Jump to content

Endpoint Analysis for AV install - excluding Windows Defender

Recommended Posts



I'm having an issue where a customer is wanting to scan incoming connections to ensure the device has anti-virus installed, however, they don't want Windows Defender to be included. As Windows now comes with defender installed anyway, does anyone know of a way i can have EPA scan for AV but exclude Defender in the scans.


My initial thought was to try and ignore Defender, but EPA only passes the ignore after the scan for AV so it passes if only defender is installed. Another thought was to exclude Defender, however as it's installed on all Windows, this then fails the scan even if another AV product is installed.


Any help is appreciated.

Link to comment
Share on other sites

  • 3 years later...

Hi Olly,


I'm struggling to find documentation on this. I have a scan for Symantec (ANTIVIR_240_538_VERSION) but I am getting EPA scan failures for Windows Defender (ANTIVIR_90_362). I do not have a Windows Defender EPA scan defined on the NetScaler and Windows Defender is not running on our builds.


Is Windows Defender a mandatory requirement on the endpoint for running further vendor AV scans or something?


Sorry for the 4 year old reply, can't find anything else out there on this other than your post.

Link to comment
Share on other sites

Hello Olly,


Yes that's right, it's giving me Windows Defender messages even though I'm not checking for it.


CLIENT.APPLICATION('ANTIVIR_240_538_VERSION_<=_14.2_VIRDEF-FILE-TIME_<=_10080[COMMENT: Symantec Endpoint Protection]') EXISTS


The issue is it seems to be intermittent, the majority of the time it's working fine, just occasionally the EPA check fails on the same build of laptop, so it's difficult to monitor the policies as you suggest when it's going wrong.



Link to comment
Share on other sites

That looks correct to me...I assume you've upgraded to the latest build of NS? 


As it's intermittent, you may want to check which policy is being hit. Within an ssh session (putty), run the following command:


nsconmsg -d current -g pol_hits


Then test logon and see what that command comes back with. The policy at the bottom will be the one that is being applied, so make sure this is the one with your AV expression.


Out of interest, when are you running EPA scans? Pre-authentication? Against a AAA Group/User? Against a session policy? Within a session profile security settings?

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...