neurotoxic
Copper Contributor
Feb 13, 2022

Disabling MDE Antivirus and AntiSpam

 

Microsoft Defender for Endpoint question: Target Windows 10 workstations.

Since an organization already has a mature AV and AS (TrendMicro) deployed on all workstations, and wants to activate Defender for Endpoint, how and where to disable ONLY AV and AntiSpam feature? Trying to not have two different providers create havoc interfering with each other's functioning.

 

Thanks,

  • Jonhed
    Steel Contributor

    MDE is reliant on Defender Antivirus in order to gather info etc on Windows 10, so Defender antivirus will start running in passive mode in the background, once you activate MDE.

    Since attack surface reduction rules, controlled folder access and other advanced protection features are all reliant on MDAV running in active mode (realtime scan), you will not be able to use most of those, but you can still use the EDR block mode of MDE.

    (So, you will not just be disabling realtime AV and AS, but also some other functionality)

    MDAV will start up in passive mode automatically when detecting Trend Micro is installed, so no particular settings are required in that sense, but you will need to make sure MDAV is not completely disabled in GPOs etc.

    I have seen an environment where MDAV actually ran in active mode with realtime scan enabled despite there being a third-party AV installed though, so you should test this out on one of your devices.

    https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide
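
The two checks the reply recommends (that MDAV has not been switched off outright by policy, and which mode it actually runs in next to the third-party AV), as an added PowerShell example that is not part of the original posts. It assumes an elevated session on a Windows 10 test device and treats any Security Center entry without "Defender" in its name as third-party.

```powershell
# Added example (not from the thread). Run elevated on a Windows 10 test device.
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue

# AV products registered with Windows Security Center (client SKUs only).
$registered = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
        -ErrorAction SilentlyContinue | Select-Object -ExpandProperty displayName)
# Assumption: any registered product without "Defender" in its name is third-party.
$thirdParty = @($registered | Where-Object { $_ -notmatch 'Defender' })

# Policy value that switches Defender Antivirus off entirely (often left by old GPOs).
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
    -ErrorAction SilentlyContinue

# "Sense" is the Defender for Endpoint sensor service.
$sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue

# Summary of the values that matter for coexistence.
[pscustomobject]@{
    ComputerName              = $env:COMPUTERNAME
    ThirdPartyAv              = $thirdParty -join '; '
    AMRunningMode             = $status.AMRunningMode
    AMServiceEnabled          = $status.AMServiceEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    PolicyDisableAntiSpyware  = $policy.DisableAntiSpyware
    SenseServiceStatus        = $sense.Status
} | Format-List

if (-not $status) {
    Write-Warning 'Get-MpComputerStatus returned no data: Defender Antivirus may be disabled or removed.'
}
if ($policy.DisableAntiSpyware -eq 1) {
    Write-Warning 'DisableAntiSpyware policy is set: review GPOs that turn Defender Antivirus off.'
}
# AMRunningMode "Normal" means active mode, the case the reply says to test for.
if ($thirdParty.Count -gt 0 -and $status.AMRunningMode -eq 'Normal') {
    Write-Warning 'Defender Antivirus is in active mode although a third-party AV is registered.'
}
if (-not $sense -or $sense.Status -ne 'Running') {
    Write-Warning 'Sense service is not running: the device may not be onboarded to MDE.'
}
```

No warnings and an `AMRunningMode` other than `Normal` is the expected outcome on a device where the third-party AV is the active provider.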
