
Official CP Endpoint Install / Windows Server 2019 Defender AV / Firewall disable procedure?

Hi All,

I am about to deploy Check Point Endpoint Security client 80.30 with Antimalware Engine 2 (E2) on a number of Windows Server 2019 and 2016 Hyper-V Guest VMs and at least 1 bare metal server.

As of yet, I have not heard what the official installation procedure should be considering the content of this Knowledgebase article, which indicates that Server 2019 no longer plays nice by disabling its internal antivirus and firewall components when 3rd party security clients are installed.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

The SK mentions that you must disable Windows Defender Antivirus and Firewall BEFORE installing the CPEP client.

I had not seen or heard of this behavior before installing CPEP on a Windows Server 2019 VM hosting our Blackberry UEM MDM platform, so CPEP went in on top of the MS components. I have since only disabled the Windows Defender Firewall for just the "domain" network profile for that VM.

The SK also mentions that this can be done "via GPO" but does not cover how. (Caveat: I have yet to, but will, fully read through the whole admin guide and whatever other documentation I can find for the latest releases of CPEP to see if it is covered there, and will report back if I have a definitive answer.)

With that said,

The following Microsoft post:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windo...

which suggests that a registry edit to make WD AV go "passive" is enough,

is somewhat in conflict with this Microsoft post:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windo...

which somewhat ambiguously seems to state that you can uninstall Windows Defender completely using the Add/Remove Roles and Features Wizard, after suggesting earlier in the post that removing the feature components only removes the user interface.

All very confusing.

Anyway, would anyone from Check Point proper like to suggest the specific steps one should take if we intend to deploy CPEP to even a newly built Windows 2016 or 2019 server with nothing but the OS installed yet?

What would be the GPO to which the SK refers?

Should we be uninstalling the whole feature as described in the second Microsoft link?

Also, regarding the aforementioned Blackberry UEM server: I deployed the client while actually working with CP support on a Zoom remote support session. I happened to notice that Windows Firewall was still running during the same remote session; I was told at that stage that the wscsvc service was removed in the OS and this is Microsoft's doing and by their design. At the end of the day I am therefore at a disadvantage in the case of this specific production server if I was supposed to turn off Windows Defender Anti-Malware BEFORE installing CPEP.

So, a specific question: did I break anything by having installed CPEP on a Windows Server 2019 machine before "turning off" Windows Defender Anti-Malware? I would assume not if the TAC engineer did not indicate this, but I want to be sure. Once I know what the correct "turn off" method is for Defender per CP, I just hope there is nothing I need to worry about having done things in the wrong order.

I would be interested to hear anyone's experiences with CPEP and Windows Server 2016 / 2019 and whether you noticed any issues, or whether you realized that Windows Defender components were still running.

Thanks!

Chris.

EDIT:

This is Microsoft's Antivirus and antimalware software: FAQ for reference:

https://support.microsoft.com/en-us/help/4466972/windows-10-antivirus-and-antimalware-software-faq#m...


11 Replies
Employee+

Re: Official CP Endpoint Install / Windows Server 2019 Defender AV / Firewall disable procedure?

Hello Chris,

You should uninstall Windows Defender on Windows Server 2016+.

This is useful if you have a third-party antivirus product installed on the machine already. Multiple AV products can cause problems when installed and actively running on the same machine.


See instructions here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windo...


Using group policy: https://www.prajwaldesai.com/how-to-turn-off-windows-defender-using-group-policy/


Thanks

Employee+

Re: Official CP Endpoint Install / Windows Server 2019 Defender AV / Firewall disable procedure?

I have also updated sk162735 with instructions for Windows Server 2016 and up.
The changes will be visible from tomorrow (28.10.19).

Re: Official CP Endpoint Install / Windows Server 2019 Defender AV / Firewall disable procedure?

The GPO does not address Windows Defender Firewall, as far as I can see.

I will do further testing to confirm.

If this is the case, then it seems the manual removal of the Windows Defender Feature is required if you are deploying Check Point Endpoint client's Firewall blade as well as Anti-Malware.


Re: Official CP Endpoint Install / Windows Server 2019 Defender AV / Firewall disable procedure?

Yes, confirmed that Windows Defender Firewall is not disabled using the aforementioned GPO method.


Further, when I look at the Group Policy Management console from a fully updated Windows 10 Pro PC in the domain, there are a number of components to deal with.

I really want to make sure I do things right the first time. 

What do you suggest I disable? 

I have not tried removing the Windows Defender Feature yet. I will try that now, but if there is a best practice way of disabling any Windows based security client components that might interfere with any of the full set of CPEP blades (via GPO) I would like to know. 


Re: Official CP Endpoint Install / Windows Server 2019 Defender AV / Firewall disable procedure?

[Attachment: Windows10GroupPolicyConsole.JPG]


Re: Official CP Endpoint Install / Windows Server 2019 Defender AV / Firewall disable procedure?

I would rather do this together with TAC!


Re: Official CP Endpoint Install / Windows Server 2019 Defender AV / Firewall disable procedure?

G_W, Absolutely.

Kiril is actually the technology leader for the Endpoint product line, I have been working with him on another Endpoint concern, and I hope to hear back from him again today.

Kiril has been awesome to work with, I will hopefully get a definitive answer so I can add it to my "runbook" of deployment procedures for new / reimaged PCs.

Employee+

Re: Official CP Endpoint Install / Windows Server 2019 Defender AV / Firewall disable procedure?

Disabling Windows Defender Anti-Malware and Windows Defender Firewall is needed for Windows Server 2016/2019 machines only, if you plan to install Endpoint Security client on it with Anti-Malware and Firewall Blades.


I have added links to Microsoft instructions on disabling these two components for Windows Servers 2016\2019 for SK159373 and SK162735.


Reference to GPO was removed.

If you wish to mass disable Windows Defender Firewall / uninstall Windows Defender Anti-Malware, PowerShell scripts can be used from the instructions above for all Windows Servers 2016\2019. The scripts can be applied via GPO.
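
As an added illustration of the approach Kiril describes (not Check Point's script and not from the linked SKs), the following PowerShell reports the state of the two components on a Server 2016/2019 host and, only with -Apply, performs the two documented Microsoft steps (disable the Defender Firewall profiles, uninstall the Windows-Defender feature). It assumes it is run elevated on the server itself; the Windows-Defender* feature names are taken from the Microsoft page linked above.

```powershell
# Added example: pre-install check / preparation for a Windows Server 2016/2019
# host that will receive the Endpoint client with Anti-Malware and Firewall blades.
# Without -Apply nothing is changed; the script only reports. Run elevated.
[CmdletBinding()]
param([switch]$Apply)

$os = Get-CimInstance Win32_OperatingSystem
# ProductType 1 = workstation: there the client turns Defender off itself (via wscsvc).
if ($os.ProductType -eq 1) {
    throw "Workstation OS detected ($($os.Caption)); this script is for Server 2016/2019 only."
}
Write-Host "OS: $($os.Caption) build $($os.BuildNumber)"

# wscsvc (Windows Security Center) is absent on Server 2016/2019, which is why the
# Endpoint client cannot switch Defender off on its own there.
$wsc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
Write-Host ("wscsvc present: {0}" -f [bool]$wsc)

# Defender feature state (Windows-Defender = engine, Windows-Defender-GUI = UI only).
$def = Get-WindowsFeature -Name 'Windows-Defender*'
$def | ForEach-Object { Write-Host ("Feature {0,-26} Installed: {1}" -f $_.Name, $_.Installed) }

# Defender Firewall state per profile; the GPO discussed in the thread leaves this alone.
Get-NetFirewallProfile | ForEach-Object {
    Write-Host ("Firewall profile {0,-8} Enabled: {1}" -f $_.Name, $_.Enabled)
}

if (-not $Apply) { Write-Host "Report only. Re-run with -Apply to make changes."; return }

# Step 1: disable Windows Defender Firewall on all three profiles.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled False

# Step 2: remove the Defender engine feature (this takes the GUI feature with it).
# Reboot when RestartNeeded is reported, then install the Endpoint client.
$engine = $def | Where-Object Name -eq 'Windows-Defender'
if ($engine -and $engine.Installed) {
    $r = Uninstall-WindowsFeature -Name Windows-Defender
    Write-Host ("Uninstall success: {0}; restart needed: {1}" -f $r.Success, $r.RestartNeeded)
} else {
    Write-Host "Windows-Defender feature is not installed; nothing to remove."
}
```

Run it once without -Apply on the Blackberry UEM server to see exactly which components are still active after the out-of-order install, before deciding whether to remove them.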

Re: Official CP Endpoint Install / Windows Server 2019 Defender AV / Firewall disable procedure?

Thanks for the update Kiril!

Does this mean that Windows 10 will disable Windows Defender Firewall and Windows Defender Anti Malware automatically when the CPEP client is installed with FW and AM blades enabled?


Employee+

Re: Official CP Endpoint Install / Windows Server 2019 Defender AV / Firewall disable procedure?

Yes, on Windows 10 machines, in case the Endpoint Security Firewall and/or Endpoint Security Anti-Malware blades are installed, Windows Defender (AV) and/or Firewall will be turned off (this is done through the wscsvc (Windows Security Service) service, which must be running and which is absent in Windows Server 2016 and 2019, as per the Solution section in SK159373 mentioned above).


Re: Official CP Endpoint Install / Windows Server 2019 Defender AV / Firewall disable procedure?

Great, that's all I need to know to start deploying workstations!
