cmp119 (United States) asked:
Windows Server 2016 Standard and Windows Defender

I am having problems with a new Windows Server 2016 VM.  This server is a print/internal web server.  I have Webroot installed on this computer and I also noticed Windows Defender is active as well.  I have noticed several things that are odd.  For instance, I have a hosted app on this machine that will launch but immediately closes after entering the username and password.  However, on the same machine I installed Firefox and it works fine.  The software provider for this app indicates a 405 error is occurring with IE.  I have the app defined as a trusted site too.  So for now I am using Firefox to log on to the app.

We also use Quorum OnQ to back up our hosts.  Since this server has 1.5 million files, it took a little while for the initial backup, which is normal.  However, subsequent backups take 5 to 6 hours because it has to scan each file to see if changes were made in order to back them up or not.  So, I enabled QFiltering for this server since this feature will build a database of all the files so that it does not need to scan all files.  Once I enabled QFilter, Windows will not allow the QFilter service to start (Event ID 7000, Service Control Manager with error: "Windows cannot verify the digital signature of this file...").  Also, the QFilter service uses SquirtCopy.

So in order to get a backup of this critical server, I disabled QFilter and the backup ran last night.  It took about 6 hours to complete.  Early this morning around 5:40am I remotely checked to see if the backup had completed.  It completed, but the server was responding sluggishly.  While I was in the event viewer and using Windows Explorer to view a couple of other files, the server crashed.  It was not responsive and displayed a black screen.  The event viewer did not have any errors for this bad shutdown.  I had to shut down the VM and bring it back up again.  It's been running since then.  I disabled backups for now.

I am thinking Windows Defender is blocking apps, etc.  I want to disable it, but cannot seem to do it.  I tried to remove the role via the wizard, and the check boxes for Windows Defender are all grayed out.  First, I just wanted to disable it, but it won't disable and automatically enables itself after disabling.  So now I am trying to remove it altogether but can't, since I cannot uncheck it to remove it.

This server is now in production, so I need to be real careful, etc.  Any ideas?

McKnife (Germany) replied:
You can use GPOs to disable it: computer config - administrative templates - windows components - windows defender.
cmp119 (asker):
Can I do this from the server itself using Local Security Policy?  The reason why I ask is because I do not see computer config, etc within Local Security Policy.
McKnife:

You do have computer configuration as one of the 2 top branches in local gpedit.msc - please look again.
cmp119 (asker):
I totally forgot about gpedit.msc.  So I see the branches now, and I notice within Computer Config\Windows Components\Windows Defender, I can see a setting "Turn Off Windows Defender".  Is this the only setting I need to enable to disable Windows Defender, or are there other settings that need to be changed as well?  Also, once disabled within Group Policy, I presume a server reboot will be necessary for the change to take effect, won't it?  It probably does, just thought I'd ask to confirm.  Thanks.

McKnife:

That's the only setting. A simple gpupdate afterwards will make it active, no reboot needed.
cmp119 (asker):
I see a bunch of settings within Real-time Protection like "Turn off real-time protection", "Turn off behavior monitoring", etc.  I just want to know if the setting "Turn off Windows Defender" will also disable everything else or not.
ASKER CERTIFIED SOLUTION
McKnife (Germany)

This solution is only available to members.
cmp119 (asker):
Okay I did this.  I noticed the WinDefend service is stopped without the need of a server reboot.
SOLUTION

This solution is only available to members.
cmp119 (asker):
I saw an article about enabling/disabling Defender via PowerShell.  I felt that simply took care of the interface itself and did not completely disable it.  I went over the gpedit settings mentioned above, and I noticed it was recommended to disable "Allow antimalware service to remain running always".  It appears by default it's set to "Not Configured".  The explanation for this policy states that if it's "Not Configured" or "Disabled" the antimalware service will be stopped when both antivirus and antispyware definitions are disabled...  I went ahead and disabled it anyway.  Just thought I'd mention it.
cmp119 (asker):
I discovered the problem was not with Windows Defender or the Webroot antivirus software; it was having "Secure Boot" enabled on the VM itself.  After disabling this option, everything started working as far as Quorum's QFilter process.  So now I wanted to re-enable Windows Defender by resetting the above-mentioned group policy settings back to the way they were (Not Configured).  I even rebooted the server, and the "Windows Defender Service" is still not running.  The start type for this service is set to Manual, and I cannot change it or start the service since "Startup Type" is grayed out, and if I try to start the service I get:

Windows could not start the Windows Defender Service on Local Computer.  Error 577:  Windows cannot verify the digital signature for this file.  A recent hardware or software change might have installed a file that is signed incorrectly or damaged,...
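The following PowerShell script is an added example and was not posted by anyone in this thread. It covers two points raised above: confirming what the "Turn Off Windows Defender" policy plus gpupdate actually changed (the policy registry value, the WinDefend service and the engine's own status), and narrowing down an Error 577 / "cannot verify the digital signature" start failure by checking the Secure Boot state, the Authenticode signature of the image behind a service or driver, and the Service Control Manager 7000 events. The cmdlets, the `WinDefend` service name, the policy key path and event ID 7000 are real; `$SuspectService` is a placeholder to be replaced with the service name shown in the 7000 event. Run it in an elevated PowerShell 5.1 session.

```powershell
# Added diagnostic example (not from this thread).  Run from an elevated
# PowerShell 5.1 session on the server.  $SuspectService is a placeholder for
# whichever service the Event ID 7000 entry names (e.g. the backup filter).
$SuspectService = 'PLACEHOLDER_SERVICE_NAME'   # replace with the name from the 7000 event

function Get-DefenderPolicyState {
    # gpedit "Turn Off Windows Defender" = Enabled writes DisableAntiSpyware=1
    # under this key; setting it back to "Not Configured" removes the value.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisableAntiSpyware
    [pscustomobject]@{
        PolicyKeyPresent   = Test-Path -Path $key
        DisableAntiSpyware = $value
        DisabledByPolicy   = ($value -eq 1)
    }
}

function Get-DefenderRuntimeState {
    # The services.msc view next to the engine's own view of itself.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $mp  = Get-MpComputerStatus -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceStatus             = if ($svc) { $svc.Status } else { 'NotInstalled' }
        ServiceStartType          = if ($svc) { $svc.StartType } else { $null }
        AntivirusEnabled          = $mp.AntivirusEnabled
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        AMServiceEnabled          = $mp.AMServiceEnabled
    }
}

function Get-SecureBootState {
    # "Windows cannot verify the digital signature for this file" on a driver
    # is the expected outcome of Secure Boot / code integrity rejecting an
    # image it cannot validate.  Confirm-SecureBootUEFI throws on BIOS VMs.
    try { Confirm-SecureBootUEFI } catch { 'Unavailable (not UEFI or not supported)' }
}

function Get-ServiceImageSignature {
    # Resolve the image behind a service or driver and check its Authenticode
    # signature, so the file that actually fails verification is identified.
    param([Parameter(Mandatory)][string]$Name)
    $entry = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    if (-not $entry) {
        # Kernel and file-system filter drivers are not in Win32_Service.
        $entry = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    }
    if (-not $entry) {
        return [pscustomobject]@{ Service = $Name; Path = $null; SignatureStatus = 'ServiceNotFound'; Signer = $null }
    }

    # PathName may be quoted, carry arguments, or use \??\ or \SystemRoot\ prefixes.
    $raw = $entry.PathName
    if     ($raw -match '^"([^"]+)"')              { $path = $Matches[1] }
    elseif ($raw -match '^(.+?\.(exe|sys))(\s|$)') { $path = $Matches[1] }
    else                                           { $path = $raw }
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path -Path $env:SystemRoot -ChildPath $path }

    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Service         = $Name
        Path            = $path
        SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer          = $sig.SignerCertificate.Subject
    }
}

function Get-SignatureStartFailures {
    # Service Control Manager logs event 7000 for every failed service start;
    # keep only those whose message is the signature-verification text.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000 } -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'digital signature' } |
        Select-Object TimeCreated, Message
}

'--- Defender policy ---';  Get-DefenderPolicyState  | Format-List
'--- Defender runtime ---'; Get-DefenderRuntimeState | Format-List
'--- Secure Boot ---';      Get-SecureBootState
'--- Image signatures ---'
foreach ($n in @('WinDefend', $SuspectService)) { Get-ServiceImageSignature -Name $n } | Format-Table -AutoSize
'--- Signature-related start failures (event 7000) ---'
Get-SignatureStartFailures | Format-List
```

The policy check and the runtime check are deliberately separate: after the GPO is set back to "Not Configured" the registry value disappears immediately on gpupdate, while the service and `Get-MpComputerStatus` can lag behind it, which is the kind of discrepancy described later in this thread. The signature section is the check to make before touching Secure Boot: if the only image that fails verification is the third-party filter driver, that driver, and not Defender, is the thing Secure Boot is objecting to.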
cmp119 (asker):
Please disregard my previous post about not being able to set Windows Defender back to a running state.  After writing the above post I checked the status of Windows Defender and it was running.  It must have taken a bit for it to start on its own, so it is running now.
cmp119 (asker):
Thank you for your assistance.  Everything appears to be working fine now.
McKnife:

Welcome.

cmp119 (asker):
I may have spoken too soon.  As you can see below, Windows Defender is still not running.  As mentioned above, when I try to start the service, I get a 577 error.  A server reboot made no difference.  Not sure why it's not working.  I simply reset the modified GPO settings back to their defaults.

[screenshot: services list showing the Windows Defender service not running]

McKnife:

Did you try "start now"?
cmp119 (asker):
That worked!!!  Thanks...