What actually throws a "Real Time Detection Disabled" high alert?

Sometimes in the morning when I come in to the office I notice I have "Real Time Detection Disabled" alerts.  The thing that bothers me is that the users and machines this is happening to/on do not have the rights to disable the protection service.  By the time I actually get to checking out the machines, the services are usually back up and running. 


Anyone have any words of wisdom here?