Can Defender AV be integrated with a different EDR solution?

HenPorcilan 1 Reputation point
2022-09-09T01:09:40.39+00:00

I am using an EDR which monitors only behavior, without the AV periodic full scan capabilities.
I read that Defender does support such a thing (which is exactly my need):

“If another antivirus product is installed and working correctly, Microsoft Defender Antivirus will disable itself. The Windows Security app will change the Virus & threat protection section to show status about the AV product, and provide a link to the product's configuration options.
Underneath any third-party AV products, a new link will appear as Microsoft Defender Antivirus options. Clicking this link will expand to show the toggle that enables limited periodic scanning. Note that the limited periodic option is a toggle to enable or disable periodic scanning.
Sliding the switch to On will show the standard Microsoft Defender Antivirus options underneath the third party AV product. The limited periodic scanning option will appear at the bottom of the page.”

I consulted with a Microsoft engineer about that option, and his answer was "Microsoft does not recommend using this feature in enterprise environments."

Can I know what the risk of using that feature is? Why is it not recommended only for enterprises?


2 answers

  1. Andrew Blumhardt 10,051 Reputation points Microsoft Employee
    2022-09-09T04:28:06.61+00:00

    My understanding is that the "limited periodic scanning" is a basic protection for home users that do not have a full AV service. It is not intended for enterprise use.

    The enterprise model for MDAV is Defender for Endpoint (MDE). With MDE and Intune you can manage MDAV for the enterprise, including local AV scanning, cloud-based analysis, and active vulnerability assessment. MDAV is also used for several blocking features for disallowed apps, malicious websites, etc. If a 3rd party AV is detected, it places MDAV into a passive mode. While in passive mode, MDAV gets updates, serves as a backup AV if the primary is disabled, and continues to provide a level of cloud-based analysis and vulnerability assessment. It may be possible to run MDE in active mode, side-by-side, with your non-blocking EDR.
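
To see which of the modes discussed in this answer an endpoint is actually in, the following added example (not part of the original answer and not Microsoft's code) classifies the output of `Get-MpComputerStatus`. The helper name, the 7-day signature threshold and the sample object are assumptions made for illustration.

```powershell
# Added example: report how Microsoft Defender Antivirus (MDAV) coexists with
# another product, based on the object returned by Get-MpComputerStatus.
function Get-MdavCoexistenceFinding {            # hypothetical helper name
    param(
        [Parameter(Mandatory)] $Status,          # output of Get-MpComputerStatus
        [int] $MaxSignatureAgeDays = 7           # assumed threshold, tune to policy
    )

    # AMRunningMode is matched by prefix so minor wording differences still classify.
    $finding = switch -Wildcard ($Status.AMRunningMode) {
        'Normal'   { 'Active: MDAV is the primary antivirus.'; break }
        'SxS*'     { 'Limited periodic scanning alongside another AV (the toggle from the question).'; break }
        'Passive*' { 'Passive: another AV is primary; MDAV still receives updates.'; break }
        'EDR*'     { 'MDAV running with Defender for Endpoint EDR in block mode enabled.'; break }
        default    { "Not running or unrecognized mode: '$($Status.AMRunningMode)'" }
    }

    $warnings = @()
    # Passive mode is expected to keep receiving updates, so old signatures
    # mean the "backup AV" role described above would start from stale data.
    if ($Status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $warnings += "Signatures are $($Status.AntivirusSignatureAge) days old."
    }
    # In active mode, disabled real-time protection leaves no on-access scanning.
    if ($Status.AMRunningMode -eq 'Normal' -and -not $Status.RealTimeProtectionEnabled) {
        $warnings += 'Active mode but real-time protection is disabled.'
    }

    [pscustomobject]@{
        Mode     = $Status.AMRunningMode
        Finding  = $finding
        Warnings = $warnings
    }
}

# Constructed sample: a passive-mode endpoint whose updates have stopped.
$sample = [pscustomobject]@{
    AMRunningMode             = 'Passive Mode'
    RealTimeProtectionEnabled = $false
    AntivirusSignatureAge     = 12
}
Get-MdavCoexistenceFinding -Status $sample

# On a Windows endpoint with the Defender module present, check the live state.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    Get-MdavCoexistenceFinding -Status (Get-MpComputerStatus)
}
```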


  2. Andrew Blumhardt 10,051 Reputation points Microsoft Employee
    2022-09-09T04:42:34.977+00:00

    Defender for Endpoint requires an Office 365 E3/E5 or equivalent license per user. If you already have E3 or E5 licenses you can begin using MDE. All of the advanced features can be disabled if you prefer. The MDAV configuration is managed by Intune or MEM.

    https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1-2
    https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/deployment-phases
