• MS Defender still enabled when 3rd-party security software is installed

    #2613945

    Hi everyone,

    I’m having the exact same problem as this guy: https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-continues-to-run-in-background/77fe32ad-9734-40f8-9397-7654ccfa0217

    Well, “nearly identical” is more accurate. In my case, I can generally reduce RAM consumption to a tolerable/acceptable level by disabling Microsoft Defender’s “Periodic Scanning” feature in the Windows Security section:

    However, that doesn’t always work, and sometimes the Antimalware Service Executable starts chewing through memory again. I’ve played with Group Policy, but it doesn’t appear to have any real effect. Ultimately, rebooting the computer 1 or more times seems to eventually force Defender to release RAM effectively (enough) after startup.

    That said, I would rather force the Antimalware Service Executable service to stop running altogether, but there just doesn’t seem to be a viable means to do this. (I’m also not sure what the difference between the Antimalware Service Executable service and Defender actually is. They both appear to be spawned from the same .exe file/service, i.e., C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23110.3-0\MsMpEng.exe.)

    So, in lieu of some kind of masterfully crafted workaround that probably won’t work anyway (as per the Microsoft forum post above), is there a solution here that doesn’t require me to “split the atom” in the process? Maybe the issue is resolved in Windows 11, version 23H2?

    Thanks!

    1 user thanked author for this post.
    • #2613956

      Correct.

      Defender runs in “passive” mode when 3rd party security software is the “active” AV/AM.

      By design.

      1 user thanked author for this post.
    • #2613970

      How much RAM does Defender consume?
      Is it Norton mucking up Defender?
      Any hints on the Norton forum?

      cheers, Paul

      1 user thanked author for this post.
      • #2614092

        How much RAM does Defender consume?
        Is it Norton mucking up Defender?
        Any hints on the Norton forum?

        cheers, Paul

        Between 100-200 MB, at its worst.
        I contacted Norton, and they told me that this was a Microsoft problem.
        Thanks!

    • #2614001

      I’ve played with Group Policy, but it doesn’t appear to have any real effect.

      Is Tamper Protection on?

      If you can’t change the Microsoft Defender Antivirus settings through Group Policy, Command Prompt, or PowerShell, it’s because Tamper Protection is enabled – here’s how to fix this issue.

      How to disable Tamper Protection on Windows 11

      2 users thanked author for this post.
    • #2614099

      I’ve played with Group Policy, but it doesn’t appear to have any real effect.

      Is Tamper Protection on?

      If you can’t change the Microsoft Defender Antivirus settings through Group Policy, Command Prompt, or PowerShell, it’s because Tamper Protection is enabled – here’s how to fix this issue.

      How to disable Tamper Protection on Windows 11

      I am aware of Tamper Protection, and I did temporarily turn it off to disable this Group Policy:

      “Allow antimalware service to start up with normal priority”

      https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus?view=o365-worldwide

      But it did not seem to have any effect on MsMpEng.exe priority (in Task Manager, in Details View). (FYI – I’ve been made aware that priority is more a function of CPU than RAM, but it still gave me an adequate vehicle to test a Group Policy setting on Defender.) That said, maybe I should have tried a reboot as well for that specific Group Policy to take effect.

      I did not try setting any other Group Policies. (Although I may experiment with changing other, related group policies later.)  I’ve since switched Tamper Protection back on and then disabled Microsoft Defender’s “Periodic Scanning” feature in Windows Security.

      My understanding is that I’d have to keep Tamper Protection off permanently if I wanted any Group Policy to potentially influence Defender (assuming any Group Policy could actually be effective in this scenario). Is that right?

      Also, the only way to turn Tamper Protection on/off is to enable Microsoft Defender’s “Periodic Scanning” feature in Windows Security, which just makes the RAM problem worse. A thought: Maybe I could keep “Periodic Scanning” enabled, disable Tamper Protection, and then configure some setting (Group Policy or Scheduled Task?) that controls how often “Periodic Scanning” runs?

      In general, I get the impression that Defender was never meant to be completely disabled, and doing so might cause more harm than good.

      So, I’d settle for minimizing Defender’s RAM consumption as much as possible, at this point. But I don’t even see a reasonable way to do that (other than disabling Microsoft Defender’s “Periodic Scanning” feature in Windows Security).

    • #2614141

      Had a somewhat similar problem. I noticed several instances of MsMpEng.exe causing excessive hard disk activity on my hdd (as seen in task manager). Sorry, I did not notice or look at the memory usage. Windows Defender has 4 scheduled tasks that may account for periodic excessive activity. This activity happened at the most inopportune moment for me yesterday. I have been using the following settings on several other PCs, but neglected to set it on the one in usage yesterday.
      I went into scheduled tasks and made the following changes.
      Scheduled Tasks/TaskSchedulerLibrary/Microsoft/Windows/Windows Defender. For each of the 4 Defender scheduled tasks, I set the following on the Condition Tab. Select or check “Start the task only if the computer is idle for:” (default time settings are ok) and make sure “Stop if the computer ceases to be idle” is checked.
      I got this idea from the Cybercpu Tech video entitled
      “How To Configure Windows 10 For Gaming”
      The Defender scheduled task discussion starts at a little over 4 minutes.
      https://www.youtube.com/watch?v=3km3JHJ7KaE
      So essentially you are only changing the tasks to run if device is idle.

      3 users thanked author for this post.
      • #2614299

        This idea looks promising, and, as soon as I have more time, I will try it.

        At the very least, this strategy could reduce the frequency of the issue.

        I’ll report back here with my results at a later time. Thanks!

      • #2614988

        I watched the relevant part of the YouTube video, and I see there are 4 Defender-related scheduled tasks on his Windows 10 system. While I didn’t watch the whole video, I think he is using only Windows Defender for security (without some additional 3rd-party security software)?

        Conversely, on my Windows 11 system, with Norton installed, I don’t see any scheduled tasks in the Task Scheduler:

        So, I assume Norton is at least disabling Defender’s scheduled tasks. And, if these tasks aren’t running on my system, then I wonder what Defender is actually doing other than providing a backup/failsafe mechanism for Norton. And, could such a backup/failsafe mechanism alone account for my fluctuations in RAM/resource consumption?

        1 user thanked author for this post.
        • #2614990

          Thanks for replying back. Sorry was not helpful. Yes, from watching other videos, he only runs Defender.

          1 user thanked author for this post.
    • #2614171

      200MB of RAM use is hardly worth fretting over.

      cheers, Paul

      • #2614190

        Speak for yourself. I’ve got 16 GB of RAM, and 200 MB of RAM consumption easily increases total RAM consumption by 10-15%.  Sure, I could buy more RAM, and maybe I will, but why should I have to? In general, throwing more hardware at a software problem is not my idea of an ideal solution.

        • #2614210

          200MB = 0.2GB. Definitely not 10-15% of 16GB

          2 users thanked author for this post.
          • #2614254

            I don’t know what to tell you, and I’m not looking for a debate. If I could explain it, I probably wouldn’t be here. I’m just reporting what I’m seeing. Maybe Defender is simultaneously loading other, less conspicuous processes as well. The bottom line is the difference between what I’m seeing 1) when Antimalware Service Executable (and other things???) is burning through resources and 2) when it isn’t.

    • #2614195

      200 MB of RAM consumption easily increases total RAM consumption by 10-15%.

      So out of 16GB of RAM you are using 2-3GB with 14-13GB not used.
      200MB is a drop in a bucket.

      • #2614258

        Technically, you’re not wrong. I can’t explain the disparity. I can only report what I’m experiencing and then try to make sense of it. Thank you for your feedback.

    • #2614250

      Look, I don’t care how much RAM a process is using if I don’t want it running at all. There are lots of junk processes running under bloated Windows these days.

      The hardware requirements to run a reasonably performing Windows just keep getting higher over time. And Microsoft has this attitude to make certain features end-user uninstallable, for no good customer-centric reason.

      Note that MsMpEng.exe is nowhere to be found running on my Windows 10 system. And the replacement real-time anti-malware solution runs without incident: no performance issues and no successful malware infections.

      Is the problem described here Windows 11 specific?

      Looks like another Microsoft bug and/or intended feature test.

      Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.

      1 user thanked author for this post.
      • #2614297

        Look, I don’t care how much RAM a process is using if I don’t want it running at all. There are lots of junk processes running under bloated Windows these days.

        The hardware requirements to run a reasonably performing Windows just keep getting higher over time. And Microsoft has this attitude to make certain features end-user uninstallable, for no good customer-centric reason.

        Note that MsMpEng.exe is nowhere to be found running on my Windows 10 system. And the replacement real-time anti-malware solution runs without incident: no performance issues and no successful malware infections.

        Is the problem described here Windows 11 specific?

        Looks like another Microsoft bug and/or intended feature test.

        The issue appears to affect at least Windows 11 version 22H2. I don’t know if it persists in 23H2. And, yes, to my knowledge, you can install Norton (or any other 3rd-party security software) on Windows 10 and never see MsMpEng.exe running. I noticed that as well (along with no Defender-related performance issues). In fact, I assume Defender is completely disabled on Windows 10, but I’ve not 100% verified this.

        At this point, I do think that Microsoft has intentionally made it difficult to disable Defender in Windows 11 and has positioned it as some kind of failsafe, backup, or complementary/supplementary solution to a 3rd-party security software. In that case, Defender and Windows 11 may be inherently and fundamentally linked. So, I’m wary of completely disabling Defender because I’m under the impression that doing so could come with unintended, undesirable side effects.

        Thus, I’m inclined to err on the side of caution and find a solution that mitigates Defender’s RAM/resource consumption for now.

    • #2614260

      Please try the detailed instructions which follow here:

      Starting from Windows 10 1903 release, you cannot use these GPO options or registry parameters to disable Microsoft Defender, because these settings are shielded by Tamper Protection. The methods previously used to disable Microsoft Defender Antivirus don’t work on Windows 11.

      To completely disable Windows Defender Antivirus on Windows 11, you need to boot your computer to Safe Mode.

      How to Disable Microsoft Defender Antivirus in Windows 11 Permanently?

      2 users thanked author for this post.
    • #2614470

      I have Windows 10 22H2 and the lightweight Panda 3rd party free AV on old (underpowered by today’s standards) PCs with limited RAM (8GB and 6GB). The last few days the Panda AV has updated its executables and I noticed Windows Defender started up during the Panda update when Panda was obviously not running. (This took me by surprise. I only held my nose and downgraded to W10 a few months ago and I don’t remember W8.1 Defender starting up during a Panda program update on the then W8.1 PCs.)

      After a few minutes (I did not time it), Panda was running again and Defender stopped. At the end of my session I ran CCleaner (and/or Wise Disk Cleaner – I forget which) and noticed some temporary Defender update stuff to delete. (As Defender would not have run for many months, it is reasonable that it would need to update itself somehow.)

      Given this, WRT your scenario a few thoughts:

      Did your problems start when your Norton AV temporarily stopped in order to update its executables?

      If you are continually having Defender executables running, does this suggest that Defender does not know that Norton is there and running?

      Does this suggest that the Norton update did not complete fully and it did not do what it needs to do to inform Defender that it is running? (If Defender started when Norton stopped to update and like for me, your Defender updated in parallel, you might have had some sort of race condition which left the Norton update incomplete? Just guessing, but it is plausible.)

      Might a Norton uninstallation, followed by a wait for a while to allow Defender to run and update its executables fully, then followed by a fresh Norton re-installation complete more successfully (the Defender update and the Norton re-installation running in isolation, separated in time)? This should let Defender know Norton is running, so that Defender itself does not run. (If you try this I would make a full partition image backup beforehand, just in case you end up in a worse state and need to go back to your current state which is sort of working. I have no experience of Norton, but I’ve read that it is a heavy, complicated, sensitive thing.)

      HTH. Garbo.

      1 user thanked author for this post.
      • #2614999

        Did your problems start when your Norton AV temporarily stopped in order to update its executables?

        I don’t think that Norton ever fully “stops” protection/security so that it can “update its executables”, but it does seem possible that, for whatever reason, Norton might temporarily exit an “active” state and enter into a “passive” mode. In that case, I believe Defender is designed to spring into action (to fill the void left by Norton), exit its “passive” mode, and enter its own “active” state. So, assuming that this is what’s happening (and, in fact, this is what’s supposed to happen), then it stands to reason (and I would expect) that Defender would subsequently start consuming more resources at that time.

        (Note: I’ll need to take a closer look at Defender and Norton processes in Task Manager, in the future, to substantiate a theory in which one is always, generally using significantly more resources than the other.)

        That said, in a perfect world, and if both Defender and Norton are calibrated “correctly”, then I’d also expect RAM/resources to be reallocated to Defender from Norton in a way that does not result in a significant increase/decrease in total system RAM/resource consumption. But that’s not what I’m seeing. In my case, when (ostensibly) Defender is in an “active” state and Norton is in a “passive” mode, I’m seeing much more total RAM/resources used than if the inverse were true (i.e., when Norton is in an “active” state and Defender is in a “passive” mode).

        Assuming all of the above is true, then some ideas/questions to consider:

        1. When installed alone, which software generally uses more RAM: Defender or Norton?
        2. Maybe Defender generally uses more RAM/resources than Norton to provide comparable security, and thus this behavior is “normal”
          • But, given that Defender is part of the OS, why should it use more RAM/resources than a 3rd-party security software?
        3. Maybe Defender is using more RAM/resources in an “active” state than it otherwise would if Norton was not installed (I.e., possible Defender memory leak, in this scenario?)
        4. Why does Norton go from an “active” state to a “passive” mode?
          • Is this really triggered by Norton or Defender automatically updating itself?
            • If so, is it possible to disable automatic updates of either or both — and rely on manual updates instead?
          • Does it sense a lower overall security threat at any given time, so it attempts to save resources?
            • Perhaps this is when Norton is updating itself?
          • Is this behavior intended by Norton, or is this actually an indication of a Norton bug (and not necessarily an issue with Defender)?
            • Is there ever any good reason for Norton to enter into a “passive” mode?
        5. Is it possible for both Norton and Defender to be in an “active” state, due to some miscommunication between the applications or some other Norton/Defender bug?
        6. Anything else??

        If you are continually having Defender executables running, does this suggest that Defender does not know that Norton is there and running?

        I’ve never noticed multiple instances of Defender, Antimalware Service Executable, or MsMpEng.exe running. So, I assume Defender is aware of Norton and vice versa, unless, of course, there are times when they don’t recognize each other.

        Does this suggest that the Norton update did not complete fully and it did not do what it needs to do to inform Defender that it is running?

        I’ve not noticed if the issue occurs during or immediately after an incomplete or successful (automatic) Norton update. I would have to monitor Norton updates, and I don’t really know how to do that. Probably via some Norton log file.

        I suppose I could similarly monitor when Defender updates, via some Windows log file, to see if the update coincides with the increase in RAM/resource consumption.

        In general, and hypothetically, I could write a PowerShell script to monitor 1) automatic updates to both applications and 2) significant changes in RAM/resource consumption of each, and then log all results in a single file with timestamps — to ultimately gain insight into what is happening and when and look for potential correlations.

        Finally, short of reinstalling one or both applications, maybe you’re also insinuating that a means to coordinate automatic updates of both products, such that they never update concurrently, could also somehow be of benefit?

        Thanks for the ideas!
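Added example (not part of any post in this thread): one way to build the monitoring script described in the post above, logging Defender's running mode, MsMpEng.exe memory, the AV products registered with Windows Security Center, and Defender update events to one timestamped CSV. The parameter names, default log path and sampling interval are assumptions; Norton's own update log is not covered because the thread does not identify it.

```powershell
# Added example: correlate Defender state changes with MsMpEng.exe memory use.
# Assumptions: run from an elevated PowerShell prompt on a Windows client;
# $LogPath, $IntervalSec and $Samples are illustrative names and defaults.
param(
    [string]$LogPath     = "$env:TEMP\defender-watch.csv",
    [int]   $IntervalSec = 60,
    [int]   $Samples     = 60
)

function Get-DefenderSnapshot {
    # AMRunningMode reports whether Defender is the active AV (e.g. "Normal")
    # or is running in a passive mode alongside another product.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $proc   = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue
    # Products that have registered themselves with Windows Security Center.
    $av     = Get-CimInstance -Namespace root/SecurityCenter2 `
                  -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Time         = (Get-Date).ToString('s')
        Kind         = 'sample'
        RunningMode  = $status.AMRunningMode
        RealTimeOn   = $status.RealTimeProtectionEnabled
        MsMpEngMB    = if ($proc) {
                           [math]::Round(($proc | Measure-Object WorkingSet64 -Sum).Sum / 1MB, 1)
                       } else { 0 }   # 0 means the process is not running
        RegisteredAV = ($av.displayName -join '; ')
        Detail       = ''
    }
}

function Get-DefenderUpdateEvents {
    param([datetime]$Since, [datetime]$Until)
    # 2000 = definitions updated, 2002 = engine updated, 5007 = configuration changed
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2000, 2002, 5007
        StartTime = $Since
        EndTime   = $Until
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time         = $_.TimeCreated.ToString('s')
            Kind         = "event-$($_.Id)"
            RunningMode  = ''
            RealTimeOn   = ''
            MsMpEngMB    = ''
            RegisteredAV = ''
            Detail       = ($_.Message -split "`r?`n")[0]   # first line of the event text
        }
    }
}

$last = Get-Date
for ($i = 0; $i -lt $Samples; $i++) {
    Start-Sleep -Seconds $IntervalSec
    $now = Get-Date
    # Events since the previous sample first, then the current snapshot,
    # so the CSV stays in rough chronological order.
    @(Get-DefenderUpdateEvents -Since $last -Until $now) + @(Get-DefenderSnapshot) |
        Export-Csv -Path $LogPath -Append -NoTypeInformation
    $last = $now
}
```

Sorting the resulting CSV by `Time` puts update events next to the memory samples, so a jump in `MsMpEngMB` or a change in `RunningMode` can be lined up against the nearest event.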

        • #2615052

          Wrt your 2nd point, when my Panda AV runs (is “active” in your jargon), its service uses ~10MB of RAM and the Defender service (MsMpEng.exe) is not running so uses no RAM, but if I temporarily stop Panda AV (done simply from its UI) and the W10 Defender service starts, it uses ~187MB (figures from Task Manager). So Defender may use more RAM than a 3rd party AV “to provide comparable security”, but I don’t know what Norton would use.

          Wrt your point 5, that is basically what I’m suggesting, both Norton and Defender changing their states (somehow) in parallel, so that although Norton is now stable and “active” again, Defender does not “know” this (however it is supposed to know this). This might possibly be as a result of a race condition, possibly when both updated (their executables, not their virus definitions) roughly in parallel, but possibly Norton finishing 1st and saying I’m “active”, then Defender finishing 2nd and saying if I’m running then nothing else must be “active” (clearing flags, Registry keys or whatever which had indicated Norton was “active”) and only I must be “active”? Just a guess!

          Wrt your final paragraph, I don’t know how lengthy a Norton uninstallation, followed by a delay of a few minutes for Defender to possibly sort itself out (and possibly doing a sfc /scannow or similar to help sort it out?), followed by a Norton re-installation would be, but for comparison a Panda AV uninstallation takes less than 5 minutes and a (re-)installation a similar “about 5 minutes”, so that is what I would try in a similar situation to yours.

          Microsoft in their arrogance do not give users the choice of uninstalling Defender, so you cannot try the other way round i.e. uninstalling and re-installing Defender. From memory  it was possible using 3rd party tool(s) in early versions of W10, but Microsoft made it more difficult/impossible in later versions. If Defender is now very deeply embedded in the Windows OS itself, I would not attempt messing with it because there could be unknown side-effects.

          HTH. Garbo.

          Later edit: My comments above are based on Windows 10 (W10), written on my W10 PC. I’ve just temporarily replaced my usual W10 system SSD with a spare SSD with W11 configured in a similar way to my usual W10 SSD. My comments above still apply. Defender service MsMpEng.exe is not running or using RAM when Panda AV is running, but starts and uses ~150MB when Panda is stopped and Defender is running. (There was even larger MsMpEng.exe RAM usage for a few seconds as it started up, but in W11 it settled down at ~150MB when idle, compared to ~179MB when idle in W10.) HTH.

          1 user thanked author for this post.
          • #2615198

            Thanks for your reply.

            So you tested your Panda AV on Windows 11, and MsMpEng.exe is not even running while Panda is in its “active” state?

            (Again, MsMpEng.exe is always running for me, with Norton installed on Win 11.)

            This alone makes me think that the problem is Norton and not Defender. I.e., Norton is not effectively suppressing Defender, compared to other AV products.

            This also gives me some incentive to perform a reinstall of Norton to see if MsMpEng.exe is still running after the install.

    • #2615333

      MsMpEng.exe is always running for me, with Norton installed on Win 11

      MsMpEng.exe never runs on my Windows 10 with Kaspersky installed.
      Defender is set to periodically scan which launches Kaspersky scans.

      Defender does run (and quit) at startup/reboot.

      • #2615410

        MsMpEng.exe never runs on my Windows 10 with Kaspersky installed.
        Defender is set to periodically scan which launches Kaspersky scans.

        Defender does run (and quit) at startup/reboot.

        Then you aren’t getting periodic scans, as Defender doesn’t launch Kaspersky scans:

        How Does It Work?

        When this setting is enabled, the operating system uses the built-in Windows Defender scanning engine to periodically scan for threats. That is to say that the Limited Periodic Scanning setting will use Microsoft’s built-in tool even if you are not using Windows Defender as your main antivirus software.

        When Does It Run?

        The process uses Windows Automatic Maintenance settings to scan your PC at times that it will have minimal impact on your use of your machine.

        What Is Microsoft Defender’s Limited Periodic Scanning, and How Do You Turn It On?

    • #2615510

      Then you aren’t getting periodic scans

      Yes, it does. After a restart I get a notification that Defender is set to scan…and scanned my PC.

      • #2615530

        That’s not a periodic scan at automatic maintenance times.

        (Doesn’t it use MsMpEng.exe which you said never runs?)

    • #2615654

      (Doesn’t it use MsMpEng.exe which you said never runs?)

      I don’t know as Defender scan runs on boot/restart (I get notification)
      After that there is no MsMpEng.exe running

    • #2628343

      This works for turning off defender. I edited the registry manually

      https://woshub.com/disable-windows-defender-antivirus/

      1 user thanked author for this post.