TEAM: Huntress Managed Endpoint Detection and Response (EDR)
PRODUCT: Managed Defender
ENVIRONMENT: Windows
The Managed Antivirus Endpoint Overview page shows antivirus products that are discovered on the endpoint. Huntress uses two pieces of information to detect antivirus on the endpoint:
- Microsoft Defender Security Center antivirus registration
- Discovery of running services on the endpoint
Security Center Status
Huntress queries Microsoft Defender Security Center on the endpoint to identify if there is an AV solution that has registered to the endpoint.
By default, Microsoft Defender Antivirus is enabled on every Windows endpoint that supports it. In most cases, when an additional AV product is installed on the endpoint, Microsoft Defender goes into Disabled mode. The Security Center Status therefore makes it easy to identify whether another AV product is the reason Microsoft Defender has been disabled.
NOTE: Security Center Status is not relevant to Windows Server operating systems.
The Security Center Status will indicate what other AV products have registered to Security Center along with their current state:
- Enabled: The antivirus product is currently registered and acting as the antivirus solution on the endpoint.
- Disabled: The antivirus product is registered but is not acting as the antivirus solution on the endpoint.
- Missing: The antivirus product is registered and enabled, however Huntress cannot validate the files for the AV solution on the endpoint.
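The Security Center query described above can be reproduced from an administrative PowerShell prompt on a client SKU. The following script is an added example, not Huntress code or a Huntress API: it reads the AntiVirusProduct registrations from the root\SecurityCenter2 WMI namespace, decodes each product's packed productState value into the Enabled/Disabled buckets above, and checks whether the registered product binary exists on disk (the situation the Missing state describes). The productState decoding (middle byte, bit 0x10 = real-time protection on) is the widely used community convention rather than a documented Microsoft contract, and is labelled as an assumption in the code.

```powershell
# Added example (not Huntress's own code): enumerate Security Center AV registrations.
# Assumption: productState decoding follows the common community convention; the
# Enabled/Disabled/Missing labels mirror the states described in the article.

function Get-SecurityCenterAvStatus {
    [CmdletBinding()]
    param()

    try {
        # root\SecurityCenter2 exists only on client editions; Windows Server has no
        # Security Center, so the query fails there and we fall back to an empty result.
        $products = Get-CimInstance -Namespace 'root\SecurityCenter2' `
                                    -ClassName 'AntiVirusProduct' -ErrorAction Stop
    }
    catch {
        Write-Warning "Security Center is not available on this host (expected on Windows Server): $($_.Exception.Message)"
        return @()
    }

    foreach ($p in $products) {
        # productState is a packed 32-bit integer; render as six hex digits "TTSSUU"
        # where TT = product type, SS = protection state, UU = signature state.
        $hex       = '{0:X6}' -f [int]$p.productState
        $stateByte = [Convert]::ToInt32($hex.Substring(2, 2), 16)
        $sigByte   = [Convert]::ToInt32($hex.Substring(4, 2), 16)

        # Assumption: bit 0x10 of the state byte means real-time protection is on.
        $enabled    = ($stateByte -band 0x10) -ne 0
        # Assumption: signature byte 0x00 = up to date, 0x10 = out of date.
        $sigCurrent = ($sigByte -band 0x10) -eq 0

        # Validate that the registered executable is really present. Defender registers
        # a URI ("windowsdefender://") rather than a file path, so skip non-file values.
        $exePath   = [string]$p.pathToSignedProductExe
        $exeOnDisk = $false
        if ($exePath -and ($exePath -notmatch '://')) {
            $exeOnDisk = Test-Path -LiteralPath $exePath -ErrorAction SilentlyContinue
        }
        elseif ($exePath -match '://') {
            $exeOnDisk = $true   # URI-registered product: file check not applicable
        }

        $status = if (-not $enabled)     { 'Disabled' }
                  elseif (-not $exeOnDisk) { 'Missing'  }   # registered + enabled, files not found
                  else                     { 'Enabled'  }

        [pscustomobject]@{
            DisplayName       = $p.displayName
            ProductState      = $hex
            Status            = $status
            SignaturesCurrent = $sigCurrent
            ProductExe        = $exePath
            LastUpdated       = $p.timestamp
        }
    }
}

Get-SecurityCenterAvStatus | Format-Table -AutoSize
```

Run it on a workstation where Defender shows as Disabled and the second product listed with Status Enabled is normally the registration that displaced it; on Windows Server the warning branch fires and the Service Status check described later in this article is the only source available.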
For more information on Microsoft Defender compatibility with other AV products:
Service Status
In addition to the Security Center Status, Huntress checks whether the service associated with each detected antivirus product is running on the endpoint. This both validates what was discovered on the endpoint and identifies the current state of the antivirus product.
This status will indicate if the identified antivirus is:
- Running: The service associated with the detected AV is found and running.
- Stopped: The service associated with the detected AV is found but stopped.
- Not Found: There is no associated service found with the detected AV.
This is particularly helpful where Security Center does not exist or cannot be queried on the endpoint, such as on Windows Server operating systems. It also provides a second, independent data point for validating what Security Center returns.
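The Running/Stopped/Not Found classification above can be reproduced with a short service check that works on both client and server editions. The script below is an added example, not Huntress code: it takes a product-to-service-name lookup table, queries each service, validates the binary path recorded in the service definition, and emits one of the three states the article lists. The lookup table is constructed for illustration; WinDefend is the real Microsoft Defender Antivirus service name, but the second entry is a labelled placeholder and real entries must come from each vendor's documentation.

```powershell
# Added example (not Huntress's own code): classify AV services as Running/Stopped/Not Found.
# Constructed lookup table: product display name -> expected Windows service name(s).
$KnownAvServices = @{
    'Microsoft Defender Antivirus'    = @('WinDefend')
    'Example Vendor AV (placeholder)' = @('ExampleAvSvc')   # placeholder, not a real service
}

function Get-AvServiceStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [hashtable]$ServiceMap
    )

    foreach ($product in $ServiceMap.Keys) {
        foreach ($svcName in $ServiceMap[$product]) {
            # Get-Service raises a non-terminating error for unknown names; suppress it
            # and treat a $null result as "Not Found".
            $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue

            # The article's three buckets: anything present but not Running counts as Stopped
            # (this deliberately folds StartPending/StopPending into Stopped).
            $status = if ($null -eq $svc)                { 'Not Found' }
                      elseif ($svc.Status -eq 'Running') { 'Running'   }
                      else                               { 'Stopped'   }

            # Validate the discovered service against its on-disk binary via Win32_Service.
            $binary   = $null
            $binaryOk = $false
            if ($null -ne $svc) {
                $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'" -ErrorAction SilentlyContinue
                if ($cim -and $cim.PathName) {
                    # PathName may be quoted and carry arguments; keep the executable only.
                    $binary = if ($cim.PathName -match '^"([^"]+)"') { $Matches[1] }
                              else { ($cim.PathName -split '\s+')[0] }
                    $binaryOk = Test-Path -LiteralPath $binary -ErrorAction SilentlyContinue
                }
            }

            [pscustomobject]@{
                Product       = $product
                Service       = $svcName
                ServiceStatus = $status
                StartType     = if ($svc) { $svc.StartType } else { $null }
                Binary        = $binary
                BinaryOnDisk  = $binaryOk
            }
        }
    }
}

Get-AvServiceStatus -ServiceMap $KnownAvServices | Format-Table -AutoSize
```

When both sources are available, a product that Security Center reports as Enabled while its service shows Stopped or Not Found is the discrepancy worth investigating first, since that is exactly the cross-check the Service Status is meant to provide.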