Microsoft Defender AV must be configured to run and scan for malware and other potentially unwanted software. (Cat I impact)
This policy setting turns off Microsoft Defender Antivirus. If this policy setting is enabled, Microsoft Defender Antivirus does not run and computers are not scanned for malware or other potentially unwanted software. When the setting is disabled and a third-party antivirus solution is installed, the two applications can both simultaneously try to protect the system. The two AV solutions both attempt to quarantine the same threat and will fight for access to delete the file. Users will see conflicts and the system may lock up until the two solutions finish processing. When the setting is not configured and a third-party antivirus solution is installed, both applications coexist on the system without conflicts. Defender Antivirus will automatically disable itself and will enable if the third-party solution stops functioning. When the setting is not configured and Defender Antivirus is the only AV solution, Defender AV will run (default state) and receive definition updates. An administrator account is needed to turn off the service. A standard user cannot disable the service.
Verify the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> "Turn off Windows Defender Antivirus" is set to “Not Configured”. For Windows 10: Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows Defender Criteria: If the value "DisableAntiSpyware" does not exist, this is not a finding.
For Windows 10: Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus "Turn off Microsoft Defender Antivirus" to "Not Configured".
Rule ID: SV-213428r823028_rule
Vulnerability ID: V-213428
Group Title: SRG-APP-000278
The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy.
Malicious Code Protection