Microsoft Defender Antivirus is automatically installed on Microsoft Windows Server
2016 and later, as well as Windows 10 and later. The Deep Security Anti-Malware (AM)
module can support the passive mode of Microsoft Defender Antivirus. However, this
support requires specific versions of both Microsoft Defender Antivirus and Windows
Server and desktop, as well as of Deep Security Agent:
- Microsoft Defender Antivirus product and engine versions:
  - AMProductVersion: 4.18.2202.4
  - AMEngineVersion: 1.1.18900.3

  Currently, these are the only versions that Trend Micro has tested and officially supports. Other versions have not been tested and therefore Trend Micro cannot guarantee compatibility.
- Windows Server and desktop versions:
  - Windows Server 2016 or later.
  - Windows 10 x64 RS5 or later.

  Windows 10 x86 and Windows 10 Enterprise Virtual Desktop are not supported.
- Deep Security Agent:
  - Deep Security Agent 20.0.0-4416 (20 LTS Update 2022-04-28) or later.

When you install Deep Security with Anti-Malware enabled on a Windows 10 or 11 desktop,
Microsoft Defender Antivirus is automatically set to passive mode. On a Windows Server,
you need to re-enable the Anti-Malware policy to let Microsoft Defender Antivirus
enter passive mode.
The following table summarizes these events.

| Platform | Action | Description |
|---|---|---|
| Windows 10 and 11 Desktop | Deep Security with Anti-Malware enabled | Windows automatically sets Microsoft Defender Antivirus to passive mode after Deep Security Agent Anti-Malware is enabled. |
| Windows Server 2016 and later | Re-enable Anti-Malware policy | Deep Security Agent automatically configures Microsoft Defender Antivirus to passive mode. |

If you disable Deep Security Anti-Malware, either by deactivating or uninstalling it,
both the DisableAntiSpyware and ForceDefenderPassiveMode registry keys are removed in Microsoft
Defender Antivirus:
- The DisableAntiSpyware registry key specifies whether or not to disable Microsoft Defender Antivirus. Removing it removes the disable setting, which enables Microsoft Defender Antivirus. You may have to enable Microsoft Defender Antivirus manually to ensure it is in active mode.
- The ForceDefenderPassiveMode registry key sets Microsoft Defender Antivirus to passive mode. By removing the key, Microsoft Defender Antivirus is set to active mode.
When you enable Deep Security Anti-Malware on a Windows Server, the Windows Security
virus and threat protection service may display the "No active antivirus provider.
Your device is vulnerable" message. Trend Micro tested this case and confirmed that
this message appears when Microsoft Defender Antivirus is disabled. This is a Windows
Server behavior, not a Deep Security behavior.
There is a confirmed performance impact when both Microsoft Defender Antivirus and
Deep Security Agent Anti-Malware are enabled. It is therefore recommended to have
Microsoft Defender Antivirus in passive mode. When passive mode is not possible, the
fallback approach is to use exclusion lists, with the understanding that exclusion lists
can mitigate but may not completely eliminate the impact on performance.
Microsoft Defender Antivirus application files for exclusion list for Deep Security Agent
If Microsoft Defender Antivirus cannot switch to passive mode, you must add Microsoft
Defender Antivirus for Endpoint to the exclusion list for Deep Security Agent to mitigate
the impact on performance. For more information, see Make the switch from non-Microsoft endpoint protection to Microsoft Defender for Endpoint.
You can find the Microsoft Defender Antivirus executable files in the following locations:
- %Program Files%\Windows Defender\
- %ProgramData%\Microsoft\Windows Defender\Platform\4.18.2201.10-0*\
Note that the platform version number might be different in your environment. For
version information, consult Microsoft Security Intelligence and check "Latest security
intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware -
Microsoft Security Intelligence".
Deep Security Agent folders and processes for Microsoft Defender Antivirus exclusion list
You need to add Deep Security Agent folders and processes to your Microsoft Defender
Antivirus exclusion list.
Folder:
- C:\Program Files\Trend Micro\AMSP
- C:\Program Files\Trend Micro\Deep Security Agent
Process:
- C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
- C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
- C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe
- C:\Program Files\Trend Micro\Deep Security Agent\Notifier.exe
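
One way to apply the folder and process exclusions above from an elevated PowerShell session, adding only the entries that are missing and then re-reading the result. This is an added example, not Trend Micro's own tooling; the helper name `Get-MissingExclusion` is hypothetical, and it assumes the default install paths listed on this page.

```powershell
#Requires -RunAsAdministrator
# Added example: idempotently add the Deep Security Agent exclusions to Defender.
# Folder and process paths are the ones listed on this page (default install paths).
$Folders = @(
    'C:\Program Files\Trend Micro\AMSP',
    'C:\Program Files\Trend Micro\Deep Security Agent'
)
$Processes = @(
    'C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe',
    'C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe',
    'C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe',
    'C:\Program Files\Trend Micro\Deep Security Agent\Notifier.exe'
)

# Hypothetical helper: returns the required entries not yet present.
# Comparison is case-insensitive and ignores a trailing backslash.
function Get-MissingExclusion {
    param([string[]]$Required, [string[]]$Current)
    $have = @($Current | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') })
    $Required | Where-Object { $have -notcontains $_.TrimEnd('\') }
}

$pref = Get-MpPreference
$missingPaths = @(Get-MissingExclusion -Required $Folders   -Current $pref.ExclusionPath)
$missingProcs = @(Get-MissingExclusion -Required $Processes -Current $pref.ExclusionProcess)

# Add-MpPreference appends to the existing lists; Set-MpPreference would replace them.
if ($missingPaths) { Add-MpPreference -ExclusionPath    $missingPaths }
if ($missingProcs) { Add-MpPreference -ExclusionProcess $missingProcs }

# Re-read the preferences and report anything that still did not take effect,
# for example because exclusions are centrally managed on this machine.
$pref = Get-MpPreference
$still = @(Get-MissingExclusion -Required $Folders   -Current $pref.ExclusionPath) +
         @(Get-MissingExclusion -Required $Processes -Current $pref.ExclusionProcess)
if ($still.Count -eq 0) {
    'OK: all Deep Security Agent exclusions are present.'
} else {
    $still | ForEach-Object { "MISSING: $_" }
}
```
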
Tamper protection
The Tamper protection setting of Microsoft Defender Antivirus must be set to OFF. This recommendation is
based on the results of testing that discovered compatibility issues when Tamper protection
is enabled.
Microsoft Defender Antivirus EDR Block mode for Endpoint
Do not enable Microsoft Defender Antivirus' EDR Block mode for Endpoint. This recommendation
is based on the results of testing that discovered compatibility issues when EDR is
enabled.
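
A read-only check of the Defender requirements on this page (tested product and engine versions, passive mode, Tamper protection off, EDR Block mode not enabled), using the properties returned by `Get-MpComputerStatus`. This is an added example, not Trend Micro's own tooling; the function name `Test-DefenderCoexistence` is hypothetical, and the running-mode names are matched loosely on an assumed wording.

```powershell
# Added example: read-only check of the Defender state described on this page.
# Tested versions are the two values listed on this page.
$TestedProduct = [version]'4.18.2202.4'
$TestedEngine  = [version]'1.1.18900.3'

function Test-DefenderCoexistence {
    param(
        # Output of Get-MpComputerStatus, or any object with the same properties.
        [Parameter(Mandatory)] $Status
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Trend Micro states only these exact versions were tested, so flag any other.
    if (($Status.AMProductVersion -as [version]) -ne $TestedProduct) {
        $findings.Add("AMProductVersion '$($Status.AMProductVersion)' is not the tested $TestedProduct")
    }
    if (($Status.AMEngineVersion -as [version]) -ne $TestedEngine) {
        $findings.Add("AMEngineVersion '$($Status.AMEngineVersion)' is not the tested $TestedEngine")
    }

    # Assumption: mode names are matched loosely on the strings Defender reports
    # (for example "Normal", "Passive Mode", "EDR Block Mode").
    $mode = [string]$Status.AMRunningMode
    if ($mode -like 'EDR*') {
        $findings.Add("AMRunningMode is '$mode'; EDR Block mode must not be enabled")
    } elseif ($mode -notlike 'Passive*') {
        $findings.Add("AMRunningMode is '$mode'; expected passive mode")
    }

    # IsTamperProtected may be absent on older builds; only flag an explicit $true.
    if ($Status.IsTamperProtected -eq $true) {
        $findings.Add('Tamper protection is ON; this page requires it to be OFF')
    }
    return $findings
}

$findings = @(Test-DefenderCoexistence -Status (Get-MpComputerStatus))
if ($findings.Count -eq 0) {
    'OK: Microsoft Defender Antivirus matches the tested passive-mode configuration.'
} else {
    $findings | ForEach-Object { "WARN: $_" }
}
```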
