Issues with MS Defender on Instant Clones

kanid99 · ‎01-19-2023

Here is my issue! On the base image Defender is ON but real-time protection is disabled and tamper protection is disabled. When the pool is imaged with the snapshot from that base though, the clones show "Virus and Threat Protection : status 'Unknown'" until I toggle Tamper Protection back on and then off again. Then it shows everything is fine.

WHAT is causing this to happen and how can I get a consistent result between the base image and the clones ? I confirmed they are having the same GPOs applied so its not an errant GPO changing the settings.

Jubish-Jose · ‎01-19-2023

I may be wrong, but I would expect this because when the clone is made with realtime protection off, the OS doesn't know the status and hence it will be shown s Unknown. Turning it back on gets the status and remains in that even though its turned off after a while.

Any reasons to turn off realtime protection? I would say its as good (or bad) as not enabling Defender.

-- If you find this reply helpful, please consider accepting it as a solution.

kanid99 · ‎01-19-2023

Our current AV provider isnt properly registering with MS Security Center. They say this is by design because they dont provide a 'local AV scanner' and that defender should be used for on-demand and scheduled scans that require signature based scanning. My intention was to put Defender in a state where it could still be used in that scenario but not be doing real-time scanning since the cloud AV is effectively doing that.

I should say our current and soon to be former AV. But until it is former I have to deal with mitigating the performance impact of the 3rd party AV not disabling defender and the two often fighting with each other - NOT ideal for my end users!

All

Issues with MS Defender on Instant Clones