Endpoint Standard: Windows Defender still running with 'Use Windows Security Center' enabled in Policy

Environment

  • Endpoint Standard Sensor: v2.1.0.11 and Higher
  • Microsoft Windows: Windows Vista and Higher

Symptoms

  • Endpoint performance hit after either 1) upgrading Sensor or 2) upgrading OS
  • Windows Security Center (WSC) shows both Endpoint Standard and Defender as running
  • Carbon Black Cloud Policy has "Use Windows Security Center" enabled

Cause

Group Policy can prevent anyone from stopping Defender through WSC integration. This happens when the setting below is set to Disabled.
Location of setting:
Computer Configuration -> Administrative Templates -> Windows Components -> Microsoft Defender Antivirus -> Turn off Microsoft Defender Antivirus
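
A read-only check for the condition described under Cause, as an added example that is not part of the original article or Carbon Black tooling. It assumes the policy is stored as the DisableAntiSpyware value under the Defender policy registry key (Microsoft's ADMX mapping) and that the root/SecurityCenter2 WMI namespace is available, which is the case on client editions of Windows only.

```powershell
# Added diagnostic example (not Carbon Black tooling). Read-only: changes nothing.
# Assumption: the "Turn off Microsoft Defender Antivirus" policy is stored as the
# DisableAntiSpyware DWORD under the Defender policy key (Microsoft's ADMX mapping).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$valueName = 'DisableAntiSpyware'

function Get-DefenderTurnOffPolicyState {
    # Absent value = Not Configured, 1 = Enabled, 0 = Disabled.
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not Configured' }
    switch ([int]$item.$valueName) {
        1       { 'Enabled' }
        0       { 'Disabled' }
        default { "Unexpected value: $($item.$valueName)" }
    }
}

$state = Get-DefenderTurnOffPolicyState
"Turn off Microsoft Defender Antivirus: $state"

# Defender's own view of whether it is active (cmdlet from the Defender module).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    "Defender AntivirusEnabled: $($mp.AntivirusEnabled)  RealTimeProtectionEnabled: $($mp.RealTimeProtectionEnabled)"
}

# Products registered with Windows Security Center.
$products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
$products | ForEach-Object { "WSC registered AV: $($_.displayName) (productState=$($_.productState))" }

# Flag the combination this article describes.
if ($state -eq 'Disabled' -and $mp.AntivirusEnabled -and @($products).Count -gt 1) {
    'Matches this article: the policy is set to Disabled and Defender is still running beside another registered AV product.'
}
```

Run it in an elevated PowerShell session on the affected endpoint. A domain GPO refresh can rewrite the policy value, so re-check after `gpupdate /force`.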

Resolution

To allow WSC integration to disable Windows Defender
  • Edit Group Policy so that Computer Configuration-> Administrative Templates-> Windows Components-> Microsoft Defender Antivirus-> Turn off Microsoft Defender Antivirus is set to Enabled or Not Configured

To keep Windows Defender and Endpoint Standard running together
  • Add Permissions rules or Exclusions for both Defender and Endpoint Standard so that the two products do not scan one another, which improves performance

Additional Notes

  • If the desire is to keep Windows Defender and Endpoint Standard (or any other AV) running on the same endpoint at the same time, it is recommended to have exclusions in each product for the other, to prevent the two from interfering with one another
  • Keeping both security products active without adding exclusions has a performance impact, because each product scans the behavior of the other while it is also scanning

Article Information
Creation Date: 03-08-2021