Update 2/8/22: We're actively investigating some problems introduced in Windows Defender Antimalware version 4.18.2201+ where Managed Antivirus is not working as expected.
The Managed Antivirus Host Overview page shows antivirus products that are discovered on the host. Huntress uses two pieces of information to detect antivirus on the host:
- Microsoft Defender Security Center antivirus registration
- Discovery of running services on the host
Security Center Status
Huntress queries Microsoft Defender Security Center on the host to identify if there is an AV solution that has registered to the host.
By default, Microsoft Defender Antivirus is enabled for all Windows machines that support Microsoft Defender Antivirus. In most cases, when an additional AV product is installed on the machine, Defender goes into a Disabled mode. Having the the Security Center Status is very helpful to identify if another AV is a reason for why Defender has been disabled.
NOTE: Security Center Status is not relevant to Windows Server operating systems
The Security Center Status will indicate what other AV products have registered to Security Center along with their current state:
- Enabled: The antivirus product is currently registered and acting as the antivirus solution on the host
- Disabled: The antivirus product is registered but is not acting as the antivirus solution on the host
- Missing: The antivirus product is registered and enabled, however Huntress cannot validate the files for the AV solution on the machine.
For more information on Microsoft Defender compatibility with other AV products:
In addition to the Security Center Status, Huntress detects antivirus products that exist on the endpoint to see if they are running. This is used to validate what is discovered on the machine in addition to identifying the state of the antivirus product.
This status will indicate if the identified antivirus is:
- Running: The service associated with the detected AV is found and running
- Stopped: The service associated with the detected AV is found but stopped
- Not Found: There is no associated service found with the detected AV
This is particularly helpful in cases where Security Center does not exist or cannot be queried on the machine, such as with Windows Server operating systems. In addition, it provides an additional set of information to validate what is being returned by Security Center.