Windows Defender: Disable real time; keep scheduled and on demand scanning


I just upgraded to Win 10 (RTM build). I have disabled the built in AV's (Defender) real time protection because I do not run it, never did and have never gotten a virus (and I've had a computer for 30 years).

I was able to disable real time scans by turning on the Group Policy's Disable Defender Policy. But this disables the application entirely. Is it possible to use this profile (which I used with Win 7's Security Essentials) with Win10 Defender?

  • Real time scan off
  • Scheduled scans (2AM) active
  • On demand (shell integration right click) scans active

Or do I have to install a 3rd party scanner? I already run MBAM Premium, MBAE and EMET (those are protecting in real time, as their impact on performance is minimum), but I would really like to avoid a 3rd party AV.

TIA

Gaia

Posted 2015-07-19T16:23:35.053

Reputation: 4 549

I am exactly in your situation. It is a shame there is no advanced option to achieve this simple scenario. – Erwin – 2015-08-15T09:41:08.520

I disabled Windows Defender entirely via group policy (though this might be unnecessary once you install a 2nd AV) then installed Bitdefender Free for scheduled and on demand scans. Additionally, you can scan exe's on-demand using more than a dozen engines (cloud scanned) simultaneously using Secure-A-Plus. – Gaia – 2015-08-15T13:10:24.087

@Erwin Check my answer if you're still interested in this. – Marc.2377 – 2016-06-18T20:09:19.413

Answers

6

The "Turn off real-time protection" Group Policy setting, located under Computer Configuration\Administrative Templates\Windows Components\Windows Defender, should do what you want.

In my system, however, the Antimalware Service Executable keeps spawning (and instantly closes) every 10 seconds or so when this policy is enabled. Very annoying, but still nothing compared to the more general system slow-down caused by scanning every file on your drive over and over again.

Keep an eye out for this related question of mine: How to disable signature-based detection without turning off other protections in Windows Defender. Something of interest might come out.


[Update] Using the above method will result in a log file growing constantly, located in C:\ProgramData\Microsoft\Windows Defender\Support, called MPLog-<datetime>.log.
There's a way to prevent this from happening. Just set the following policies to Disabled, instead of the one I first mentioned, i.e. leave that untouched:

  • Monitor file and program activity on your computer
  • Scan all downloaded files and attachments
  • Turn on behavior monitoring
  • Turn on network protection against exploits of known vulnerabilities *
  • Turn on raw volume write notifications *
  • Turn on Information Protection Control *

I'd advise against disabling the last 3 items (marked with an *), however. Their impact on performance is also minimal.

These policy settings can be found in the same location as the first one: Computer Configuration\Administrative Templates\Windows Components\Windows Defender.
Note: Some versions of Windows use the term "Endpoint Protection" instead of "Windows Defender".


If your edition of Windows does not come with the Group Policy Editor, setting some registry entries will do the trick. They are all located under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Real-Time Protection (create this key if it does not exist). Create the following DWORD (32-bit) entries and set them to 1:

  • DisableOnAccessProtection
  • DisableIOAVProtection
  • DisableBehaviorMonitoring
  • DisableIntrusionPreventionSystem *
  • DisableRawWriteNotification *
  • DisableInformationProtectionControl *

Again, I recommend against disabling the last 3 items. Leave them as 0, or better yet, do not create entries for them.

A system restart is required after making these changes.

Just for completeness, the Registry entry for the "Turn off real-time protection" policy is called DisableRealtimeMonitoring.


[Update 2] An addendum: Malwarebytes Anti-Exploit (MBAE) is generally incompatible with the Microsoft Enhanced Mitigation Experience Toolkit (EMET). It even says so when installing it on an EMET-protected system. To see for yourself, download mbae-test.exe from here, add it to the list of EMET-protected apps, and try loading it with MBAE enabled.
(However, if you only use EMET to enforce system-wide rules - i.e. DEP and SEHOP - that's fine. It's only when launching an application protected by both solutions that you should expect trouble.)

Marc.2377


Reputation: 1 072

The log file is in "C:\ProgramData\Microsoft\Microsoft Antimalware\Support" on Win 10 Pro – Gaia – 2016-06-27T17:12:12.777

Win 10 Pro English, up to date as of today (I am not on the fast channel update or whatever that is called) – Gaia – 2016-06-27T23:22:51.617

@Gaia Interesting. That's the same as my setup. Good to know in any case. – Marc.2377 – 2016-06-28T04:43:27.653

If your group policy is not working in Windows 10 Pro or Enterprise, see: Cannot disable group policy inheritance from domain (Serverfault) – Marc.2377 – 2019-01-21T19:28:53.787

(Reposted) C:\Users\All Users is just a link to C:\ProgramData, according to this answer. Still, in my system, the folder is called 'Windows Defender' instead of 'Microsoft Antimalware'. – Marc.2377 – 2019-05-28T03:59:21.683

-1

Starting with the May 2019 Update (version 1903), Windows 10 is introducing Tamper Protection, which is a new feature designed to protect the Windows Security app against unauthorized changes that are not made directly through the experience.

Although this is a welcome addition that adds an extra layer of protection on Windows 10, it can cause some problems when you need to manage security settings through another app or command line tools, such as PowerShell or Command Prompt.

This includes making changes through Group Policy!

Change the Tamper Protection setting

In the search box on the taskbar, type Windows Security and then select Windows Security in the list of results. In Windows Security, select Virus & threat protection and then, under Virus & threat protection settings, select Manage settings. Change the Tamper Protection setting to On or Off.

Then launch the Group Policy Editor and disable the above-mentioned three services (although I think that scanning downloads is useful and does not impact performance) AND a new setting called Turn on process scanning whenever real-time protection is enabled. Run gpupdate /force from CMD; no need to reboot.

Run Regedit and check that these values have been added under [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]:

"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001
"DisableIOAVProtection"=dword:00000001

If you do not have access to the Group Policy Editor, create a .reg script containing the following (the first line is the header regedit requires before it will import the file):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001

Enjoy your much faster system. Also I recommend using VThash check utility for much more comprehensive scanning.

kopija


Reputation: 1
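Both answers above change policy values and then assume the engine honoured them; with Tamper Protection in the picture that is worth verifying. The following PowerShell audit is an added example, not code from either answer: it reports the live engine state via the built-in Defender cmdlets (Get-MpComputerStatus, Get-MpPreference), lists whichever of the thread's registry values are present under the two paths the answers name, and confirms the built-in "Windows Defender Scheduled Scan" task still exists, which is the profile the question asks for (real-time off, scheduled scans on). It assumes an elevated session on Windows 10 with the Defender PowerShell module available.

```powershell
# Added example: audit whether only real-time protection is off while scheduled
# scanning remains configured. Run from an elevated PowerShell prompt.
function Get-DefenderRealtimeAudit {
    [CmdletBinding()]
    param()

    # Live engine state as reported by the Defender provider.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Both registry locations named in the thread; policy-managed values normally
    # live under the Policies hive, the other path is the one the first answer gives.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection',
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection'
    )
    $names = 'DisableRealtimeMonitoring', 'DisableOnAccessProtection',
             'DisableIOAVProtection', 'DisableBehaviorMonitoring',
             'DisableScanOnRealtimeEnable'
    $regValues = foreach ($p in $paths) {
        if (Test-Path -Path $p) {
            $item = Get-ItemProperty -Path $p
            foreach ($n in $names) {
                if ($null -ne $item.$n) {
                    [pscustomobject]@{ Path = $p; Name = $n; Value = $item.$n }
                }
            }
        }
    }

    # The built-in scheduled scan task; it should survive turning real-time scanning off.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' `
                -TaskName 'Windows Defender Scheduled Scan' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        OnAccessProtectionEnabled = $status.OnAccessProtectionEnabled
        IoavProtectionEnabled     = $status.IoavProtectionEnabled
        BehaviorMonitorEnabled    = $status.BehaviorMonitorEnabled
        # IsTamperProtected only exists on builds that ship Tamper Protection (1903+);
        # on older builds this property reads as $null.
        IsTamperProtected         = $status.IsTamperProtected
        ScheduledScanDay          = $pref.ScanScheduleDay
        ScheduledScanTime         = $pref.ScanScheduleTime
        ScheduledScanTaskState    = if ($task) { $task.State } else { 'task not found' }
        RegistryOverrides         = $regValues
    }
}

Get-DefenderRealtimeAudit | Format-List
```

If RealTimeProtectionEnabled still reads True after the policy change and IsTamperProtected is True, the second answer's point applies: Tamper Protection is blocking the policy until it is switched off in Windows Security.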