Coexistence of Deep Security Agent with Microsoft Defender Antivirus
Microsoft Defender Antivirus is automatically installed on Microsoft Windows Server 2016 and later, as well as Windows 10 and later. Deep Security Agent (DSA) can coexist with Microsoft Defender Antivirus in its passive mode, for all operating system levels protected by Trend Micro Deep Security. The following are compatible versions of Microsoft Defender Antivirus, Windows Server and desktop, as well as of DSA:
- Microsoft Defender Antivirus product and engine versions:
  - AMProductVersion: 4.18.2202.4
  - AMEngineVersion: 1.1.18900.3

  Currently, these are the only versions that Trend Micro has tested and officially supports. Other versions have not been tested and therefore Trend Micro cannot guarantee compatibility.
- Windows Server and desktop versions:
  - Windows Server 2016 or later
  - Windows 10 x64 RS5 or later

  Windows 10 x86 and Windows 10 Enterprise Virtual Desktop are not supported.
- Deep Security Agent:
  - Deep Security Agent 20.0.0-4416 (20 LTS Update 2022-04-28) or later
When you install Deep Security with anti-malware enabled on a Windows 10 or Windows 11 desktop, Microsoft Defender Antivirus is automatically set to passive mode. For Windows Server, you need to re-enable the Anti-Malware policy so Microsoft Defender Antivirus enters passive mode.
Note the following:
- If you disable DSA anti-malware, either by deactivating or uninstalling it, you remove both the DisableAntiSpyware and ForceDefenderPassiveMode registry keys in Microsoft Defender Antivirus:
  - The DisableAntiSpyware registry key specifies whether or not to disable Microsoft Defender Antivirus. By removing DisableAntiSpyware, you remove the disable key and enable Microsoft Defender Antivirus. You may have to manually enable Microsoft Defender Antivirus to ensure it is in active mode.
  - The ForceDefenderPassiveMode registry key sets Microsoft Defender Antivirus to passive mode. By removing the key, Microsoft Defender Antivirus is set to active mode.
- When you enable Deep Security Agent anti-malware on a Windows Server, the Windows Security virus and threat protection service may display the message "No active antivirus provider. Your device is vulnerable". Trend Micro tested this case and confirmed that this message appears when Microsoft Defender Antivirus is disabled. This is a Windows Server behavior (as opposed to a Deep Security behavior).
- There is a confirmed performance impact when both Microsoft Defender Antivirus and Deep Security Agent Anti-Malware are enabled.
Microsoft Defender Antivirus application files for exclusion list for DSA
If Microsoft Defender Antivirus cannot switch to passive mode, you must add Microsoft Defender Antivirus for Endpoint to the exclusion list for DSA. For more information, see Make the switch from non-Microsoft endpoint protection to Microsoft Defender Antivirus for Endpoint.
The following are locations of Microsoft Defender Antivirus executable files:
- %Program Files%\Windows Defender\
- %ProgramData%\Microsoft\Windows Defender\Platform\4.18.2201.10-0*\
Note that the platform version number might be different in your environment. Refer to Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware for version information and latest security intelligence updates.
DSA folders and processes for Microsoft Defender Antivirus exclusion list
You need to add the Deep Security Agent folders and processes to your Microsoft Defender Antivirus exclusion list.
Folder:
- C:\Program Files\Trend Micro\AMSP
- C:\Program Files\Trend Micro\Deep Security Agent
Process:
- C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
- C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
- C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe
- C:\Program Files\Trend Micro\Deep Security Agent\Notifier.exe
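
The exclusions above can be applied and verified from an elevated PowerShell session. This is an added example, not a script from Trend Micro; it uses the built-in Defender cmdlets Get-MpPreference, Add-MpPreference and Get-MpComputerStatus, and the helper name Get-MissingExclusion is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not Trend Micro's own script). The paths are the ones listed on this page.
$folders = @(
    'C:\Program Files\Trend Micro\AMSP',
    'C:\Program Files\Trend Micro\Deep Security Agent'
)
$processes = @(
    'C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe',
    'C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe',
    'C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe',
    'C:\Program Files\Trend Micro\Deep Security Agent\Notifier.exe'
)

# Hypothetical helper: returns wanted paths that are not yet excluded and exist on disk.
function Get-MissingExclusion {
    param([string[]]$Wanted, [string[]]$Current)
    foreach ($path in $Wanted) {
        if ($Current -contains $path) { continue }   # already excluded (case-insensitive match)
        if (-not (Test-Path -LiteralPath $path)) {
            # Do not exclude a path that does not exist; report it instead.
            Write-Warning "Skipping $path (not found; is DSA installed in the default location?)"
            continue
        }
        $path
    }
}

$pref = Get-MpPreference
$addFolders   = @(Get-MissingExclusion -Wanted $folders   -Current $pref.ExclusionPath)
$addProcesses = @(Get-MissingExclusion -Wanted $processes -Current $pref.ExclusionProcess)

# Add-MpPreference appends to the existing lists; Set-MpPreference would replace them.
if ($addFolders)   { Add-MpPreference -ExclusionPath    $addFolders }
if ($addProcesses) { Add-MpPreference -ExclusionProcess $addProcesses }

# Report the Defender state next to the versions this page lists as tested.
$status = Get-MpComputerStatus
[pscustomobject]@{
    AMRunningMode     = $status.AMRunningMode       # 'Normal' is active mode; 'Passive Mode' is passive
    AMProductVersion  = $status.AMProductVersion    # tested: 4.18.2202.4
    AMEngineVersion   = $status.AMEngineVersion     # tested: 1.1.18900.3
    IsTamperProtected = $status.IsTamperProtected
    FoldersAdded      = $addFolders -join '; '
    ProcessesAdded    = $addProcesses -join '; '
}
if ($status.AMRunningMode -eq 'Normal') {
    Write-Warning 'Defender is in active mode; running it alongside DSA Anti-Malware has a performance impact.'
}
```

Running it a second time adds nothing, so it can also serve as a periodic check that the exclusions are still in place.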
Tamper protection
Enabling tamper protection in Microsoft Defender Antivirus prevents it from being switched to passive mode. If multiple antivirus products are deployed, it is reasonable to retain only one antimalware component, from a single antivirus product.
For details on the supported environments, see Microsoft Defender Antivirus compatibility with other security products.
Microsoft Defender Antivirus Endpoint Detection and Response (EDR) in block mode for endpoint
Do not enable Microsoft Defender Antivirus' EDR in block mode for endpoint. This recommendation is based on the results of testing that discovered compatibility issues when EDR in block mode is enabled.