This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Intercept X not being recognized as primary AV - Win Defender not in passive mode.

In Server 2022, it looks like Windows Defender is not recognising that Sophos Endpoint is installed.

AMRunningMode should be reporting SxS Passive Mode

I've checked this on multiple servers and all report the same.

Sophos is fully up-to-date, all Windows patches have been run in, and a reboot of the server performed.

learn.microsoft.com/.../microsoft-defender-antivirus-windows



This thread was automatically locked due to age.
Parents
  • Further to this, uninstalling Defender is not possible as SQL Server pretty much grinds to a halt without Defender installed for some bizarre reason that's not obvious to me.

    Not sure why Defender doesn't acknowledge the existence of Sophos - perhaps Sophos doesn't comply with Microsoft standards. I've installed another couple of AV products and they are all recongised just fine.

  • You should try disabling, rather than uninstalling, Defender. As Microsoft says in its documentation: 

    Windows Server and passive mode

    On Windows Server 2016, Windows Server 2012 R2, Windows Server version 1803 or newer, Windows Server 2019, and Windows Server 2022, if you're using a non-Microsoft antivirus product on an endpoint that isn't onboarded to Microsoft Defender for Endpoint, disable/uninstall Microsoft Defender Antivirus manually to prevent problems caused by having multiple antivirus products installed on a server.

    You can disable Defender locally on the server via the GUI, or via a Group Policy.

Reply
  • You should try disabling, rather than uninstalling, Defender. As Microsoft says in its documentation: 

    Windows Server and passive mode

    On Windows Server 2016, Windows Server 2012 R2, Windows Server version 1803 or newer, Windows Server 2019, and Windows Server 2022, if you're using a non-Microsoft antivirus product on an endpoint that isn't onboarded to Microsoft Defender for Endpoint, disable/uninstall Microsoft Defender Antivirus manually to prevent problems caused by having multiple antivirus products installed on a server.

    You can disable Defender locally on the server via the GUI, or via a Group Policy.

Children