Scheduled Scans with Defender AV with ATP

%3CLINGO-SUB%20id%3D%22lingo-sub-1322777%22%20slang%3D%22en-US%22%3EScheduled%20Scans%20with%20Defender%20AV%20with%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1322777%22%20slang%3D%22en-US%22%3E%3CP%3EGood%20afternoon.%26nbsp%3B%20I'm%20working%20on%20migrating%20our%20company%20over%20to%20Microsoft%20Defender%20AV%20with%20Defender%20ATP%20as%20ATP%20is%20included%20in%20our%20E5%20license.%26nbsp%3B%20Is%20there%20any%20guidance%20regarding%20running%20scheduled%20AV%20scans%20with%20Defender%20Antivirus%20when%20making%20use%20of%20Defender%20ATP%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20any%20need%20to%20run%20scheduled%20scans%20with%20Defender%20Antivirus%20or%20does%20Defender%20ATP%20cover%20that%20aspect%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20been%20looking%20online%20and%20reading%20through%20some%20other%20post%20but%20have%20not%20found%20anything%20definite%20regarding%20is%20scheduled%20quick%20or%20full%20scans%20with%20Defender%20Antivirus%20are%20recommend%20to%20supplement%20the%20protection%20provided%20by%20ATP%20so%20any%20assistance%20with%20this%20would%20be%20appreciated.%26nbsp%3B%20Thank%20you.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1322777%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EATP%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EDefender%20AV%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1378965%22%20slang%3D%22en-US%22%3ERe%3A%20Scheduled%20Scans%20with%20Defender%20AV%20with%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1378965%22%20slang%3D%22en-US%22%3EScheduled%20scans%20are%20all%20but%20obsolete%20now%20that%20most%20good%20malware%20is%20polymorphic%20and%20obfuscates%20itself%20to%20evade%20traditional%20virus%20definitions.%20If%20real-time%20protection%20is%20enabled%2C%20then%20in%20theory%20a%20scheduled%20scan%20shouldn't%20be%20needed%20other%20than%20upon%20first%20installation%20to%20verify%20the%20prior%20disk%20contents%20(because%20real-time%20protection%20will%20scan%20all%20new%20added%20content).%3CBR%20%2F%3ESo%20a%20weekly%20scan%20is%20probably%20fine%20but%20I%20wouldn't%20recommend%20daily%20-%20the%20risk%2Freward%20ratio%20just%20isn't%20there%20when%20you%20consider%20the%20CPU%20overhead%20costs%20of%20scans.%20This%20is%20just%20my%20opinion.%3CBR%20%2F%3EHere%20is%20where%20you%20can%20find%20those%20settings%20using%20GPO%2C%20PowerShell%2C%20Intune%20or%20MEM%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fconfigure-advanced-scan-types-windows-defender-antivirus%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fconfigure-advanced-scan-types-windows-defender-antivirus%3C%2FA%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1387560%22%20slang%3D%22en-US%22%3ERe%3A%20Scheduled%20Scans%20with%20Defender%20AV%20with%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1387560%22%20slang%3D%22en-US%22%3EJoe%2C%20Thanks%20for%20your%20reply.%20I%20think%20we%20are%20going%20to%20go%20ahead%20and%20not%20have%20scheduled%20scans%20in%20place.%20I'm%20not%20sure%20if%20you%20know%20the%20answer%20to%20this%20question%20or%20not%20but%20I'm%20using%20this%20documentation%20when%20working%20on%20our%20Anti-Malware%20policy%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fuse-group-policy-windows-defender-antivirus%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fuse-group-policy-windows-defender-antivirus%3C%2FA%3E%20What%20I'm%20trying%20to%20find%20the%20answer%20to%20is%20why%20the%20settings%20under%20the%20Reporting%2C%20Network%20Inspection%2C%20and%20Root%20section%20of%20the%20Windows%20Defender%20Antivirus%20are%20being%20marked%20as%20Not%20Used%3F%20Are%20these%20settings%20not%20supported%20anymore%3F%20An%20example%20would%20be%20%22Configure%20Watson%20Events%22%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1389924%22%20slang%3D%22en-US%22%3ERe%3A%20Scheduled%20Scans%20with%20Defender%20AV%20with%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1389924%22%20slang%3D%22en-US%22%3EGreat%20question%2C%20I%20will%20research%20this%20and%20get%20back%20to%20you.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1393071%22%20slang%3D%22en-US%22%3ERe%3A%20Scheduled%20Scans%20with%20Defender%20AV%20with%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1393071%22%20slang%3D%22en-US%22%3EAccording%20to%20the%20MSFT%20Documentation%20team%2C%20(I%20opened%20a%20ticket%20in%20Github%20to%20confirm)%2C%20it%20means%20the%20documentation%20article%20has%20not%20yet%20been%20created.%20Notice%20how%20all%20the%20other%20items%20have%20articles%20in%20that%20same%20column.%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Good afternoon.  I'm working on migrating our company over to Microsoft Defender AV with Defender ATP as ATP is included in our E5 license.  Is there any guidance regarding running scheduled AV scans with Defender Antivirus when making use of Defender ATP?

 

Is there any need to run scheduled scans with Defender Antivirus or does Defender ATP cover that aspect?

 

I have been looking online and reading through some other post but have not found anything definite regarding is scheduled quick or full scans with Defender Antivirus are recommend to supplement the protection provided by ATP so any assistance with this would be appreciated.  Thank you.

3 Replies
Highlighted
Scheduled scans are all but obsolete now that most good malware is polymorphic and obfuscates itself to evade traditional virus definitions. If real-time protection is enabled, then in theory a scheduled scan shouldn't be needed other than upon first installation to verify the prior disk contents (because real-time protection will scan all new added content).
So a weekly scan is probably fine but I wouldn't recommend daily - the risk/reward ratio just isn't there when you consider the CPU overhead costs of scans. This is just my opinion.
Here is where you can find those settings using GPO, PowerShell, Intune or MEM
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/confi...
Highlighted
Joe, Thanks for your reply. I think we are going to go ahead and not have scheduled scans in place. I'm not sure if you know the answer to this question or not but I'm using this documentation when working on our Anti-Malware policy https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/use-g... What I'm trying to find the answer to is why the settings under the Reporting, Network Inspection, and Root section of the Windows Defender Antivirus are being marked as Not Used? Are these settings not supported anymore? An example would be "Configure Watson Events"
Highlighted
According to the MSFT Documentation team, (I opened a ticket in Github to confirm), it means the documentation article has not yet been created. Notice how all the other items have articles in that same column.