AditiUpadhyay-9386 asked CandyLuo-MSFT commented

Windows Defender and Symantec AV

Hi Microsoft,

My organisation has Windows Server 2016 OS and uses Symantec Endpoint Protection as the AV. Microsoft docs recommend disabling Windows Defender if a third-party AV is being used.
Sources also indicate that the Windows Defender Firewall component remains enabled despite Windows Defender being disabled.
1) If Windows Defender overall is disabled, can the enabled components (firewall) still be impacted by vulnerabilities?
2) Can the firewall component be disabled completely as well?

Thanks,
Aditi

windows-server

You could accept the useful reply as the answer if you want to end this thread.
If there is anything else we can do for you, please feel free to post in the forum.


Please try to mark the replies which help you. It will encourage the person who helps you.
Appreciate your understanding. :)

CandyLuo-MSFT answered

Hi,

If Windows Defender overall is disabled, can the enabled components (firewall) still be impacted by vulnerabilities?

Although the Windows firewall in Windows 10 is now called the Windows Defender Firewall, it's not actually an integral part of Windows Defender. The Windows firewall existed long before Windows Defender.

So the Windows firewall is on by default; unless you intentionally disable it or install a security software program that does so, it will be enabled and protecting your computer.

Can the firewall component be disabled completely as well?

If the 3rd-party security software also features its own firewall, it will automatically disable the Windows built-in firewall.

Hope this can help you understand better. If anything is unclear, please feel free to let me know.

Best Regards,
Candy



AditiUpadhyay-9386 answered

Hi Candy! Thanks for the explanation.

I am still confused on the vulnerability part.

So in the current config on Windows Server 2016, Windows Defender is already disabled (because of third-party AV) but Windows Defender Firewall remains enabled by default.

Confusion stems from the conclusion that it cannot be affected by vulnerabilities in a disabled state, but noting that firewall is still enabled, can it still be affected?

E.g. https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647

"Microsoft Defender is disabled in my environment, why are vulnerability scanners showing that I am vulnerable to this issue?
Vulnerability scanners are looking for specific binaries and version numbers on devices. Microsoft Defender files are still on disk even when disabled. Systems that have disabled Microsoft Defender are not in an exploitable state."

So if firewall is still enabled - will vulnerabilities on Windows Defender continue to be exploitable?

Regards,
Aditi

CandyLuo-MSFT answered

Hi,

If the third-party AV features its own firewall, generally, it will automatically disable the Windows built-in firewall. If Windows Firewall was not disabled and you want to use a third-party firewall, then just turn Windows Firewall off.

So if firewall is still enabled - will vulnerabilities on Windows Defender continue to be exploitable?

The Microsoft Defender Remote Code Execution Vulnerability is not related to Windows Firewall. For CVE-2021-1647, make sure the engine version is at 1.1.17700.4 or newer.


Best Regards,
Candy
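
An added example, not part of the original thread: a PowerShell check that compares the Defender engine version against the 1.1.17700.4 threshold given above and reports the firewall profiles separately, since the two are independent components. The function name `Test-DefenderEngine` and the output layout are assumptions made for this example; `Get-MpComputerStatus` and `Get-NetFirewallProfile` are the built-in cmdlets.

```powershell
# Added example. The threshold comes from the answer above (CVE-2021-1647).
$FixedEngine = [version]'1.1.17700.4'

function Test-DefenderEngine {
    # Hypothetical helper: returns 'Patched', 'Outdated' or 'Unknown'.
    param(
        [string]$EngineVersion,
        [version]$Minimum = $FixedEngine
    )
    $parsed = $null
    # An empty or malformed version string cannot be compared, so report
    # it as 'Unknown' rather than guessing.
    if (-not [version]::TryParse($EngineVersion, [ref]$parsed)) {
        return 'Unknown'
    }
    if ($parsed -ge $Minimum) { 'Patched' } else { 'Outdated' }
}

# Defender antimalware state. The cmdlet throws when the Defender feature
# is removed or its service is not running, so that case is reported
# instead of being treated as a pass.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    [pscustomobject]@{
        AMServiceEnabled          = $mp.AMServiceEnabled
        AntivirusEnabled          = $mp.AntivirusEnabled
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        AMEngineVersion           = $mp.AMEngineVersion
        EngineStatus              = Test-DefenderEngine $mp.AMEngineVersion
    }
}
catch {
    Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)"
}

# Firewall state, queried independently of the antimalware engine.
Get-NetFirewallProfile | Select-Object Name, Enabled
```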

