Applies to Windows Agent version 10.0.x
Article No: 20301134757911
Antivirus
Problem
Some customers have found that even after setting exclusions in the primary antivirus solution, Microsoft Windows Defender, provided with the Windows OS, may still run in the background, interfering with agent installation or installed files.
For example, one customer using SentinelOne found that Windows Defender was logging detections and blocking or removing files with no indication that action was taken. There was no notification, yet files were compromised.
Other customers may be relying on Microsoft's EDR capabilities in addition to another antivirus solution. In this case, if there are no exclusions or group policy control over Microsoft Defender, it will disable the Windows Agent.
Is Microsoft removing agent files?
To find out if Microsoft is interfering with deployment, check the Windows Defender operational log at an endpoint device where you attempted to install.
- Use Windows Search to find and open Event Viewer.
- In the left column, expand Applications and Services logs.
- Open Microsoft | Windows and find and expand Windows Defender.
- Select and review the Windows Defender Operational log.
In the middle column of the Event Viewer, look for any threats blocked from running that may be an agent file.
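The same check can be scripted instead of browsing Event Viewer. The following is an added example, not the provided exclusions script: it reads the Windows Defender Operational log for detection (1116) and action-taken (1117) events and keeps those that mention the agent folder. The folder path and the seven-day window are assumptions to adjust.

```powershell
# Added example. $AgentPath is a placeholder (assumption): set it to the
# folder the Windows Agent installs to on this endpoint.
$AgentPath = 'C:\Program Files\ExampleAgent'
$Since     = (Get-Date).AddDays(-7)   # assumed look-back window

# Defender Operational log: 1116 = threat detected, 1117 = action taken.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117
    StartTime = $Since
}

# Get-WinEvent raises an error when nothing matches, so suppress it.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Read the named fields from the event XML (the Details tab in Event Viewer).
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = [string]$d.'#text' }

    # Keep the event if any field references the agent folder (case-insensitive).
    $match = $data.Values | Where-Object {
        $_.IndexOf($AgentPath, [StringComparison]::OrdinalIgnoreCase) -ge 0
    }
    if ($match) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Threat      = $data['Threat Name']
            Action      = $data['Action Name']
            Path        = $data['Path']
        }
    }
}

if ($hits) {
    $hits | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No Defender detections referencing $AgentPath since $Since."
}
```

Run it from an elevated PowerShell session on the endpoint where the installation was attempted.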
Solution
Add exclusions to Windows Defender.
Add exclusions via a Microsoft Security Group Policy or by running our provided script, Microsoft Defender Exclusions via PowerShell, at each Windows endpoint. Our exclusion methods have been tested and found to work successfully (until Windows is updated or there is another system change).
Or, completely disable Windows Defender.
If Microsoft is still detecting the agent after setting exclusions:
- In your Group Policy, enable "Turn off Microsoft Defender Antivirus":
  Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection.
- Turn off Real-Time Protection. (If turned off locally, this setting turns on automatically whenever the computer restarts.)
- Turn off Tamper Protection. (This setting stays off if turned off locally.)
Updated: 02/9/2024