Need to hide or remove Microsoft Security Essentials system tray icon or turn the red icon green

I know how to customize the system tray so I don't need any of those answers.

I have to disable Real Time Scanning in MSE which causes the icon to go red and tell everybody that it is not secure.

I need to hide that red icon or even figure out how to turn it green.  We are running Bit9 Security Software and it requires first dibs on all files therefore MSE Real Time must be turned off.  However, we would like a daily virus scan.

It's all about politics with upper management...they don't like seeing the red icon.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ryan ChongBusiness Systems Analyst , ex-Senior Application EngineerCommented:
have a read for the instructions stated in this article:

Turn Windows Defender real-time protection on or off

Get free virus protection with Microsoft Security Essentials

if you have the administrator rights, you should able to make the changes.
rand1964Author Commented:
This is precisely what I said I didn't need...this in no way answers my questions nor is it the solution.

I know how to turn off Real Time Protection.  To clarify, I am looking for how to get rid of that annoying Red icon that keeps telling me my system is unsecure because I don't have Real Time protection turned on.
Ryan ChongBusiness Systems Analyst , ex-Senior Application EngineerCommented:
Virus Depot: Cyber Crime Becomes Big Business

The rising threat of malware-as-a-service is not one to be overlooked. Malware-as-a-service is growing and easily purchased from a full-service cyber-criminal store in a “Virus Depot” fashion. View our webinar recording to learn how to best defend against these attacks!

Hi rand1964.  I saw your question yesterday and immediately understood what you were asking, but wasn't able to post a comment at the time.  It puzzles me why your question seems to have been so hard to understand.

I tend to agree with your management's dislike for the red icon.  Red is a warning and peoples' attention will be drawn to it repeatedly until they condition themselves to ignore it.  Having been conditioned into ignoring this red warning, they may also be conditioned into ignoring other important warnings.

I don't think there is any realistic way of making the green Microsoft Security Essentials (MSE) icon in the System Tray / Notification Area remain green when Real-Time Protection is disabled and the application's status is being notified as "Potentially Unprotected".  There MIGHT be a registry value that can be added, or an existing one modified, but to this end I would be googling just the same as you would be.

I have been thinking about the issue which a lot of people complained about when Windows XP came to the end of its support life and Microsoft extended the life of MSE on that platform.  Microsoft's last version of MSE that was made available for Windows XP from Windows Update ( - KB2949787) changed the System Tray icon and program window to continuously show as a light brown or amber colour, but (as far as I recall) malware detections still changed the icon and program window to red to warn the user.  This last version coincided with Hotfix KB2934207 which ran "C:\Windows\System32\xp_eos.exe" (XP End Of Support) from startup.  This showed the XP EOS message within the MSE program window and an annoying popup from the system tray.

I have been looking at the executables, support files, registry settings, etc to see how these tied together with a view to replicating the continually amber state, but in green instead.  Unfortunately on the XP computer I am using to examine the files I had bumped the MSE version back to the previous one that didn't change the System Tray icon colour, or else I did some other hack such as changing the new "EndOfLifeState" value in the registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware]
from  dword:00000001  to  dword:00000000
I cannot figure out how Microsoft deliberately changed the colour of the icons and program window, but it is probably a safe bet to assume that it was hard-coded into an EXE or DLL for that version only.

I only have a Windows 7 computer at my disposal, but it doesn't have MSE installed.  The only computer I have that still has MSE on it, and with which I can tinker, is a Windows XP one.  My findings are based on the installed files for a version of MSE that may now have been changed quite radically for Windows 7, 8, 8.1, and 10.

I found some interesting lines within the <FEATURES> tag in the XML content of the file.
C:\Program Files\Microsoft Security Client\EppManifest.dll
I have only shown the lines that seem to be most relevant to the issue:

<!--Setting host pannel-->
<Feature name="EnableSettingRTP"    value="1" />
<Feature name="EnableSettingAdmin"     value="0" />

<!--RTP settings pannel-->
<Feature name="ShowRTPOptions"    value="0" />

<!--Status pannel-->
<Feature name="ShowRtpStatus"    value="1" />
<Feature name="ShowRedOnRtpOff"    value="1" />

<!--Systray icon and toasts-->
<Feature name="ShowSysTrayIcon"    value="1" />
<Feature name="ShowNotificationToast"    value="1" />

It is notable that this DLL contains the green, amber, and red icons that would display in the System Tray.

Ignoring the misspelled "pannel", clearly these lines in the XML content relate to whether certain features are available, and dictate certain behaviour.  A value of "0" presumably means "no", and "1" means "yes", as is normal with most configuration files including the registry.  This version is the free one for home use, so it is no surprise that "EnableSettingAdmin" and "ShowRTPOptions" (RTP being Real Time Protection) would be disabled.

The most interesting setting in the above selection of lines is:
<Feature name="ShowRedOnRtpOff"    value="1" />
it is reasonable to assume that "Show Red On Real-Time Protection Being Off" being set to "No" with a "0" would allow the System Tray icon to remain green and disregard this "unprotected" status, but this XML content is hard-coded into a DLL file.

The "ShowNotificationToast" value seems to refer to the colour schemes that appear further down in the XML data in Eppmanifest.dll.  I am not sure whether "Toast" is some computer programmer geek speak for a particular event and announcement, or whether it refers to the light brown / amber colour used to inform the user that definition files are out of date, etc.  I can see lines in the colour schemes like this:
<BrandedColor name="CUSTOM_COLOR_TOAST_BANNER_RED_MIDDLE_TOP"       r="156" g="40"  b="39"/>
which contrasts with other lines like:
<BrandedColor name="CUSTOM_COLOR_THREAT_ITEM_BACKGROUND_RED"        r="250" g="231" b="224"/>
Every component of the application's user interface is defined, and clearly there is a difference between the normal state, the "threat" state, and whatever state "Toast" refers to.

I have been able to view the internal contents of "EppManifest.dll" using a resource hacking utility that would allow me to modify any of these values (or even substitute the red icons for green ones), but I would first have to stop the "Microsoft Antimalware Service" (C:\Program Files\Microsoft Security Client\MsMpEng.exe) and restart it again after I modified the file and resaved it.  Microsoft Security Essentials may have its own anti-tamper functionality that reinstates backups where it detects tat files have been modified.  Additionally, any future updates of the application would probably overwrite the modified DLL with a new and more recent one, so you would have to keep modifying this DLL.

What I am wondering is whether any of these settings in the DLL file's internal content can be used as new Registry values that override those in the DLL.  For example, something like:
placed in the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Features
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Real-Time Protection

I will have to experiment to some extent and see what I can discover, but in the end I have a feeling that all of these settings will be hard-coded into the program's files.
rand1964Author Commented:
Antivirus is pretty much obsolete on a system like ours...the only thing it is used for is for the stupid stuff.  Application whitelisting is where it is all going to...we are using that.  MSE is free...if I can't find a way to make the annoying red icon go away, I will find something else or just lock down the Bit9 so freaking hard nothing will ever execute on it.
Just thought somebody here on EE would know the answer.  

I guess not.
rand1964Author Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for rand1964's comment #a40953526

for the following reason:

Nobody has the answer, I'll close this and move along.
Clearly Microsoft did not give users a way to turn this "feature" off.  It is by design that an anti-malware application should notify a user that it isn't functioning fully, as intended.  That does not mean that "nobody has the answer".  Sometimes the answer IS "no, it can't be done", or at least not without digging deep where ordinary users shouldn't really be digging.  That is precisely how "undocumented" tweaks are discovered and published.

Did you try Googling for an answer?  You probably did, but found nothing.

I dug deep and found out exactly where the particular behaviour is dictated:

Internal XML resource. (Line 58 of 225 in file version 4.4.0304.0.  May differ for more recent DLL versions):
<Feature name="ShowRedOnRtpOff"    value="1" />

I have since found that "ShowRedOnRtpOff" is in one of the import or export tables of "msseces.exe" (the User Interface executable), so I assume that the EXE queries the DLL for this value when launched.

I also killed off MSE, modified the values inside the DLL file, and restarted MSE, but it obviously detected that one of its components had been modified and failed to launch with an error message.

I was going to dig a little deeper to see if that value could be translated into a registry value rather than modifying a DLL but, given the flippancy of your closure request some 16 hours after I posted, I don't think I will waste any more of my time.  Some of us have to sleep in between posting comments in our own time and for free.  It seems clear to me that you couldn't be bothered reading my comment.

So, I object to your proposal.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
rand1964Author Commented:
Your answer is not a solution.   Take the points.
rand1964Author Commented:
Clearly Microsoft did not give users a way to turn this "feature" off
Thank you thermoduric.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.