
Windows Defender still running after install of Eset Internet Security



Hi, I would like to ask if anyone else has this problem, because after installing EIS, Windows Defender is not disabled even though it is shown as disabled in the settings, even after a reboot. 
When Eset analyzes some downloaded file, or sometimes when I browse web pages, both antiviruses use a lot of the processor.
Sometimes I notice performance drops.
Please, I would be very grateful for any help you can give me.

Captura de pantalla 2022-11-19 184611.png

Captura de pantalla 2022-11-19 184901.png


  • Administrators

It's Windows itself that disables Defender when another 3rd party AV registers in the Security Center. You can open a support ticket for further troubleshooting, however, it's unlikely that we'll be able to help. What you could try is rebuilding the WMI repository as per https://techcommunity.microsoft.com/t5/ask-the-performance-team/wmi-rebuilding-the-wmi-repository/ba-p/373846.


18 minutes ago, AlinDroiid said:

Hi, I would like to ask if anyone else has this problem, because after installing EIS, Windows Defender is not disabled even though it is shown as disabled in the settings, even after a reboot. 

In Windows Security Center -> Threat & Protection setting, verify that you have not enabled Periodic scanning per below screen shot. If Periodic scanning is enabled, the Windows Defender engine will load at system startup and remain running regardless of whether a scan is being performed.

Eset_WSD.thumb.png.e6993bfd943b485001934d25cfb67a3d.png


3 hours ago, Marcos said:

If you are using Windows 11, Microsoft has added "Smart App Control" which is enabled by default and leverages the Defender service.

I did the test here with Kaspersky and Windows Defender; after installing Kaspersky it was automatically deactivated.
The hard part is knowing how Kaspersky does this deactivation.


  • Administrators

We do not deactivate Defender at all (I'm not sure if MS even allows it). Instead AVs are requested to register in the Security Center and it's Windows which deactivates Defender then automatically.


4 hours ago, Marcos said:

If you are using Windows 11, Microsoft has added "Smart App Control" which is enabled by default

Here's an article on it: https://beebom.com/what-is-smart-app-control-windows-11-enable-it/ . By default, it runs initially in "evaluation" mode and will only be activated (supposedly) if it finds suspicious activity.

When Win 11 was introduced, this feature caused issues for some, resulting in many just disabling the feature. Of note is that once disabled, it can only be reactivated by performing an OS reinstall.


Another reason not to rely on Smart App Control for malware detection.

Smart App Control's primary protection method is its cloud scanning component. Smart App Control, like Microsoft Defender, uses file "Mark of the Web" (MotW) status criteria for cloud scanning: https://twitter.com/dwizzzleMSFT/status/1554283569685573633 . There currently exists a vulnerability in MotW: https://www.bleepingcomputer.com/news/security/new-attacks-use-windows-security-bypass-zero-day-to-drop-malware/ , yet to be patched by Microsoft, that is currently being actively exploited by hackers. In reality, and notwithstanding any vulnerability status, it is rather trivial to strip MotW ADS from a file download.

Finally, Smart App Control's secondary protection method is app signature status. It will allow signed apps to run unimpeded. Note that malware developers are increasingly using signed malware.


Since Windows 11 22H2, the Defender service is always on with all AV products. It's the norm now. But it won't cause any CPU or Disk usage, it stays idle but will update signatures at least once a day/after every system start or restart if fast startup is off.  

2 hours ago, New_Style_xd said:

I did the test here with Kaspersky and Windows Defender; after installing Kaspersky it was automatically deactivated.
The hard part is knowing how Kaspersky does this deactivation.

I tested Kaspersky even today, and it didn't turn off the Defender service. There must have been some other issues. Mine is freshly installed 22H2 BTW, not an update over 22H1.


Thank you all very much for your answers, so it is because of Windows 11 and its new update. In my case along with the performance errors with Nvidia GPUs, I think I will have to go back to Windows 10. 


4 hours ago, SeriousHoax said:

But it won't cause any CPU or Disk usage

It's using 80+ 115 MB of memory if I recall correctly as shown in the above screen shot.

It is also possible to disable MD in Win 11: https://winaero.com/how-to-disable-defender-in-windows-11/


19 minutes ago, itman said:

It's using 80+ MB of memory if I recall correctly.

It is also possible to disable MD in Win 11: https://www.alphr.com/disable-windows-defender-windows-11/

Yeah, it uses some RAM which will vary from system to system, but there's no CPU usage or any disk activity. Any usual methods like GPO don't work to disable the service. Other methods described by turning off tamper protection, taking ownership, changing permission, etc. should work.

I have a bat script to disable the Defender service after turning off tamper protection, but I won't really recommend that to novice users since the service doesn't cause any harm.

So yeah, the Defender service running even with third-party AV installed is currently the expected behavior in Windows 11 22H2.

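The posts above describe third-party AVs registering in the Security Center and the Defender service staying loaded on Windows 11 22H2. The read-only PowerShell check below is an added example, not code from any poster or from ESET: it lists what is registered and how Defender reports its own running mode. The `productState` bit layout used in the hypothetical helper `ConvertFrom-ProductState` is an assumption based on community reverse-engineering, since Microsoft does not document it.

```powershell
# Added example (not from the thread). Read-only; changes no settings.
# root/SecurityCenter2 exists on Windows client editions, not on Windows Server.

function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][uint32]$State)
    # ASSUMPTION: undocumented layout 0xPPSSDD, as commonly decoded by the community:
    #   SS (middle byte): bit 0x10 set  -> real-time protection on
    #   DD (low byte)   : 0x00 up to date, 0x10 out of date
    $rt  = ($State -shr 8) -band 0xFF
    $def = $State -band 0xFF
    [pscustomobject]@{
        Hex         = '0x{0:X6}' -f $State
        RealTime    = if ($rt -band 0x10) { 'On' } else { 'Off' }
        Definitions = switch ($def) {
            0x00    { 'UpToDate' }
            0x10    { 'OutOfDate' }
            default { 'Unknown' }
        }
    }
}

# 1. Every AV product registered with Windows Security Center.
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
    ForEach-Object {
        $s = ConvertFrom-ProductState -State $_.productState
        [pscustomobject]@{
            Product     = $_.displayName
            State       = $s.Hex
            RealTime    = $s.RealTime
            Definitions = $s.Definitions
        }
    } | Format-Table -AutoSize

# 2. The Defender service itself (expected to exist even with a third-party AV).
Get-Service -Name WinDefend -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

# 3. Defender's own view. AMRunningMode shows values such as "Normal",
#    "Passive Mode" or "SxS Passive Mode" (periodic scanning beside another AV).
try {
    Get-MpComputerStatus -ErrorAction Stop |
        Select-Object AMRunningMode, AMServiceEnabled, AntivirusEnabled,
                      RealTimeProtectionEnabled
} catch {
    Write-Warning "Get-MpComputerStatus unavailable: $($_.Exception.Message)"
}
```

A registered third-party product showing `RealTime = On` while Defender's `RealTimeProtectionEnabled` is `False` matches the behaviour described in the thread: the service is loaded, but it is not the active real-time scanner.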

1 hour ago, SeriousHoax said:

Yeah, it uses some ram which will vary from system to system, but there's no CPU usage or any disk activity.

The question is if WD built-in sandbox protection is enabled when running in Win 11 passive protection mode? The WD engine is a huge potential attack surface for hackers.

-EDIT- Well, assume that the WD sandbox is disabled:

Quote

Microsoft describes the Sandbox as "Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm. The goal for the sandboxed components was to ensure that they encompassed the highest risk functionality like scanning untrusted input, expanding containers, and so on. At the same time, we had to minimize the number of interactions between the two layers to avoid a substantial performance cost."

Sandbox is disabled by default and only available for builds 1709 and newer.

https://www.majorgeeks.com/content/page/how_to_enable_the_windows_defender_sandbox_in_windows_10.html


On 11/22/2022 at 1:56 AM, itman said:

-EDIT- Well, assume that the WD sandbox is disabled:

It came enabled by default when Windows 11 came out without third-party AV installed. But a few months later they pushed an update somewhere along the way, either part of a Defender update or Windows update, which disabled the sandbox. It even got disabled in Windows Insider editions. Later it was enabled in Windows 11 insider editions once again. So performance impact or some bugs made MS disable it. I for example found a bug when MD won't delete threats when sandbox is enabled. It only blocked, but didn't delete.


It appears to me that the reason MS is running Defender in Win 11 is to support SmartApp cloud scanning. I wonder if SmartApp was permanently disabled, Defender would revert to Win 10 behavior and not load at system startup time? This would be preferable to permanently disabling MD. I assume with MD permanently disabled, it will not auto startup if there's an issue with an installed third party AV real-time protection.


On 11/23/2022 at 5:52 AM, itman said:

It appears to me that the reason MS is running Defender in Win 11 is to support SmartApp cloud scanning. I wonder if SmartApp was permanently disabled, Defender would revert to Win 10 behavior and not load at system startup time? This would be preferable to permanently disabling MD. I assume with MD permanently disabled, it will not auto startup if there's an issue with an installed third party AV real-time protection.

No, it's on even when Smart App Control is disabled. My SAC got auto disabled 1 day after my Windows 22H2 installation, but the Defender service kept running. It's the same for everyone.  


This topic is now closed to further replies.