https://community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/127837/sophos-and-windows-defender-on-windows-server-2016Greetings to the well of knowledge... I have been rolling out Intercept X to my virtual servers. I notice than when Sophos is actively scanning, the Windows built-in &quot;Anti-malware Service Executable&quot; is also actively doing something. Together, theyen-USTelligent Community 12https://community.sophos.com/thread/468434?ContentTypeID=1Mon, 17 May 2021 19:54:16 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:ce592ab2-d86d-49b5-b4d4-b10feea9b6ceSophos User930<p>Hi,</p> <p>If you run fltmc.exe from an admin prompt, do you see wdfilter in the list of filter drivers loaded?<br /><br />It is my understanding that when Sophos reports into Security Center, Defender should disable itself, evidence of this is in&nbsp;\windows\temp\MpCmdRun.log.</p> <p>For example, the driver and service is set to manual start.</p> <p>-------------------------------------------------------------------------------------<br />MpCmdRun: Command Line: &quot;C:\Program Files\Windows Defender\MpCmdRun.exe&quot; -DisableService<br /> Start Time: &lrm;Sat &lrm;Apr &lrm;17 &lrm;2021 22:53:50</p> <p>MpEnsureProcessMitigationPolicy: hr = 0x1<br />EnableService(0, 3)<br />Stoping WinDefend and setting to SERVICE_DEMAND_START ...<br />Setting WdBoot to SERVICE_DEMAND_START and remove from early launch group...<br />Stopping WdFilter and setting to SERVICE_DEMAND_START ...<br />EnableService(0, 3) - finished.<br />MpCmdRun: End Time: &lrm;Sat &lrm;Apr &lrm;17 &lrm;2021 22:53:53<br />-------------------------------------------------------------------------------------</p> <p><br /><br /><br /></p><div style="clear:both;"></div>