: https://documentation.sisense.com/latest/content/disabledefender.htm#gsc.tab=0 , all that does is disable real-time protection. Most important is this excerpt from the linked article:

Quote

Once you've completed the steps, the Windows Server 2019 antivirus will disable its real-time protection temporarily. However, because this is a temporary solution, the next time you restart your computer Windows Defender Antivirus will re-enable automatically on your machine.

Regardless, all other WD ATP protections remain in effect. When WD is disabled by Eset in Win 10, all functionality is disabled.

As such, my prior posting's concerns in regards to running EFS concurrently with those other still-enabled WD ATP protections remain. They still need to be explored with recommendations rendered.

Edited by itman


Believe I have finally found the solution in regards to Win Server 1803/2019:

Quote

(1) On Windows Server 2016, Windows Defender AV will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should uninstall Windows Defender AV on Windows Server 2016 to prevent problems caused by having multiple antivirus products installed on a machine. If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key:

  • Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
  • Name: ForceDefenderPassiveMode
  • Value: 1

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility

It is assumed the server needs to be rebooted to make the above effective.

The above link also explains what "passive mode" means. Also of note is that the above is a "hard" setting to passive mode, as I understand it. This means that if Eset real-time protection malfunctions for some reason, there will be no auto fall-back to WD ATP as real-time protection. The only way to re-enable WD ATP real-time protection is to reset the above reg. key to a value of "0" and reboot the server.

Also for Eset, auto setting the above registry key on Win Server 1803/2019 needs to be done at Eset product installation time.

Edited by itman


Also in regards to this question:

On 2/14/2020 at 2:30 PM, tmuster2k said:

However the Windows Defender Antivirus Service shows in "Services" as still running. Is this tied into anything else other than AV protection like the windows security center for reporting health of AV products running on this platform?  In other words is it normal to have this service running when EFS is also running on the same system. 

The answer is yes when WD ATP is running in "passive" mode:

Quote

Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Microsoft Defender ATP service.

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility

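As an added example covering both the passive-mode registry setting from the Win Server 1803/2019 post above and the "is it normal for WinDefend to keep running" question answered here, the script below writes the `ForceDefenderPassiveMode` value quoted from the Microsoft compatibility article and then reports what the OS itself says about Defender's state. It is not code from the forum posters, ESET, or Microsoft's article. Assumptions: an elevated PowerShell session on Server 1803/2019 (on Server 2016 the article says this key has no effect and the feature must be uninstalled instead); that the Defender module's `Get-MpComputerStatus` is available; that the AV service is named `WinDefend` and the ATP sensor service `Sense` (absent unless the server is onboarded to ATP); and that the `AMRunningMode` property may be missing on older Defender platform versions, so it is read defensively.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the forum posts, ESET, or Microsoft's article): put Windows
# Defender AV into passive mode on Windows Server 1803/2019 via the
# ForceDefenderPassiveMode policy value, then report Defender's own view of its state.
# Per the quoted article the value only applies to 1803/2019; a reboot is expected
# before it takes effect.
[CmdletBinding()]
param(
    # 1 = passive mode (Defender scans/reports but does not remediate), 0 = normal mode.
    [ValidateSet(0, 1)]
    [int]$PassiveMode = 1
)

$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$valueName = 'ForceDefenderPassiveMode'

# Create the policy key if it does not exist, then write the DWORD (overwriting any old value).
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $PassiveMode -Force | Out-Null

$current = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
Write-Host "$valueName is now $current (takes effect after reboot)"

# Report Defender's view of itself. AMRunningMode (e.g. 'Normal', 'Passive Mode') only
# exists on newer Defender platform versions, so check for the property before reading it.
$status = Get-MpComputerStatus
$runningMode = if ($status.PSObject.Properties['AMRunningMode']) {
    $status.AMRunningMode
} else {
    '(AMRunningMode not exposed by this platform version)'
}

# Service names are assumptions: WinDefend = Windows Defender Antivirus Service,
# Sense = Windows Defender ATP sensor (only present on ATP-onboarded machines).
$winDefend = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
$sense     = Get-Service -Name Sense     -ErrorAction SilentlyContinue

[pscustomobject]@{
    AMServiceEnabled          = $status.AMServiceEnabled
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    AMRunningMode             = $runningMode
    WinDefendService          = if ($winDefend) { $winDefend.Status } else { 'not installed' }
    SenseService              = if ($sense)     { $sense.Status }     else { 'not installed' }
} | Format-List
```

In passive mode it is expected that `WinDefendService` still shows `Running` while `RealTimeProtectionEnabled` is `False`; that matches the compatibility article's description and the observation in the original post. Running the script with `-PassiveMode 0` and rebooting is the reversal the post above describes, and because the value is a policy setting there is no automatic fall-back to Defender if the third-party real-time protection stops working.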
6 hours ago, itman said:

Also in regards to this question:

The answer is yes when WD ATP is running in "passive" mode:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility

It's always running in the background; it also downloads updates and runs some weekly scans by default. It's still running, but not as real-time.
