Managed Microsoft Defender Antivirus (Beta)

This article will receive updates throughout the Beta process. Please refer back to this doc for the latest information. If you have a question or suggestion that isn't answered in this article, feel free to contact Support at support@huntress.io.

The Managed Microsoft Defender Antivirus feature utilizes the Microsoft Defender Antivirus (Non-ATP Microsoft Defender) that is built into Windows 10 (and Server 2016+) and does not require additional licensing. Microsoft Defender is consistently ranked as a top product for protection, performance, and security by AV-Test. Additionally, cybersecurity experts like Tavis Ormandy (Google Project Zero), Robert O'Callahan (Ex-Mozilla Engineer), Justin Schuh (Google Chrome Team, Former NSA/CIA), and a poll of 3,500+ individuals continue to highlight how the Non-ATP Defender produces solid results while introducing very little additional attack surface, unlike many 3rd party antivirus products.

Huntress will not charge extra for Managed Antivirus.

Managed Microsoft Defender Antivirus Beta is still in its early development stages. Currently, Huntress runs in "audit mode", meaning that we are not making any configuration changes to endpoints. There is currently no risk in enabling Managed Defender, as we are not making any changes. However, if you are enabling Microsoft Defender for the first time, please keep in mind that we cannot set or maintain an exclusions list. If you have an issue, please email Support at support@huntress.io.

Since this is a beta, we are constantly fixing bugs. We are tracking bug reports but cannot respond to all of them. Please check the FAQ section at the bottom to see if your issue is listed before contacting Support.

Supported Operating Systems

Managed Microsoft Defender Antivirus officially supports only Windows 8.1 and up (all versions of 10).

Supported Server OSes include Windows Server 2016 and Server 2019.

Interface

You can view the Managed AV interface by pressing the AV icon on the left side of your dashboard.

  • Enabled - All systems go, everything is working properly.
  • Disabled - Microsoft Defender is disabled. This is usually because another AV was installed and Microsoft Defender disabled itself.
  • Unsupported Operating System - The device has an OS that's not supported by Microsoft Defender (such as Windows 7 and Server 2008).
  • Unknown - The host either doesn't have an Agent compatible with Managed Defender (0.11.53+) or the Agent has not yet sent in its first survey.

Drilling down into an individual Agent jumps you straight into the "Antivirus" tab for the Agent.

Creating exclusions

Click the "gear" icon under the Microsoft Defender box and you will be presented with a place to create exclusions:

  • Path exclusions - type out the path you want to exclude (e.g. C:\ProgramName\Databasefolder)
  • Extension exclusions - type the extension name of extensions you'd like to exclude from scanning (e.g. .txt, .docx, etc. <-- don't exclude these)
  • Process exclusions - type the full path of programs you'd like to exclude (e.g. C:\tester.exe)

For more information on Path/Extension exclusions, please see https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus
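
Because exclusions are blind spots for the scanner, it helps to review what is already excluded on an endpoint before adding more. The following is an added example, not Huntress code: it reads the local exclusions with Get-MpPreference and flags entries worth a second look. The "risky" extension list, the broad-path pattern and the Test-DefenderExclusion helper are assumptions made for this illustration.

```powershell
# Added example: audit local Defender exclusions (run in an elevated PowerShell).
# The lists below are illustrative assumptions, not a Huntress or Microsoft policy.
$riskyExtensions  = '.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs', '.js', '.docx', '.txt', '.zip'
$broadPathPattern = '^(?:[A-Za-z]:\\?|[A-Za-z]:\\(?:Users|Windows|ProgramData|Temp)\\?)$'

function Test-DefenderExclusion {
    param(
        [Parameter(Mandatory)][ValidateSet('Path', 'Extension', 'Process')][string]$Type,
        [Parameter(Mandatory)][string]$Value
    )
    $reason = $null
    switch ($Type) {
        'Extension' {
            # Normalise "*.docx", "docx" and ".docx" to ".docx" before comparing.
            $ext = '.' + $Value.TrimStart([char[]]'*.').ToLowerInvariant()
            if ($riskyExtensions -contains $ext) { $reason = 'commonly abused file type' }
        }
        'Path' {
            if ($Value -match $broadPathPattern) { $reason = 'very broad location' }
            elseif ($Value -match '[*?]')        { $reason = 'wildcard in path' }
        }
        'Process' {
            # A bare image name excludes every binary with that name, wherever it lives.
            if (-not [System.IO.Path]::IsPathRooted($Value)) { $reason = 'process name without full path' }
        }
    }
    [pscustomobject]@{ Type = $Type; Value = $Value; Review = [bool]$reason; Reason = $reason }
}

$pref = Get-MpPreference
$findings = foreach ($type in 'Path', 'Extension', 'Process') {
    foreach ($value in @($pref."Exclusion$type")) {
        # Non-elevated sessions may return an "N/A: Must be an administrator..." placeholder.
        if ($value -and $value -notlike 'N/A*') {
            Test-DefenderExclusion -Type $type -Value $value
        }
    }
}
$findings | Sort-Object Review -Descending | Format-Table -AutoSize
```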

Want to join our Beta program? Fill out the form below so we can keep you informed.

You will receive an automated email if your Account is approved for the Beta program.

Have a request or a suggestion not Managed AV related?

Visit our Feature Requests / Suggestions Page.

If you need support, please contact Support at support@huntress.io.

FAQ

I uninstalled my existing AV and enabled Defender but it isn't showing in the Huntress Dashboard. We have identified a bug in our code that's causing data to not update properly once a 3rd-party AV is uninstalled and Microsoft Defender is enabled. We are working on this and will update the information here once it's fixed.

Can I force run a scan? Currently, we do not have the ability for you to manually run a scan from the Huntress Dashboard; this would need to be done directly from the PC. This functionality is coming!

The Dashboard shows that Managed Defender is disabled, is something wrong? Managed AV is still in the early stages of development, and we are aware of some issues that cause the UI to not be 100% accurate at times.

Where do the "Signature" versions come from? You can view the full version number of Microsoft Defender's definitions by using Windows Event Viewer and looking for EventID 1151 under Applications and Services > Microsoft > Windows > Windows Defender > Operational. EventID 1151 is Defender's hourly check and gives the long-winded version of everything.

Can I force an update? How do I know if my Microsoft Defender is up-to-date? These are done through Windows Update, and Defender checks for updates every hour, so if your machine is up-to-date, then Microsoft Defender is too.
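
To check signature state on an endpoint without opening Event Viewer, the following added example (not Huntress code) combines Get-MpComputerStatus with the most recent EventID 1151 from the Defender operational log. The three-day staleness threshold, the Get-DefenderSignatureReport name and the wording matched in the event message are assumptions of this example.

```powershell
# Added example: report Defender signature state on the local endpoint.
# Assumption: $maxAge is an example staleness threshold, not a Huntress or Microsoft value.
$maxAge = New-TimeSpan -Days 3

function Get-DefenderSignatureReport {
    $status = Get-MpComputerStatus

    # Latest health report (EventID 1151) from the Defender operational log.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1151
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    # Assumption: the event message carries a line like "AV signature version: 1.2.3.4".
    $loggedVersion = $null
    $loggedTime    = $null
    if ($evt) {
        $loggedTime = $evt.TimeCreated
        if ($evt.Message -match 'AV signature version:\s*([\d.]+)') { $loggedVersion = $Matches[1] }
    }

    # Guard against endpoints that have never received a signature update.
    $ageHours = $null
    $stale    = $true
    if ($status.AntivirusSignatureLastUpdated) {
        $age      = (Get-Date) - $status.AntivirusSignatureLastUpdated
        $ageHours = [math]::Round($age.TotalHours, 1)
        $stale    = $age -gt $maxAge
    }

    [pscustomobject]@{
        AntivirusEnabled     = $status.AntivirusEnabled
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        SignatureAgeHours    = $ageHours
        Stale                = $stale
        Event1151Time        = $loggedTime
        Event1151Version     = $loggedVersion
        VersionsAgree        = ($null -ne $loggedVersion) -and
                               ($loggedVersion -eq $status.AntivirusSignatureVersion)
    }
}

Get-DefenderSignatureReport | Format-List
```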

Will this work with 3rd party AVs? Microsoft Defender disables itself when another AV is installed to prevent conflicts. There are some functions of Microsoft Defender that you can re-enable, but it won't be fully functional. All 3rd party AVs need to be uninstalled for Microsoft Defender to be fully functional.

How can I set scan schedules? Currently, this is not something you can do from the Huntress Dashboard. Scan schedules need to be set on the Endpoint itself. 

Features Coming in the Future

  • The ability to kick off a scan from the Huntress Dashboard (coming very soon!)
  • The ability to create/set inheritable policies at the Account, Organization, and Host levels
  • The ability to configure advanced features such as Attack Surface Reduction
  • The ability to easily track protection and Defender patch status from a dashboard
