VirTool:Win32/DefenderTamperingRestore is triggering / recurring almost every day on a lot of devices

Jens Loncke 15 Reputation points
2023-07-07T12:58:08.47+00:00

Hello,

We've recently moved from our main AV that we used for years to Microsoft Defender. So we've uninstalled our main AV on all of our devices, and we pushed / enabled Microsoft Defender via our RMM platform, and on 80% of our devices everything runs / is fine.

BUT, on 20% of our devices we are getting a lot of alerts regarding: "AV: Defender VirTool:Win32/DefenderTamperingRestore". This alert has to do with a reg key: hklm\software\policies\microsoft\windows defender\\DisableAntiSpyware. In the alert (see picture) it's not clear to see what is causing this alert, so it's driving us crazy, because it's triggering almost daily.


After a lot of research, this alert is not that dangerous; it's indicating that Microsoft Defender did a self-heal and reset itself. But we are getting tons of these alerts, with no clue where it's coming from or what the cause is.

Anybody here that had/has the same issue? Or knows a solution?
