Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 3 subscribers
  • Views 1655 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos and Windows Defender on Windows Server 2016

TILL Incorporated

Greetings to the well of knowledge...

I have been rolling out Intercept X to my virtual servers.  I notice than when Sophos is actively scanning, the Windows built-in "Anti-malware Service Executable" is also actively doing something.  Together, they are spiking my CPU, 90-100%.  Can I do anything to mitigate this as it is preventing my users from accessing an SQL Server instance (timing out).

Thanks,

Ken



This thread was automatically locked due to age.
Parents
  • 0

    Hi,

    If you run fltmc.exe from an admin prompt, do you see wdfilter in the list of filter drivers loaded?

    It is my understanding that when Sophos reports into Security Center, Defender should disable itself, evidence of this is in \windows\temp\MpCmdRun.log.

    For example, the driver and service is set to manual start.

    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: "C:\Program Files\Windows Defender\MpCmdRun.exe" -DisableService
    Start Time: ‎Sat ‎Apr ‎17 ‎2021 22:53:50

    MpEnsureProcessMitigationPolicy: hr = 0x1
    EnableService(0, 3)
    Stoping WinDefend and setting to SERVICE_DEMAND_START ...
    Setting WdBoot to SERVICE_DEMAND_START and remove from early launch group...
    Stopping WdFilter and setting to SERVICE_DEMAND_START ...
    EnableService(0, 3) - finished.
    MpCmdRun: End Time: ‎Sat ‎Apr ‎17 ‎2021 22:53:53
    -------------------------------------------------------------------------------------




Reply
  • 0

    Hi,

    If you run fltmc.exe from an admin prompt, do you see wdfilter in the list of filter drivers loaded?

    It is my understanding that when Sophos reports into Security Center, Defender should disable itself, evidence of this is in \windows\temp\MpCmdRun.log.

    For example, the driver and service is set to manual start.

    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: "C:\Program Files\Windows Defender\MpCmdRun.exe" -DisableService
    Start Time: ‎Sat ‎Apr ‎17 ‎2021 22:53:50

    MpEnsureProcessMitigationPolicy: hr = 0x1
    EnableService(0, 3)
    Stoping WinDefend and setting to SERVICE_DEMAND_START ...
    Setting WdBoot to SERVICE_DEMAND_START and remove from early launch group...
    Stopping WdFilter and setting to SERVICE_DEMAND_START ...
    EnableService(0, 3) - finished.
    MpCmdRun: End Time: ‎Sat ‎Apr ‎17 ‎2021 22:53:53
    -------------------------------------------------------------------------------------




Children
No Data
Unfiltered HTML