Configure Workload Security and Windows Defender

Windows Defender is automatically installed on Microsoft Windows Server 2016 and later and on Windows 10 or newer. The Deep Security Anti-Malware (AM) module can support the passive mode of Windows Defender. However, this support requires specific versions of Windows Defender, of Windows Server or desktop, and of the Deep Security Agent (DSA):

  • Defender (AM) product / engine version:

    • AMProductVersion: 4.18.2202.4
    • AMEngineVersion: 1.1.18900.3

Currently these are the only versions that we have tested and support. Other versions have not been tested and we cannot guarantee compatibility.

  • Windows server and desktop versions:

    • Windows Server 2016 and above.
    • Windows 10 x64 RS5 and above.

Neither Windows 10 x86 nor Windows 10 Enterprise Virtual Desktop is supported.

  • Deep Security Agent:

    • DSA 20.0.0.4149 or later.

When you install Deep Security with the AM feature enabled on a Windows 10 or 11 desktop, Defender is automatically set to passive mode. On Windows Server, you need to re-enable the AM policy (disable, then enable) to let Defender enter passive mode.

Running both Windows Defender and DSA AM at the same time has a confirmed impact on machine performance.

If you turn off the DSA AM, either by deactivating or uninstalling it, this removes both the "DisableAntiSpyware" and the "ForceDefenderPassiveMode" registry keys in Microsoft Defender:
  • The "[DisableAntiSpyware](https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)" registry key specifies whether to disable Microsoft Defender Antivirus. Removing it removes the disable key, which enables Microsoft Defender Antivirus. You may have to manually enable Windows Defender Antivirus to ensure it is in active mode.
  • The "[ForceDefenderPassiveMode](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide)" registry key sets Microsoft Defender Antivirus to passive mode. When the key is removed, Microsoft Defender Antivirus is set to active mode.

Microsoft Defender application files for exclusion list for DSA

You have to add Microsoft Defender for Endpoint to the exclusion list for DSA. For more information, see "Make the switch from non-Microsoft endpoint protection to Microsoft Defender for Endpoint".

You can find the Defender antivirus executable files here:

%ProgramFiles%\Windows Defender\

%ProgramData%\Microsoft\Windows Defender\Platform\4.18.2201.10-0*\

The platform version number above might be different in your environment. For version information, see "Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware" on Microsoft Security Intelligence.

Deep Security agent folders and processes for Microsoft Defender exclusion list

Add Deep Security agent folders and processes to your Microsoft Defender exclusion list.

Folder:

C:\Program Files\Trend Micro\AMSP

C:\Program Files\Trend Micro\Deep Security Agent

Process:

C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe

C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe

C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe

C:\Program Files\Trend Micro\Deep Security Agent\Notifier.exe

Tamper protection

The Tamper protection setting of Defender must be set to off. We have found through testing that there are compatibility issues when Tamper protection is turned on.

Defender EDR Block mode for Endpoint

Do not enable Defender's EDR Block mode for Endpoint. Testing has shown that compatibility issues arise when EDR is turned on.
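
One way to audit a host against the version, passive mode, exclusion and Tamper protection requirements above, as an added example that is not part of the original page or of Trend Micro's tooling. It uses the built-in Defender cmdlets Get-MpComputerStatus, Get-MpPreference and Add-MpPreference; the -AddMissingExclusions switch and the variable names are assumptions of this example.

```powershell
# Added example: audit Microsoft Defender against the requirements on this page.
# Run elevated; Get-MpPreference hides exclusions from non-administrators.
param([switch]$AddMissingExclusions)   # hypothetical switch for this example

# Tested versions and DSA exclusion entries, copied from this page.
$TestedProduct = '4.18.2202.4'
$TestedEngine  = '1.1.18900.3'
$DsaFolders = @(
    'C:\Program Files\Trend Micro\AMSP',
    'C:\Program Files\Trend Micro\Deep Security Agent'
)
$DsaProcesses = @(
    'C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe',
    'C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe',
    'C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe',
    'C:\Program Files\Trend Micro\Deep Security Agent\Notifier.exe'
)

$status   = Get-MpComputerStatus
$pref     = Get-MpPreference
$findings = [System.Collections.Generic.List[string]]::new()

if ($status.AMProductVersion -ne $TestedProduct) {
    $findings.Add("AMProductVersion $($status.AMProductVersion) differs from tested $TestedProduct")
}
if ($status.AMEngineVersion -ne $TestedEngine) {
    $findings.Add("AMEngineVersion $($status.AMEngineVersion) differs from tested $TestedEngine")
}
# AMRunningMode is Normal, Passive, SxS Passive or EDR Block Mode.
if ($status.AMRunningMode -notmatch 'Passive') {
    $findings.Add("Defender is not in passive mode (AMRunningMode: $($status.AMRunningMode))")
}
if ($status.IsTamperProtected) {
    $findings.Add('Tamper protection is on; this page requires it to be off')
}

# -notcontains is case-insensitive and treats an empty exclusion list as "missing".
$missingPaths = @($DsaFolders   | Where-Object { $pref.ExclusionPath    -notcontains $_ })
$missingProcs = @($DsaProcesses | Where-Object { $pref.ExclusionProcess -notcontains $_ })
if ($AddMissingExclusions) {
    if ($missingPaths) { Add-MpPreference -ExclusionPath    $missingPaths }
    if ($missingProcs) { Add-MpPreference -ExclusionProcess $missingProcs }
} else {
    foreach ($m in $missingPaths + $missingProcs) { $findings.Add("Missing Defender exclusion: $m") }
}

if ($findings.Count) { $findings } else { 'Defender settings match the requirements checked here.' }
```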