[Off Topic] Question on Antimalware Policy in SCCM

Hello everyone!

I’m not sure if this is an SCCM question or not, but since I changed SCCM, I decided I’d ask -

SEP 14.3 is now installed on our workstations, and Microsoft Defender is set to passive mode because SEP is the primary antivirus.

In Assets and Compliance > Endpoint Protection > Antimalware Policy > Default Client Antimalware, I changed the Antimalware Policy.

I scheduled a complete scan for every Saturday at 2 a.m., as well as a daily fast scan at 5 p.m.
If SEP is installed on the PCs, would these scans continue run, or will they not because Defender is in passive mode? Thanks! No other information is available on this other than the Defender Security Center, and I’d want to tell my management team that we are utilising Defender as a backup for SEP, especially in light of all the new malware threats that have emerged in these last few weeks.

We are still on ePO5.10 right now but we will be upgrading to SCCM as soon as we finish building out the new data center.

Currently with ePO 5.10/HBSS, Defender gets disabled because VSE takes control. When VSE/HIPS are disabled or uninstalled, Defender is then turned on as well as the MS Windows Firewall.

You should be able to get a correct answer by logging onto the DISA site, but I would say that SEP would still be monitoring. The difference between a scan and it monitoring is that the scan is looking for signatures in everything. When it is monitoring, it is looking for things in flight as they happen. It could be that it is using Defender as an eventing system to then intercept and intervene if something is found.

The question then is, “Are these machines on a internet accessible network?” You don’t say if this is a DoD network or a civilian network, but if it is public internet accesible/facing, you should have other things in place besides SEP.

I don’t think you are talking about what I think you are. The gov’t and their acronyms. Disregard the above, unless it is actually relevant to what you are using. My guess is that you are talking about Microsoft SCCM.

This topic was automatically closed 273 days after the last reply. New replies are no longer allowed.