HIPS blocks Windows Defender installation

[ludolf 6]

Hello

Initial state: Windows Server 2016 without windows-defender feature, Eset Server Security 9.0.12013 with enabled HIPS

If I try to install Defender (install-windowsfeature windows-defender), it requires a restart, and after the restart it is not installed.

Noticed, that disabling Eset HIPS for the installation solves the issue.

Enabled HIPS / blocked events logging and tried again. 

It logged this event during the defender install: 

12/7/2022 4:38:42 PM;C:\Windows\System32\poqexec.exe;Get access to file;C:\Windows\ELAMBKUP\;Blocked;Self-Defense: Protect ESET files;Write to file

So added the poqexec (full path) to the rules, with "All file operations" and target files: C:\Windows\ELAMBKUP\WdBoot.sys. Still blocked.

Changed target files to "All target files", still blocked.

Turned out that the HIPS' "Self defense" function is the culprit, and if it is enabled, the above allowed rules are completely ignored.

Is this a bug or the expected operation? 

thanks

 

 

[Marcos 5,069]

Do you want to keep ESET's real-time protection disabled and use Windows Defender instead or what are you trying to achieve?

[ludolf 6]

Tyring to use both solution. There are features in them, which is missing in the other. 

[Marcos 5,069]

You cannot use both a time. Is there a problem enabling Defender after turning off ESET's real-time protection completely in the advanced setup?

[ludolf 6]

There is no other issue with them, they can run paralell.

[itman 1,659]

Actually, Microsoft Defender is installed on Win Server 2016.

Refer to this article: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide on how to set it to run in passive mode when using a third party AV solution.

Quote

On Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016, or Windows Server 2012 R2, Microsoft Defender Antivirus doesn't enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, set Microsoft Defender Antivirus to passive mode to prevent problems caused by having multiple antivirus products installed on a server. You can set Microsoft Defender Antivirus to passive mode using a registry key as follows:

• Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
• Name: ForceDefenderPassiveMode
• Type: REG_DWORD
• Value: 1

You can view your protection status in PowerShell by using the command Get-MpComputerStatus. Check the value for AMRunningMode. You should see Normal, Passive, or EDR Block Mode if Microsoft Defender Antivirus is enabled on the endpoint.

Note

For passive mode to work on endpoints running Windows Server 2016 and Windows Server 2012 R2, those endpoints must be onboarded with the modern, unified solution described in Onboard Windows servers.

(3) On Windows Server 2016, Windows Server 2012 R2, Windows Server version 1803 or newer, Windows Server 2019, and Windows Server 2022, if you are using a non-Microsoft antivirus product on an endpoint that is not onboarded to Microsoft Defender for Endpoint, disable/uninstall Microsoft Defender Antivirus manually to prevent problems caused by having multiple antivirus products installed on a server.

Edited December 7, 2022 by itman

[Marcos 5,069]

On Windows server systems there is no Windows Security to register 3rd party AVs into so other mechanisms are used to disable Defender. Running Defender concurrently with ESET or another AV could lead to issues.