
Intercept X not being recognized as primary AV - Win Defender not in passive mode.

In Server 2022, it looks like Windows Defender is not recognising that Sophos Endpoint is installed.

AMRunningMode should be reporting SxS Passive Mode

I've checked this on multiple servers and all report the same.

Sophos is fully up-to-date, all Windows patches have been run in, and a reboot of the server performed.

learn.microsoft.com/.../microsoft-defender-antivirus-windows



  • Further to this, uninstalling Defender is not possible as SQL Server pretty much grinds to a halt without Defender installed for some bizarre reason that's not obvious to me.

    Not sure why Defender doesn't acknowledge the existence of Sophos - perhaps Sophos doesn't comply with Microsoft standards. I've installed another couple of AV products and they are all recognised just fine.

  • You should try disabling, rather than uninstalling, Defender. As Microsoft says in its documentation: 

    Windows Server and passive mode

    On Windows Server 2016, Windows Server 2012 R2, Windows Server version 1803 or newer, Windows Server 2019, and Windows Server 2022, if you're using a non-Microsoft antivirus product on an endpoint that isn't onboarded to Microsoft Defender for Endpoint, disable/uninstall Microsoft Defender Antivirus manually to prevent problems caused by having multiple antivirus products installed on a server.

    You can disable Defender locally on the server via the GUI, or via a Group Policy.
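The two things discussed so far, checking what Defender reports for AMRunningMode and then disabling Defender the way the "Turn off Microsoft Defender Antivirus" Group Policy does, can be done from an elevated PowerShell prompt on the server. The script below is an added example for this thread; it is not code posted by any participant, nor from Sophos or Microsoft. The `-Apply` switch is this script's own convention (report-only without it), and the registry path is the documented location that the Group Policy setting writes to.

```powershell
# Added example (not from the original thread, Sophos or Microsoft).
# Reports Defender's running mode and, with -Apply, sets the same policy value
# that the GPO "Turn off Microsoft Defender Antivirus" sets. Run elevated.
[CmdletBinding()]
param([switch]$Apply)   # -Apply is this script's own switch: without it, report only

function Get-DefenderMode {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        # Expect 'SxS Passive Mode' (or 'Passive Mode') once another AV is primary;
        # 'Normal' means Defender is still scanning alongside the third-party AV.
        AMRunningMode      = $s.AMRunningMode
        AMServiceEnabled   = $s.AMServiceEnabled
        AntivirusEnabled   = $s.AntivirusEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        TamperProtected    = $s.IsTamperProtected   # if True, the policy write below is ignored
    }
}

$before = Get-DefenderMode
$before | Format-List

if ($before.AMRunningMode -match 'Passive') {
    Write-Host "Defender has already yielded to the third-party AV; nothing to do."
    return
}

if (-not $Apply) {
    Write-Warning "Defender is active alongside the third-party AV. Re-run with -Apply to set the 'Turn off Microsoft Defender Antivirus' policy."
    return
}

if ($before.TamperProtected) {
    Write-Warning "Tamper Protection is on; the policy value will be ignored until it is turned off."
}

# Equivalent of GPO: Computer Configuration > Administrative Templates >
# Windows Components > Microsoft Defender Antivirus > Turn off Microsoft Defender Antivirus = Enabled
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'DisableAntiSpyware' -Type DWord -Value 1

Write-Host "Policy set. Defender stops after the WinDefend service restarts or the server reboots; re-run without -Apply to confirm."
```

Run it once without `-Apply` on each server to collect the AMRunningMode values before changing anything. Two caveats: the policy value is only honoured when Tamper Protection is off, which the script checks for, and forcing true passive mode (rather than turning Defender off) is only possible on servers onboarded to Microsoft Defender for Endpoint, which is why the Microsoft text quoted above says disable or uninstall for non-onboarded servers. Deleting the `DisableAntiSpyware` value (or setting the GPO back to Not Configured) restores Defender if it is needed again.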

  • I shouldn't need to do anything, that's my point. I've downloaded other antivirus products, installed them to test and Defender detects them, disables itself and that AV product is listed in managed providers. However it seems that Defender doesn't even acknowledge the existence of Sophos Endpoint, so Sophos clearly isn't complying with standards.

    As Microsoft also says in its documentation:

  • The same article explicitly states that this isn't the case for Server 2022.

  • There is no Security Center service to report to on servers. On endpoints, SEDService.exe communicates with the Security Center service to notify it that there is a new provider in town,

  • For a server platform? This is the case on computers running the Security Center service but it doesn’t exist on server platforms.