no Cortex XDR integration in "security providers" in "security center" in Windows Server?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

no Cortex XDR integration in "security providers" in "security center" in Windows Server?

L2 Linker

Palo Alto docs say this:

 

The Cortex XDR agent registers with the Windows Security Center as an official Antivirus (AV) software product. As a result, Windows shuts down Microsoft Defender on the endpoint automatically, except for endpoints that are running Windows Server versions. To avoid performance issues, Palo Alto Networks recommends that you disable or remove Windows Defender from endpoints that are running Windows Server versions and where the Cortex XDR agent is installed.

 

The question is, why (doesn't or can't Palo Alto shut down or disable Defender in Windows Server - or integrate itself as a "provider" in "security center")? Is this a Windows Server limitation or "feature"?

 

Also, what is the best way to automate the process of disabling Windows Defender on Windows Server instances where Cortex XDR is actively protecting the system? (Some sort of a PS script crawling AD, checking if Cortex XDR is active and if so, set Defender to "passive" or "disabled"?)

 

Thanks!

 

P.S. This question stems from another discussion here.

P.P.S. Non-server Windows editions are unaffected: managing security providers is an option in "security center", for Windows Defender and Cortex XDR, with Windows Defender disabled ("passive") after Cortex XDR installation.

5 REPLIES 5

L4 Transporter

Hi @kindzma 

Thank you for writing to live community!

 

Regarding your query above " why (doesn't or can't Palo Alto shut down or disable Defender in Windows Server - or integrate itself as a "provider" in "security center")? Is this a Windows Server limitation or "feature"?"  This is because of how MS works in case of servers. Therefore, we recommend setting defender to Passive mode and this would need to be performed by the server admin. 

See the relevant excerpt from the Microsoft Documentation below,

  • On Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016, or Windows Server 2012 R2, Microsoft Defender Antivirus doesn't enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, set Microsoft Defender Antivirus to passive mode to prevent problems caused by having multiple antivirus products installed on a server.

MS Doc for reference and to disable windows defender: Link

Hope this helps!

Please mark the response as "Accept as Solution" if it answers your query.


Regards.

Got it (I think): Palo Alto does not disable, uninstall or set Defender to passive mode because... Microsoft doesn't do it. Does that sound right?

 

If Microsoft doesn't do it, could Palo Alto help? Give admins the option to set Defender to passive mode during install or later from a central management point?

 

If Palo Alto can't (or chose not to): what are good options to automate the process of setting Defender to passive mode on all servers across multiple sites in an organization where XDR is active? (It's not all of them.)

 

Finally, what about "security providers"? The fact that I can't even navigate to "security providers" in "Windows Security" app on Windows Server - is that on Microsoft side?

 

P.S. I totally get that Palo Alto can't be held responsible for everything Microsoft does, or doesn't do - yet if XDR is branded as a "cohesive, mature solution" - could Palo Alto at least cohesively explain the shortcomings of the solution especially that it potentially carries severe performance penalties - like in our case?

 

P.S. "Just uninstall it" may be a valid fix for a couple of servers - but not for an organization with a large number of servers across multiple sites. We'd need an automated way to check that there is an active and fully patched and updated XDR agent that is not Defender, and only then set Defender into an appropriate mode, and then run this check routinely.

Hi @kindzma ,

 

One of the stark differences that we have in Windows Server OSs is that Microsoft decided to revoke the API for Windows Server that allowed any security vendor to report the presence of our Antivirus, which would cause Windows to automatically disable Windows Defender. Therefore, we cannot turn off Defender during installation, and it will need to be disabled either manually on the device or via Group Policy Object.

 

On your point of being branded as Cohesive Mature Solution, we are indeed a leader in the AV comparatives chart and also amongst the leading solutions on Gartner because of the value we provide in terms of security as solution. We are not designed as a product for IT Infrastructure management, though we are highly capable of doing many of the operations within the box of security platform.

 

Upon your query of having a fully patched XDR agent version running the latest and greatest XDR agent definitely comes under the highest possible and valuable scope of Cortex XDR and we have various mechanisms and methods to leverage the features of Cortex XDR to help you get the information you need to ensure the proper balance between Confidentiality, Integrity and Availability. 

 

The cortex XDR itself gives you the capability run powershell which could be run on your servers on an extensive level to disable MS Defender, though we do not endorse it if Microsoft decides to treat this behaviourally suspicious and block the attempts. I am sure you are using Cortex XDR in your environment and you would really find it exciting to explore the functions we provide using live terminal and script executions as a use case for handling many of your daily IT operation functions as well(though essentially, disabling MS defender would not be one of them. We are still a security product and not SCCM) 🙂

 

 

Hope this helps!

Therefore, we cannot turn off Defender during installation, and it will need to be disabled either manually on the device or via Group Policy Object.
  • Does PAN notify admins of this issue during installation?
  • After installation?
  • In the dashboard?
  • Provides clear and concise instructions on how to gracefully and safely disable Defender? (As not doing this carries service failure risks. Or, "this is Microsoft's fault"? Or, "it's up to the admin - they should know this kind of stuff"?)

 

(We can argue all day that Microsoft is to blame for this - is that the right approach? What I saw in PAN KB was that XDR does not disable Defender on Win Servers after installation - w/o explanation why, and without anything remotely approaching "hey, let's help you with that or at least point you in the right direction where it wouldn't take you 2 weeks of sifting through docs to understand what to do". Is that the right approach?)

 

The question below remains unanswered. GPOs would disable Defender across a chunk of infra but wouldn't ensure the entire chunk runs XDR - i.e. a security risk.

 


what are good options to automate the process of setting Defender to passive mode on all servers across multiple sites in an organization where XDR is active? (It's not all of them.)

 

Only PAN knows what nodes have a fully functioning XDR - AD doesn't. So GPO is not a safe way to deal with the issue. Could PAN at least flag nodes that have both XDR and Defender running? If it can't - explain why and provide tools to do so? If it chooses not to - explain why so that existing and potential customer can make their own educated choice whether to buy or keep paying for XDR?

Hi @kindzma ,

 

To close all the loop to this discussion or argument here as this is a public forum.

neelrohit_0-1688760784338.png

The documentation is an area of continuous improvement and we bring out different updates from time to time. There can be a possibility of fulfilment of an unrealistic expectation, but to add intrinsics of an OS in an administrator guide if it is not related to the product.

 

The same question cited could be rephrased to the other vendor as to why any third party security vendor is not able to disable your AV solution from the other OEM wants to?

Or could be a google chrome browser application crashing, so Microsoft cannot be reached for that stating that it was installed on Windows OS and hence Microsoft should suggest steps on how to fix this.

 

Please understand that Palo Alto Networks is a platform provider solution for Cortex XDR. We provide elements which should be part of our installation steps and areas of metrics which should be working in a compatible format and which don't(which is provided in the link below). Security vendors do not endorse the intrinsics of the product other than their own. If the customer stakeholder of admin has installed the previous product, it is assumed and expected that the person working on XDR would actually go through the base level enablement or would have attended the PoC to understand the functioning and intrinsics of the Cortex XDR agent. Nonetheless, the knowledge of intrinsics of the solution he/she is working on to replace. 

 

If the question is to what nodes are running which should be monitored in XDR, there are 100s of discussion on the same page on this forum and we have our services and support which can also provide the same info. 

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Compatibility-Matrix/Cortex-XDR-and...

 

Agreeing well to your question on security whether all the endpoints would have XDR enabled and ensure that Defender is not disabled on all the endpoints without XDR agent on them, is an easily trackable feature set. We are talking of servers where the inventory would be well established and correlated if all the servers are deployed with XDR agent before deploying GPO or SCCM or any mechanism to disable or move defender to passive mode. Also organisations follow a phased rollout so GPO can be targetted accordingly. Cortex XDR can also perform asset discovery(if configured well and with all capabilities) to provide a list of managed vs unmanaged assets which can tell which endpoints do not have XDR agent installed? (Can MS Defender do this?)

 

Lastly to respond to your questions, which can argumentatively be two ended and reversely asked : 

  • Does PAN notify admins of this issue during installation?: The admin guide says it. If it happens, you would still not be able to see the Cortex XDR solution registered to Windows Security Center. Leaving compatibility performances aside as it can be subjective. 
    Reversed Question: Does Microsoft notify the same on server OS?
  • After installation?: No, we don't and we don't need to. Customers can choose to keep the configurations disabled in Cortex XDR and that cannot be questioned as it is their choice unless to disable it or move the defender to passive mode.
    Reversed Question: Does microsoft notify or give a popup after installation of third party product if it is running and not registered to security center?
  • In the dashboard?: You can create one. Despite the fact, we are not a solution to endorse and graph running status for other applications. We however have the capability to list the set of installed apps on the endpoints and that can show the presence of Defender if it is installed on the endpoint or not. Which also can be customised in the dashboard. We also have scripts execution capability to fetch the reports and data to see if MS defender exists, what is its running status(Get-MpComputerStatus).
    Reversed Question: Can MS defender show Cortex XDR agent running status on dashboard or report? Anything at all?
  • Provides clear and concise instructions on how to gracefully and safely disable Defender? (As not doing this carries service failure risks. Or, "this is Microsoft's fault"? Or, "it's up to the admin - they should know this kind of stuff"?): Microsoft's question. We still are answering you here with GPO and powershell. If asked nicely and internally, possibly even give commands to try and test(extending the scope of Palo Alto Networks' expertise boundary).
     Reversed Question: Does Microsoft provide a detailed KB on how to uninstall or disable Cortex XDR agent or any third party solution? 

Lastly, Cortex XDR if not running properly will actually be visible and is also trackable. In form or reports, dashboards, running processes, connections and a lot. Finally, definitely there are customers who are educated enough to assess and evaluate why to choose Cortex XDR. All of our customers across the globe are a witness to it. 

 

Hope this helps

  • 2272 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!