5

On Windows 10 1909 Enterprise, I have a process "Antimalware Service Executable", within which runs the service "Windows Defender Antivirus Service", which takes 115 MB of memory.

However, in group policy, under "Windows Defender Antivirus", I have "Turn off Windows Defender Antivirus" enabled, whose help text says:

> This policy setting turns off Windows Defender Antivirus.
>
> If you enable this policy setting, Windows Defender Antivirus does not run, and will not scan computers for malware or other potentially unwanted software.

I also have "Turn off real-time protection" enabled (but this should not change anything, since the above-mentioned parameter was turned off).

If I remember correctly, the process was not running in 1809 with this policy. How can I disable the process in the end? Is this a bug?

Soleil
  • A decent, name brand anti virus will turn off Windows Defender to allow Defender to co-exist with the third party AV. Otherwise Windows Defender should be allowed to run. – John Dec 26 '19 at 13:48
  • @John I'm not looking for a workaround. Group policy is used to and is supposed to work (switch off AV). – Soleil Dec 26 '19 at 18:34
  • Windows Defender will keep itself ON unless another AV takes its place. That is what we see here on our machines. – John Dec 26 '19 at 18:37
  • @John Your statement contradicts Windows' group policy help and my previous observations. Do you have any reference for your claim? – Soleil Dec 26 '19 at 21:09
  • Try setting `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1` – HackSlash Dec 26 '19 at 21:41
  • Does this answer your question? [Disable Windows Defender in Windows 10](https://superuser.com/questions/947873/disable-windows-defender-in-windows-10) – HackSlash Dec 26 '19 at 21:49
  • The "DisableAntiSpyware" key is part of one of the solutions, but if I add it, it is removed by Windows (the dword is deleted), and the AV is still running. – Soleil Dec 26 '19 at 23:20
  • @Soleil-MathieuPrévot: it seems to depend on whether you run on real hardware or a VM. Apparently MS will let you turn off the AV on a VM but not on bare metal, even in 1**8**09 with recent iterations of their AV: https://superuser.com/questions/1575029/windows-defender-re-enables-itself-by-deleting-disableantispyware-key-on-real-ha All of this is poorly documented, as is usual for MS. https://youtu.be/qbKGw8MQ0i8?t=1610 – Fizz Aug 04 '20 at 19:58

2 Answers

2

The correct action is to disable Tamper Protection in Windows Security / Virus & threat protection settings. Even without the key `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1`, setting the group policy "Turn off Windows Defender Antivirus" to Enabled will have effect.

Registry keys should be used as a last option.

Soleil
  • Yeah, MS documents that. But that doesn't always seem to work. https://superuser.com/questions/1575029/windows-defender-re-enables-itself-by-deleting-disableantispyware-key-on-real-ha – Fizz Aug 04 '20 at 20:04
1

Another method. Go to Settings, Security, Virus & threat protection, Manage settings, Tamper protection. Set to Off. Then add this:

```
Windows Registry Editor Version 5.00

; Policy value that turns off real-time monitoring
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
```
Zombo
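A read-only check of the situation discussed in the question and both answers, added here as an example and not part of either answer: it compares the two policy values named on this page with the state Defender itself reports. It assumes the Defender PowerShell module (`Get-MpComputerStatus`) is present and that the build exposes `IsTamperProtected`; `Get-PolicyValue` is a hypothetical helper name.

```powershell
# Added example: audits configured policy versus effective Defender state. Changes nothing.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (for example, after Windows removed it).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$disableAS = Get-PolicyValue $policyRoot 'DisableAntiSpyware'
$disableRT = Get-PolicyValue "$policyRoot\Real-Time Protection" 'DisableRealtimeMonitoring'

# Both calls can fail when the service is stopped or missing; treat that as a result.
$status  = Get-MpComputerStatus -ErrorAction SilentlyContinue
$service = Get-Service -Name WinDefend -ErrorAction SilentlyContinue

[pscustomobject]@{
    PolicyDisableAntiSpyware        = $disableAS
    PolicyDisableRealtimeMonitoring = $disableRT
    ServiceStatus                   = if ($service) { $service.Status } else { 'NotFound' }
    AntivirusEnabled                = $status.AntivirusEnabled
    RealTimeProtectionEnabled       = $status.RealTimeProtectionEnabled
    IsTamperProtected               = $status.IsTamperProtected
} | Format-List

# The mismatch from the question: policy asks for "off", engine still reports "on".
if ($disableAS -eq 1 -and $status.AntivirusEnabled) {
    Write-Warning 'Policy requests Defender off, but the engine reports enabled.'
    if ($status.IsTamperProtected) {
        Write-Warning 'Tamper Protection is on.'
    }
}

# The opposite case matters on machines where Defender is expected to run.
if (($disableAS -eq 1 -or $disableRT -eq 1) -and -not $status.AntivirusEnabled) {
    Write-Warning 'A disable policy is set and the engine reports disabled. Confirm this is intended.'
}
```

A `$null` policy value in the output means the value is not present in the registry at the time of the check, which is what the comment about Windows deleting the dword would look like.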