Windows Defender as primary AV?

[Andrew Gresbach1709152664]

We currently use Cylance Protect in our environment and considering dropping and making a change to just use the built in Windows 10 Defender AV.   I had a couple of questions i was hoping someone could help with:

 

1.  any best practices for a citrix and/or app  layering perspective to be aware of and follow for this? (definition updates, periodic scans come to mind specifically how to handle)

2. any reason why this is a bad idea in this type of environment?

[Rob Zylowski]

From our perspective no issues.  Since its an MS product included int the OS you should do the updates in the OS layer.

[Andrew Gresbach1709152664]

thats what i thought.....thanks Rob!  i THINK there are only monthly new definitions that come down via Windows Update so any issue w/ full use layer if one is released before we can get it updated in an OS layer revision?

 

i'd imagine the periodic scans we'd deal w/ via whatever management tool they offer for that product and try and be smart about timing to not cripple performance during the day hey?

[Rob Zylowski]

Youll have to test Andrew unless someone from support knows about any issues i have not heard of any.  Maybe you will have to run periodic repairs to remove the updates from the user layer.

[Andrew Gresbach1709152664]

thats what i figured.....how would i do a repair if that is in the OS layer though?

[Rob Zylowski]

oh Shoot very true you cant

 

You would have to make an app layer with the updates just for removal which seems dangerous.

 

Let me see if Engineering has any recommendations.  You might just have to live with updates in the user layer.

[Andrew Gresbach1709152664]

ya i agree that sounds like it could be messy.  thank you for checking!   i noticed defender is not listed on this site so was curious if there is anything specific for that app specifically too https://docs.citrix.com/en-us/citrix-app-layering/4/layer/layer-antivirus-apps.html

 

yup thats what i thought which wouldnt be the end of the world i guess.....just possibly could get a mismatch on the non persistent machines depending on if someone is signed in and user layer mounted or not vs what file is on the not in use one