07-05-2023 03:21 PM - edited 07-05-2023 03:57 PM
Palo Alto docs say this:
The Cortex XDR agent registers with the Windows Security Center as an official Antivirus (AV) software product. As a result, Windows shuts down Microsoft Defender on the endpoint automatically, except for endpoints that are running Windows Server versions. To avoid performance issues, Palo Alto Networks recommends that you disable or remove Windows Defender from endpoints that are running Windows Server versions and where the Cortex XDR agent is installed.
The question is, why (doesn't or can't Palo Alto shut down or disable Defender in Windows Server - or integrate itself as a "provider" in "security center")? Is this a Windows Server limitation or "feature"?
Also, what is the best way to automate the process of disabling Windows Defender on Windows Server instances where Cortex XDR is actively protecting the system? (Some sort of a PS script crawling AD, checking if Cortex XDR is active and if so, set Defender to "passive" or "disabled"?)
Thanks!
P.S. This question stems from another discussion here.
P.P.S. Non-server Windows editions are unaffected: managing security providers is an option in "security center", for Windows Defender and Cortex XDR, with Windows Defender disabled ("passive") after Cortex XDR installation.
07-05-2023 08:28 PM - edited 07-05-2023 08:29 PM
Hi @kindzma
Thank you for writing to the LIVEcommunity!
Regarding your query above, "why (doesn't or can't Palo Alto shut down or disable Defender in Windows Server - or integrate itself as a "provider" in "security center")? Is this a Windows Server limitation or "feature"?": This is because of how MS works in the case of servers. Therefore, we recommend setting Defender to Passive mode, and this would need to be performed by the server admin.
See the relevant excerpt from the Microsoft Documentation below,
MS Doc for reference and to disable Windows Defender: Link
Hope this helps!
Please mark the response as "Accept as Solution" if it answers your query.
Regards.
07-06-2023 08:56 AM
Got it (I think): Palo Alto does not disable, uninstall or set Defender to passive mode because... Microsoft doesn't do it. Does that sound right?
If Microsoft doesn't do it, could Palo Alto help? Give admins the option to set Defender to passive mode during install or later from a central management point?
If Palo Alto can't (or chose not to): what are good options to automate the process of setting Defender to passive mode on all servers across multiple sites in an organization where XDR is active? (It's not all of them.)
Finally, what about "security providers"? The fact that I can't even navigate to "security providers" in "Windows Security" app on Windows Server - is that on Microsoft side?
P.S. I totally get that Palo Alto can't be held responsible for everything Microsoft does, or doesn't do - yet if XDR is branded as a "cohesive, mature solution" - could Palo Alto at least cohesively explain the shortcomings of the solution especially that it potentially carries severe performance penalties - like in our case?
P.S. "Just uninstall it" may be a valid fix for a couple of servers - but not for an organization with a large number of servers across multiple sites. We'd need an automated way to check that there is an active and fully patched and updated XDR agent that is not Defender, and only then set Defender into an appropriate mode, and then run this check routinely.
07-07-2023 03:09 AM
Hi @kindzma ,
One of the stark differences that we have in Windows Server OSs is that Microsoft decided to revoke the API for Windows Server that allowed any security vendor to report the presence of our Antivirus, which would cause Windows to automatically disable Windows Defender. Therefore, we cannot turn off Defender during installation, and it will need to be disabled either manually on the device or via Group Policy Object.
On your point of being branded as Cohesive Mature Solution, we are indeed a leader in the AV comparatives chart and also amongst the leading solutions on Gartner because of the value we provide in terms of security as solution. We are not designed as a product for IT Infrastructure management, though we are highly capable of doing many of the operations within the box of security platform.
Upon your query of having a fully patched XDR agent version running the latest and greatest XDR agent definitely comes under the highest possible and valuable scope of Cortex XDR and we have various mechanisms and methods to leverage the features of Cortex XDR to help you get the information you need to ensure the proper balance between Confidentiality, Integrity and Availability.
The Cortex XDR itself gives you the capability to run PowerShell, which could be run on your servers on an extensive level to disable MS Defender, though we do not endorse it if Microsoft decides to treat this as behaviourally suspicious and block the attempts. I am sure you are using Cortex XDR in your environment and you would really find it exciting to explore the functions we provide using live terminal and script executions as a use case for handling many of your daily IT operation functions as well (though essentially, disabling MS Defender would not be one of them. We are still a security product and not SCCM) 🙂
Hope this helps!
07-07-2023 08:14 AM - edited 07-07-2023 08:16 AM
Therefore, we cannot turn off Defender during installation, and it will need to be disabled either manually on the device or via Group Policy Object.
(We can argue all day that Microsoft is to blame for this - is that the right approach? What I saw in PAN KB was that XDR does not disable Defender on Win Servers after installation - w/o explanation why, and without anything remotely approaching "hey, let's help you with that or at least point you in the right direction where it wouldn't take you 2 weeks of sifting through docs to understand what to do". Is that the right approach?)
The question below remains unanswered. GPOs would disable Defender across a chunk of infra but wouldn't ensure the entire chunk runs XDR - i.e. a security risk.
what are good options to automate the process of setting Defender to passive mode on all servers across multiple sites in an organization where XDR is active? (It's not all of them.)
Only PAN knows what nodes have a fully functioning XDR - AD doesn't. So GPO is not a safe way to deal with the issue. Could PAN at least flag nodes that have both XDR and Defender running? If it can't - explain why and provide tools to do so? If it chooses not to - explain why, so that existing and potential customers can make their own educated choice whether to buy or keep paying for XDR?
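The requirement stated twice in this thread (check that a working XDR agent is present, and only then move Defender to passive mode, on a routine basis) can be scripted without trusting AD group membership alone. The following PowerShell is an added example written for this thread; it is not code from Palo Alto Networks, Microsoft, or any poster. It assumes the Cortex XDR agent's Windows service is named `cyserver` (verify this with `Get-Service` on a known-good host before relying on it), that the account running it has WinRM access to the servers, and that the ActiveDirectory module is available. `ForceDefenderPassiveMode` is the registry value Microsoft documents for putting Defender Antivirus into passive mode on Windows Server; `Get-MpComputerStatus` and its `AMRunningMode` property are real Defender cmdlet output.

```powershell
# Added example (not from the thread, Palo Alto Networks, or Microsoft).
# Enumerates server computers from AD and, on each one, sets Microsoft Defender
# Antivirus to passive mode ONLY when a running Cortex XDR agent service is found.
# Servers without a running agent are reported, never touched, so Defender stays
# active there (the risk raised in the thread about a blanket GPO).
# Run with -WhatIf first to get a report without changing anything.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase     = (Get-ADDomain).DistinguishedName, # assumption: scan the whole domain
    [string]$XdrServiceName = 'cyserver',                       # assumption: Cortex XDR agent service name
    [string]$ReportPath     = '.\defender-xdr-report.csv'
)

# Runs ON each server. Returns a status object; only changes state when
# $Apply is $true AND the XDR service is actually running AND Defender is active.
$remoteCheck = {
    param([string]$ServiceName, [bool]$Apply)

    $svc        = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $xdrRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # Get-MpComputerStatus throws where the Windows-Defender feature has been removed.
    $mp = $null
    try { $mp = Get-MpComputerStatus -ErrorAction Stop } catch { }
    $defenderMode = if ($mp) { $mp.AMRunningMode } else { 'NotInstalled' }
    $realtimeOn   = if ($mp) { $mp.RealTimeProtectionEnabled } else { $false }

    $action = 'none'
    if ($xdrRunning -and $mp -and $defenderMode -eq 'Normal') {
        # Both engines active at once: the overlap the thread is about.
        $action = 'needs-passive'
        if ($Apply) {
            $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name 'ForceDefenderPassiveMode' `
                -Value 1 -PropertyType DWORD -Force | Out-Null
            $action = 'set-passive'
        }
    } elseif (-not $xdrRunning -and $defenderMode -ne 'Normal') {
        # No XDR agent and Defender not in its normal (active) mode: flag loudly.
        $action = 'UNPROTECTED'
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        XdrRunning   = $xdrRunning
        DefenderMode = $defenderMode
        RealTime     = $realtimeOn
        Action       = $action
    }
}

# Server-class, enabled computer objects only; workstations manage this via Security Center.
$servers = Get-ADComputer -SearchBase $SearchBase -Properties OperatingSystem `
    -Filter { OperatingSystem -like '*Server*' -and Enabled -eq $true } |
    Select-Object -ExpandProperty DNSHostName

# Honour -WhatIf / -Confirm: decide once whether this run may change anything.
$apply = $PSCmdlet.ShouldProcess("servers under $SearchBase",
    'Set Defender to passive mode where Cortex XDR is running')

$results = foreach ($server in $servers) {
    try {
        Invoke-Command -ComputerName $server -ScriptBlock $remoteCheck `
            -ArgumentList $XdrServiceName, $apply -ErrorAction Stop
    } catch {
        # Unreachable hosts are part of the report too; silence here would hide gaps.
        [pscustomobject]@{ Computer = $server; XdrRunning = $null
                           DefenderMode = 'UNREACHABLE'; RealTime = $null
                           Action = $_.Exception.Message }
    }
}

$results | Sort-Object Action, Computer | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Where-Object Action -in 'needs-passive', 'set-passive', 'UNPROTECTED' |
    Format-Table Computer, XdrRunning, DefenderMode, Action -AutoSize
```

Schedule it so the check runs routinely rather than once: a host that later loses its agent shows up as `UNPROTECTED` on the next run, and a freshly built server where XDR is running but Defender is still `Normal` shows up as `needs-passive` until the change is applied. Passive mode on Windows Server is documented by Microsoft in the context of Defender for Endpoint, and the mode change may not be reflected in `AMRunningMode` until the Defender service restarts, so treat the next run's report as the confirmation rather than the write itself. The script deliberately never removes the Windows-Defender feature; that is a separate, irreversible step the thread mentions only as "just uninstall it".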
07-07-2023 01:56 PM - edited 07-07-2023 02:12 PM
Hi @kindzma ,
To close the loop on this discussion or argument here, as this is a public forum.
The documentation is an area of continuous improvement and we bring out different updates from time to time. There can be a possibility of fulfilment of an unrealistic expectation, but to add intrinsics of an OS in an administrator guide if it is not related to the product.
The same question cited could be rephrased to the other vendor as to why any third party security vendor is not able to disable your AV solution from the other OEM wants to?
Or it could be a Google Chrome browser application crashing, so Microsoft cannot be reached for that stating that it was installed on Windows OS and hence Microsoft should suggest steps on how to fix this.
Please understand that Palo Alto Networks is a platform provider solution for Cortex XDR. We provide elements which should be part of our installation steps and areas of metrics which should be working in a compatible format and which don't (which is provided in the link below). Security vendors do not endorse the intrinsics of the product other than their own. If the customer stakeholder or admin has installed the previous product, it is assumed and expected that the person working on XDR would actually go through the base level enablement or would have attended the PoC to understand the functioning and intrinsics of the Cortex XDR agent. Nonetheless, the knowledge of intrinsics of the solution he/she is working on to replace.
If the question is what nodes are running which should be monitored in XDR, there are hundreds of discussions on the same topic on this forum, and we have our services and support which can also provide the same info.
Agreeing well to your question on security, whether all the endpoints would have XDR enabled and ensuring that Defender is not disabled on all the endpoints without an XDR agent on them is an easily trackable feature set. We are talking of servers where the inventory would be well established and correlated if all the servers are deployed with the XDR agent before deploying GPO or SCCM or any mechanism to disable or move Defender to passive mode. Also, organisations follow a phased rollout, so GPO can be targeted accordingly. Cortex XDR can also perform asset discovery (if configured well and with all capabilities) to provide a list of managed vs unmanaged assets, which can tell which endpoints do not have the XDR agent installed. (Can MS Defender do this?)
Lastly, to respond to your questions, which can argumentatively be two-ended and reversely asked:
Cortex XDR, if not running properly, will actually be visible and is also trackable, in the form of reports, dashboards, running processes, connections and a lot more. Finally, there are definitely customers who are educated enough to assess and evaluate why to choose Cortex XDR. All of our customers across the globe are a witness to it.
Hope this helps