Jump to content

HIPS blocks Windows Defender installation

Recommended Posts


Initial state: Windows Server 2016 without windows-defender feature, Eset Server Security 9.0.12013 with enabled HIPS

If I try to install Defender (install-windowsfeature windows-defender), it requires a restart, and after the restart it is not installed.

Noticed, that disabling Eset HIPS for the installation solves the issue.

Enabled HIPS / blocked events logging and tried again. 

It logged this event during the defender install: 

12/7/2022 4:38:42 PM;C:\Windows\System32\poqexec.exe;Get access to file;C:\Windows\ELAMBKUP\;Blocked;Self-Defense: Protect ESET files;Write to file

So added the poqexec (full path) to the rules, with "All file operations" and target files: C:\Windows\ELAMBKUP\WdBoot.sys. Still blocked.

Changed target files to "All target files", still blocked.

Turned out that the HIPS' "Self defense" function is the culprit, and if it is enabled, the above allowed rules are completely ignored.

Is this a bug or the expected operation? 




Link to comment
Share on other sites

  • Administrators

You cannot use both a time. Is there a problem enabling Defender after turning off ESET's real-time protection completely in the advanced setup?

Link to comment
Share on other sites

Actually, Microsoft Defender is installed on Win Server 2016.

Refer to this article: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide on how to set it to run in passive mode when using a third party AV solution.


On Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016, or Windows Server 2012 R2, Microsoft Defender Antivirus doesn't enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, set Microsoft Defender Antivirus to passive mode to prevent problems caused by having multiple antivirus products installed on a server. You can set Microsoft Defender Antivirus to passive mode using a registry key as follows:

  • Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
  • Name: ForceDefenderPassiveMode
  • Type: REG_DWORD
  • Value: 1

You can view your protection status in PowerShell by using the command Get-MpComputerStatus. Check the value for AMRunningMode. You should see Normal, Passive, or EDR Block Mode if Microsoft Defender Antivirus is enabled on the endpoint.


For passive mode to work on endpoints running Windows Server 2016 and Windows Server 2012 R2, those endpoints must be onboarded with the modern, unified solution described in Onboard Windows servers.

(3) On Windows Server 2016, Windows Server 2012 R2, Windows Server version 1803 or newer, Windows Server 2019, and Windows Server 2022, if you are using a non-Microsoft antivirus product on an endpoint that is not onboarded to Microsoft Defender for Endpoint, disable/uninstall Microsoft Defender Antivirus manually to prevent problems caused by having multiple antivirus products installed on a server.

Edited by itman
Link to comment
Share on other sites

  • Administrators

On Windows server systems there is no Windows Security to register 3rd party AVs into so other mechanisms are used to disable Defender. Running Defender concurrently with ESET or another AV could lead to issues.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...