AlinDroiid, posted November 19, 2022:

Hi, I would like to ask if anyone else has this problem, because after installing EIS, Windows Defender is not disabled even though it is shown as disabled in the settings, even after a reboot. When ESET analyzes a downloaded file, or sometimes when I browse web pages, both antivirus programs use a lot of the processor. Sometimes I notice performance drops. Please, I would be very grateful for any help you can give me.

Marcos (Administrators), posted November 19, 2022:

It's Windows itself that disables Defender when another 3rd party AV registers in the Security Center. You can open a support ticket for further troubleshooting, however, it's unlikely that we'll be able to help. What you could try is rebuilding the WMI repository as per https://techcommunity.microsoft.com/t5/ask-the-performance-team/wmi-rebuilding-the-wmi-repository/ba-p/373846.

itman, posted November 19, 2022:

18 minutes ago, AlinDroiid said:
> Hi, I would like to ask if anyone else has this problem, because after installing EIS, Windows Defender is not disabled even though it is shown as disabled in the settings, even after a reboot.

In Windows Security Center -> Threat & Protection setting, verify that you have not enabled Periodic scanning per below screen shot. If Periodic scanning is enabled, the Windows Defender engine will load at system startup and remain running regardless of whether a scan is being performed.

Edited November 19, 2022 by itman

Marcos (Administrators), posted November 21, 2022:

If you are using Windows 11, Microsoft has added "Smart App Control" which is enabled by default and leverages the Defender service.

New_Style_xd, posted November 21, 2022:

3 hours ago, Marcos said:
> If you are using Windows 11, Microsoft has added "Smart App Control" which is enabled by default and leverages the Defender service.

I did the test here with Kaspersky and Windows Defender; after installing Kaspersky it automatically deactivated. The hard part is knowing how Kaspersky does this deactivation.

Marcos (Administrators), posted November 21, 2022:

We do not deactivate Defender at all (I'm not sure if MS even allows it). Instead AVs are requested to register in the Security Center and it's Windows which deactivates Defender then automatically.

itman, posted November 21, 2022:

4 hours ago, Marcos said:
> If you are using Windows 11, Microsoft has added "Smart App Control" which is enabled by default

Here's an article on it: https://beebom.com/what-is-smart-app-control-windows-11-enable-it/. By default, it runs initially in "evaluation" mode and will only be activated (supposedly) if it finds suspicious activity. When Win 11 was introduced, this feature caused issues for some, resulting in many just disabling the feature. Of note is that once disabled, it can only be reactivated by performing an OS reinstall.

itman, posted November 21, 2022:

Another reason not to rely on Smart App Control for malware detection.

Smart App Control's primary protection method is its cloud scanning component. Smart App Control, like Microsoft Defender, uses file "Mark of the Web" (MotW) status criteria for cloud scanning: https://twitter.com/dwizzzleMSFT/status/1554283569685573633. There currently exists a vulnerability in MotW: https://www.bleepingcomputer.com/news/security/new-attacks-use-windows-security-bypass-zero-day-to-drop-malware/, yet to be patched by Microsoft, that is currently being actively exploited by hackers. In reality, and notwithstanding any vulnerability status, it is rather trivial to strip MotW ADS from a file download.

Finally, Smart App Control's secondary protection method is app signature status. It will allow signed apps to run unimpeded. Note that malware developers are increasingly using signed malware.

Edited November 21, 2022 by itman

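The post above refers to MotW as an ADS: the mark is an NTFS alternate data stream named `Zone.Identifier` attached to the downloaded file. As an added example (not part of the thread), the PowerShell below reports which files in a folder carry that stream and which zone it records, so files that arrived without the mark stand out; the function name `Get-MotwStatus` and the sample files are constructed for illustration.

```powershell
# Added example, not from the thread. Requires Windows and an NTFS volume.
function Get-MotwStatus {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File | ForEach-Object {
        # Read the Zone.Identifier stream; a missing stream yields no output.
        $raw = Get-Content -LiteralPath $_.FullName -Stream 'Zone.Identifier' `
                   -ErrorAction SilentlyContinue
        $zone = $null
        if ($raw) {
            $m = $raw | Select-String -Pattern '^ZoneId=(\d+)' |
                     Select-Object -First 1
            if ($m) { $zone = [int]$m.Matches[0].Groups[1].Value }
        }
        [pscustomobject]@{
            Name    = $_.Name
            HasMotw = [bool]$raw
            ZoneId  = $zone      # 3 = Internet zone
        }
    }
}

# Constructed sample: one file tagged the way a browser download would be,
# one file with no mark at all.
$dir = Join-Path $env:TEMP ('motw-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$tagged   = Join-Path $dir 'tagged.txt'
$untagged = Join-Path $dir 'untagged.txt'
Set-Content -LiteralPath $tagged   -Value 'sample'
Set-Content -LiteralPath $tagged   -Stream 'Zone.Identifier' `
            -Value "[ZoneTransfer]`r`nZoneId=3"
Set-Content -LiteralPath $untagged -Value 'sample'

Get-MotwStatus -Path $dir | Format-Table -AutoSize

Remove-Item -LiteralPath $dir -Recurse -Force
```

Pointed at a real downloads folder, rows with `HasMotw` false are the files that any MotW-keyed check would not treat as downloaded content.
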
SeriousHoax, posted November 21, 2022:

Since Windows 11 22H2, the Defender service is always on with all AV products. It's the norm now. But it won't cause any CPU or Disk usage, it stays idle but will update signatures at least once a day/after every system start or restart if fast startup is off.

2 hours ago, New_Style_xd said:
> I did the test here with Kaspersky and Windows Defender; after installing Kaspersky it automatically deactivated. The hard part is knowing how Kaspersky does this deactivation.

I tested Kaspersky even today, and it didn't turn off the Defender service. There must have been some other issues. Mine is freshly installed 22H2 BTW, not an update over 22H1.

AlinDroiid (Author), posted November 21, 2022:

Thank you all very much for your answers, so it is because of Windows 11 and its new update. In my case along with the performance errors with Nvidia GPUs, I think I will have to go back to Windows 10.

itman, posted November 21, 2022:

4 hours ago, SeriousHoax said:
> But it won't cause any CPU or Disk usage

It's using 80+ 115 MB of memory if I recall correctly as shown in the above screen shot.

It is also possible to disable MD in Win 11: https://winaero.com/how-to-disable-defender-in-windows-11/

Edited November 21, 2022 by itman

SeriousHoax, posted November 21, 2022:

19 minutes ago, itman said:
> It's using 80+ MB of memory if I recall correctly. It is also possible to disable MD in Win 11: https://www.alphr.com/disable-windows-defender-windows-11/

Yeah, it uses some RAM which will vary from system to system, but there's no CPU usage or any disk activity. Any usual methods like GPO don't work to disable the service. Other methods described by turning off tamper protection, taking ownership, changing permission, etc. should work. I have a bat script to disable the Defender service after turning off tamper protection, but won't really recommend that to novice users since the service doesn't cause any harm.

So yeah, the Defender service running even with third-party AV installed is currently the expected behavior in Windows 11 22H2.

Edited November 21, 2022 by SeriousHoax

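To see on a given machine what the posts above describe (which AV is registered in the Security Center, whether the Defender service is still loaded, and how much memory it holds), the following PowerShell is an added example and not something posted in the thread. The function name `Get-AvCoexistenceReport` is hypothetical; the cmdlets and properties are the standard ones shipped with Windows 10/11 client editions.

```powershell
# Added example, not from the thread. Read-only; changes no settings.
function Get-AvCoexistenceReport {
    # AV products registered with Windows Security Center (client editions).
    $registered = Get-CimInstance -Namespace 'root/SecurityCenter2' `
            -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Product  = $_.displayName
                # productState is an undocumented bitfield: shown raw.
                StateHex = '0x{0:X6}' -f $_.productState
                Binary   = $_.pathToSignedProductExe
            }
        }

    # Defender's own view; the cmdlet errors out if the engine is unavailable.
    $mode = 'unavailable'; $realTime = $null; $tamper = $null
    try {
        $mp       = Get-MpComputerStatus -ErrorAction Stop
        $mode     = $mp.AMRunningMode        # e.g. 'Normal' or 'Passive Mode'
        $realTime = $mp.RealTimeProtectionEnabled
        $tamper   = $mp.IsTamperProtected
    } catch { }

    $svc  = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $proc = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue |
                Select-Object -First 1

    [pscustomobject]@{
        RegisteredAv        = $registered
        DefenderService     = if ($svc) { [string]$svc.Status } else { 'not present' }
        DefenderRunningMode = $mode
        DefenderRealTime    = $realTime
        TamperProtection    = $tamper
        MsMpEngWorkingSetMB = if ($proc) {
                                  [math]::Round($proc.WorkingSet64 / 1MB)
                              } else { 0 }
    }
}

$report = Get-AvCoexistenceReport
$report.RegisteredAv | Format-Table -AutoSize
$report | Select-Object * -ExcludeProperty RegisteredAv | Format-List
```

A running service with real-time protection reported as off and a third-party product in the registered list matches the behaviour the thread calls expected on Windows 11 22H2.
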
itman, posted November 21, 2022:

1 hour ago, SeriousHoax said:
> Yeah, it uses some ram which will vary from system to system, but there's no CPU usage or any disk activity.

The question is if WD built-in sandbox protection is enabled when running in Win 11 passive protection mode? The WD engine is a huge potential attack surface for hackers.

-EDIT- Well, assume that the WD sandbox is disabled:

Quote
> Microsoft describes the Sandbox as "Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm. The goal for the sandboxed components was to ensure that they encompassed the highest risk functionality like scanning untrusted input, expanding containers, and so on. At the same time, we had to minimize the number of interactions between the two layers to avoid a substantial performance cost."
>
> Sandbox is disabled by default and only available for builds 1709 and newer.

https://www.majorgeeks.com/content/page/how_to_enable_the_windows_defender_sandbox_in_windows_10.html

Edited November 21, 2022 by itman

SeriousHoax, posted November 22, 2022:

On 11/22/2022 at 1:56 AM, itman said:
> -EDIT- Well, assume that the WD sandbox is disabled:

It came enabled by default when Windows 11 came out without third-party AV installed. But a few months later they pushed an update somewhere along the way, either part of a Defender update or Windows update, which disabled the sandbox. It even got disabled in Windows Insider editions. Later it was enabled in Windows 11 insider editions once again. So performance impact or some bugs made MS disable it. I for example found a bug when MD won't delete threats when sandbox is enabled. It only blocked, but didn't delete.

itman, posted November 22, 2022:

It appears to me that the reason MS is running Defender in Win 11 is to support SmartApp cloud scanning. I wonder if SmartApp was permanently disabled, Defender would revert to Win 10 behavior and not load at system startup time? This would be preferable to permanently disabling MD. I assume with MD permanently disabled, it will not auto startup if there's an issue with an installed third party AV real-time protection.

SeriousHoax, posted November 25, 2022:

On 11/23/2022 at 5:52 AM, itman said:
> It appears to me that the reason MS is running Defender in Win 11 is to support SmartApp cloud scanning. I wonder if SmartApp was permanently disabled, Defender would revert to Win 10 behavior and not load at system startup time? This would be preferable to permanently disabling MD. I assume with MD permanently disabled, it will not auto startup if there's an issue with an installed third party AV real-time protection.

No, it's on even when Smart App Control is disabled. My SAC got auto disabled 1 day after my Windows 22H2 installation, but the Defender service kept running. It's the same for everyone.