Forum Discussion
LucaCavana
Jan 31, 2022, Iron Contributor
Microsoft Defender for Endpoint freeze Windows Server 2012 R2
Hello, we onboarded several Windows Server 2012 R2 VMs and physical servers on to Microsoft Defender for Endpoint using the new onboarding package by following this doc "https://docs.microsoft.com/en-...
paolotela
Feb 17, 2022, Copper Contributor
Hi Luca,
Thank you very much for your suggestion! We are in the middle of a transition phase between two antivirus products, Cylance Protect (the former one) and MDE (the new one). They are both running on many servers. Maybe there is a correlation/interference, and maybe the storage behaviour comes from this. We will do the RAM collection and I'll let you know.
Paul_Huijbregts
Feb 17, 2022, Microsoft
Hi Luca and Paolo, I think it's very important here to point out that running any security solution alongside another requires some consideration around interaction, and identifying and then configuring the required exclusions or running mode.
The recommendation is firstly to avoid 2 active AV solutions (like Defender AV + Cylance), as they would both be in the real-time blocking path. I recommend running in Defender Antivirus passive mode until such time as Cylance is uninstalled, unless the intent is to maintain Cylance as the AV (but we recommend running our full stack; see https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#how-microsoft-defender-antivirus-affects-defender-for-endpoint-functionality to learn about affected functionality).
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/switch-to-mde-phase-3?view=o365-worldwide has a lot of good information on how to switch over, including using passive mode. Paolo, I suggest investigating this approach for your scenario before opening a support case.
Then, if the other security solution is not in the blocking path (like AV), please consult the tool's documentation for suggested AV exclusions. If there are none, the performance analyzer tool (note this is not the connectivity analyzer tool) can help with identification: https://docs.microsoft.com/en-us/security/defender-endpoint/tune-performance-defender-antivirus
Turning off Defender Antivirus altogether in the context of (being onboarded to) Microsoft Defender for Endpoint is not recommended for production; either apply the right exclusions in case of interaction with a non-AV tool, or consider passive mode to coexist with non-Microsoft antimalware solutions.
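The checks behind Paul's advice (which mode Defender AV is actually running in, whether the passive-mode policy value is set, and which exclusions are already configured) can be scripted. The following is an added example written for this thread, not code from Microsoft or from any participant. It assumes an elevated PowerShell session on a server where the Defender platform is installed (so that the `Get-MpComputerStatus` and `Get-MpPreference` cmdlets are available), and it uses the documented `ForceDefenderPassiveMode` DWORD under `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`; the `-SetPassive` switch and the `Get-DefenderCoexistenceState` function name are this example's own.

```powershell
# Added example (not from the thread or from Microsoft): report Defender AV's
# running mode and exclusions on an MDE-onboarded server, and optionally place
# Defender AV in passive mode while a non-Microsoft AV is still the active engine.
# Assumes an elevated session and that the Defender cmdlets are present.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$SetPassive   # example's own switch: write the passive-mode policy value
)

# Documented policy location for forcing passive mode on servers.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$ValueName  = 'ForceDefenderPassiveMode'

function Get-DefenderCoexistenceState {
    # Collects the facts an admin wants before deciding on exclusions vs. passive mode.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Read the policy value if present; $null means "not configured".
    $policy = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        # Typical values: 'Normal', 'Passive Mode', 'EDR Block Mode', 'SxS Passive Mode'
        RunningMode              = $status.AMRunningMode
        AntivirusEnabled         = $status.AntivirusEnabled
        RealTimeProtection       = $status.RealTimeProtectionEnabled
        ForceDefenderPassiveMode = if ($policy) { $policy.$ValueName } else { $null }
        # Exclusions already in place; compare these with the other vendor's documented list.
        PathExclusions           = @($pref.ExclusionPath)
        ProcessExclusions        = @($pref.ExclusionProcess)
    }
}

$state = Get-DefenderCoexistenceState
$state | Format-List

# Two active real-time engines (Defender AV in 'Normal' mode next to another AV)
# is the situation the post warns about; flag it explicitly.
if ($state.RunningMode -eq 'Normal' -and $state.ForceDefenderPassiveMode -ne 1) {
    Write-Warning 'Defender AV is active. If another AV is still installed, consider passive mode until it is removed.'
}

if ($SetPassive) {
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    # SupportsShouldProcess lets the caller dry-run this with -WhatIf.
    if ($PSCmdlet.ShouldProcess("$PolicyPath\$ValueName", 'Set DWORD to 1 (Defender AV passive mode)')) {
        New-ItemProperty -Path $PolicyPath -Name $ValueName -Value 1 -PropertyType DWord -Force | Out-Null
        Write-Output 'Passive mode policy written; re-run the report to confirm AMRunningMode changes.'
    }
}
```

Run it without parameters first to see the current state, and with `-SetPassive -WhatIf` to preview the registry write before committing it. The exclusion lists it prints are the Defender side of the picture; as Luca's later reply shows, the other tool's own exclusion list (excluding MDE paths and processes there) is a separate configuration that this script cannot touch.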
LucaCavana
Feb 17, 2022, Iron Contributor
Hello PaulHb,
it's a little different in our case.
The former antivirus solution was of course uninstalled (it was Trend Micro) before installing the Defender AV on the 2012 R2 servers, as well as on all the other supported OS versions.
The problem was the third party EDR (SecureWorks). We did not foresee it as a possible source of problems and the customer does not want to decommission it.
It looks like we resolved it by excluding the MDE paths and processes from SecureWorks (over which we have no control).
Paul_Huijbregts
Feb 17, 2022, Microsoft
Thanks Luca - whilst my reply was targeted at multiple scenarios, in your specific case the paragraph around setting exclusions for MDE processes in the non-Microsoft solution applies, as well as the general recommendation to proceed with caution in any such scenario.
Appreciate your work with our support team to get to a resolution path!