Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution

Applies to:

You can find help here if you encounter issues while migrating from a third-party security solution to Microsoft Defender Antivirus.

Review event logs

Open the Event Viewer app by selecting the Search icon in the taskbar and searching for event viewer.

Information about Microsoft Defender Antivirus can be found under Applications and Services Logs > Microsoft > Windows > Windows Defender.

From there, select Open underneath Operational.

Selecting an event from the details pane will show you more information about an event in the lower pane, under the General and Details tabs.

Microsoft Defender Antivirus won't start

This issue can manifest in the form of several different event IDs, all of which have the same underlying cause.

Associated event IDs

| Event ID | Log name | Description | Source |
|---|---|---|---|
| 15 | Application | Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF. | Security Center |
| 5007 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: Default\IsServiceRunning = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1 | Windows Defender |
| 5010 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus scanning for spyware and other potentially unwanted software is disabled. | Windows Defender |
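
The events listed above can also be collected from PowerShell instead of Event Viewer. This is an added example, not part of the original page; the 7-day look-back window and the output columns are assumptions, and message matching assumes an English-language system.

```powershell
# Added example: collect the event IDs listed in the table above.
# Assumption: a 7-day look-back window; adjust $since as needed. Run elevated.
$since = (Get-Date).AddDays(-7)

$queries = @(
    @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007, 5010; StartTime = $since },
    @{ LogName = 'Application'; Id = 15; StartTime = $since }
)

$events = @(foreach ($q in $queries) {
    # Get-WinEvent writes an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue
})

# Other providers also log ID 15 in the Application log, so keep only
# the entries that report the OFF state described in the table.
$events = @($events | Where-Object {
    $_.Id -ne 15 -or $_.Message -match 'SECURITY_PRODUCT_STATE_OFF'
})

$events | Sort-Object TimeCreated | ForEach-Object {
    # For 5007, show the changed setting (the "New value:" line) instead of the full message.
    $detail = if ($_.Id -eq 5007 -and $_.Message -match 'New value:\s*(?<v>.+)') {
        $Matches['v'].Trim()
    } else {
        ($_.Message -split "`r?`n")[0]
    }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        Log    = $_.LogName
        Source = $_.ProviderName
        Detail = $detail
    }
} | Format-Table -AutoSize -Wrap
```

A 5007 entry whose new value touches DisableAntiSpyware or IsServiceRunning outside a planned migration window deserves review, since the event text itself notes that an unexpected change may be the result of malware.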

How to tell if Microsoft Defender Antivirus won't start because a third-party antivirus is installed

On a Windows 10 device, if you are not using Microsoft Defender for Endpoint, and you have a third-party antivirus installed, then Microsoft Defender Antivirus will be automatically turned off. If you are using Microsoft Defender for Endpoint with a third-party antivirus installed, Microsoft Defender Antivirus will start in passive mode, with reduced functionality.

Tip

The scenario just described applies only to Windows 10. Other versions of Windows have different responses to Microsoft Defender Antivirus being run alongside third-party security software.

Use Services app to check if Microsoft Defender Antivirus is turned off

To open the Services app, select the Search icon from the taskbar and search for services. You can also open the app from the command line by typing services.msc.

Information about Microsoft Defender Antivirus will be listed within the Services app under Windows Defender > Operational. The antivirus service name is Windows Defender Antivirus Service.

While checking the app, you may see that Windows Defender Antivirus Service is set to manual, but when you try to start this service manually, you get a warning stating, "The Windows Defender Antivirus Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs."

This indicates that Microsoft Defender Antivirus has been automatically turned off to preserve compatibility with a third-party antivirus.

Generate a detailed report

You can generate a detailed report about currently active group policies by opening a command prompt in Run as admin mode, then entering the following command:

GPresult.exe /h gpresult.html

This will generate a report located at ./gpresult.html. Open this file and you might see the following results, depending on how Microsoft Defender Antivirus was turned off.

Group policy results

If security settings are implemented via group policy (GPO) at the domain or local level, or through System Center Configuration Manager (SCCM)

Within the GPResults report, under the heading Windows Components/Windows Defender Antivirus, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.

| Policy | Setting | Winning GPO |
|---|---|---|
| Turn off Windows Defender Antivirus | Enabled | Win10-Workstations |

If security settings are implemented via Group policy preference (GPP)

Under the heading Registry item (Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, Value name: DisableAntiSpyware), you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.

DisableAntiSpyware
Winning GPO: Win10-Workstations
Result: Success
General
  Action: Update
Properties
  Hive: HKEY_LOCAL_MACHINE
  Key path: SOFTWARE\Policies\Microsoft\Windows Defender
  Value name: DisableAntiSpyware
  Value type: REG_DWORD
  Value data: 0x1 (1)

If security settings are implemented via registry key

The report may contain the following text, indicating that Microsoft Defender Antivirus is turned off:

Registry (regedit.exe)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware (dword) 1 (hex)

If security settings are set in Windows or your Windows Server image

Your imaging admin might have set the security policy, DisableAntiSpyware, locally via GPEdit.exe, LGPO.exe, or by modifying the registry in their task sequence. You can configure a Trusted Image Identifier for Microsoft Defender Antivirus.
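
The indicators described in the sections above (the DisableAntiSpyware policy value, the antivirus service state, and passive mode) can be checked directly on a device. This is an added example, not part of the original page; the verdict strings are this example's own wording, and the root/SecurityCenter2 query assumes a Windows client edition.

```powershell
# Added example: classify why Microsoft Defender Antivirus is not running actively.
# Run elevated. The verdict strings are this example's own wording.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$policy = Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
$disabledByPolicy = ($null -ne $policy) -and ($policy.DisableAntiSpyware -eq 1)

$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue

# Get-MpComputerStatus returns nothing when the Defender service is not running.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

# Registered antivirus products. Assumption: the root/SecurityCenter2 namespace
# exists (Windows client editions; it is absent on Windows Server).
$otherAv = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Where-Object { $_.displayName -notmatch 'Defender' } |
    ForEach-Object { $_.displayName })

$verdict = if ($disabledByPolicy) {
    'Turned off by policy (DisableAntiSpyware = 1); find the winning GPO with gpresult'
} elseif ($mp -and $mp.AMRunningMode -match 'Passive') {
    'Passive mode alongside a third-party antivirus'
} elseif ($mp -and $mp.AntivirusEnabled) {
    'Active'
} elseif ($otherAv.Count -gt 0) {
    'Automatically turned off; third-party antivirus is registered'
} else {
    'Not running and no policy or third-party antivirus found; review event IDs 5007 and 5010'
}

[pscustomobject]@{
    DisableAntiSpyware = if ($policy) { $policy.DisableAntiSpyware } else { 'not set' }
    ServiceStatus      = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'service not found' }
    RunningMode        = if ($mp) { $mp.AMRunningMode } else { 'unavailable' }
    OtherAntivirus     = $otherAv -join ', '
    Verdict            = $verdict
} | Format-List
```

The script only reads state; it does not change the policy value or any service start value.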

Turn Microsoft Defender Antivirus back on

Microsoft Defender Antivirus will automatically turn on if no other antivirus is currently active. You'll need to turn the third-party antivirus completely off to ensure Microsoft Defender Antivirus can run with full functionality.

Warning

Solutions suggesting that you edit the Windows Defender start values for wdboot, wdfilter, wdnisdrv, wdnissvc, and windefend in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services are unsupported, and may force you to re-image your system.

Passive mode is available if you start using Microsoft Defender for Endpoint and a third-party antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender to scan files and update itself, but it will not remediate threats. In addition, behavior monitoring via Real Time Protection is not available under passive mode, unless Endpoint data loss prevention (DLP) is deployed.

Another feature, known as limited periodic scanning, is available to end-users when Microsoft Defender Antivirus is set to automatically turn off. This feature allows Microsoft Defender Antivirus to scan files periodically alongside a third-party antivirus, using a limited number of detections.

Important

Limited periodic scanning is not recommended in enterprise environments. The detection, management and reporting capabilities available when running Microsoft Defender Antivirus in this mode are reduced as compared to active mode.
