Antivirus solution compatibility with Microsoft Defender for Endpoint

Applies to:

• Microsoft Defender for Endpoint Plan 1
• Microsoft Defender for Endpoint Plan 2
• Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

The Microsoft Defender for Endpoint agent depends on Microsoft Defender Antivirus for some capabilities such as file scanning.

For optimal protection, configure the following settings for devices that are onboarded to Defender for Endpoint, whether Microsoft Defender Antivirus is the active antimalware solution or not:

• Security intelligence updates (which also updates the scan engine)
• Platform updates

For more information, see Manage Microsoft Defender Antivirus updates and apply baselines.

If an onboarded device is protected by a non-Microsoft anti-malware client, Microsoft Defender Antivirus goes into passive mode. In this scenario, Microsoft Defender Antivirus continues to receive updates, and the msmpeng.exe process is listed as a running a service. But, it doesn't perform real-time protection scans, scheduled scans, or on-demand scans, and doesn't replace the running non-Microsoft antimalware client. The Microsoft Defender Antivirus user interface is disabled. Device users can't use Microsoft Defender Antivirus to perform on-demand scans or configure most options such as Attack Surface Reduction (ASR) rules, Network Protection, Indicators - File/IP address/URL/Certificates allow/block, Web Content Filtering, Controlled Folder Access, and so forth.

For more information, see the Microsoft Defender Antivirus and Defender for Endpoint compatibility topic.