Windows Defender: Disable real time; keep scheduled and on demand scanning
The "Turn off real-time protection" Group Policy setting, located under Computer Configuration\Administrative Templates\Windows Components\Windows Defender should do what you want.
In my system, however, the Antimalware Service Executable keeps spawning (and instantly closes) every 10 seconds or so when this policy is enabled. Very annoying, but still nothing compared to the more general system slow-down caused by scanning every file on your drive over and over again.
Keep an eye out for this related question of mine: How to disable signature-based detection without turning off other protections in Windows Defender. Something of interest might come out.
[Update] Using the above method will result in a log file growing constantly, located in C:\ProgramData\Microsoft\Windows Defender\Support
, called MPLog-<datetime>.log
.
There's a way to prevent this from happening. Just set the following policies to Disabled, instead of the one I first mentioned i.e. leave that untouched:
- Monitor file and program activity on your computer
- Scan all downloaded files and attachments
- Turn on behavior monitoring
- Turn on network protection against exploits of known vulnerabilities *
- Turn on raw volume write notifications *
- Turn on Information Protection Control *
I'd advise against disabling the last 3 items (marked with an *), however. Their impact on performance is also minimum.
These policy settings can be found in the same location as the first one: Computer Configuration\Administrative Templates\Windows Components\Windows Defender
.
Note: Some versions of Windows use the term "Endpoint Protection" instead of "Windows Defender".
If your edition of Windows does not come with the Group Policy Editor, setting some registry entries will do the trick. They are all located under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Real-Time Protection
(create this key if it does not exist). Create the following DWORD (32-bit) entries and set them to 1:
- DisableOnAccessProtection
- DisableIOAVProtection
- DisableBehaviorMonitoring
- DisableIntrusionPreventionSystem *
- DisableRawWriteNotification *
- DisableInformationProtectionControl *
Again I recommend against disabling the last 3 items. Leave them as 0, or better yet, do not create entries for them.
A system restart is required after making these changes.
Just for completeness, the Registry entry for the "Turn off real-time protection" policy is called DisableRealtimeMonitoring
.
[Update 2] An addendum: Malwarebytes Anti-Exploit (MBAE) is generally incompatible with the Microsoft Enhanced Mitigation Experience Toolkit (EMET). It even says so when installing it on an EMET-protected system. To see for yourself, download mbae-test.exe from here, add it to the list of EMET-protected apps, and try loading it with MBAE enabled.
(However, if you only use EMET to enforce system-wide rules - i.e. DEP and SEHOP - that's fine. It's only when launching an application protected by both solutions that you should expect trouble.)
Starting with the May 2019 Update (version 1903), Windows 10 is introducing Tamper Protection, which is a new feature designed to protect the Windows Security app against unauthorized changes that are not made directly through the experience.
Although this is a welcome addition that adds an extra layer of protection on Windows 10, it can cause some problems when you need to manage security settings through another app or command line tools, such as PowerShell or Command Prompt.
This includes making changes through Group Policy!
Change the Tamper Protection setting
In the search box on the taskbar, type Windows Security and then selct Windows Security in the list of results. In Windows Security, select Virus & threat protection and then under Virus & threat protection settings, select Manage settings. Change the Tamper Protection setting to On or Off.
Then launch Group policy editor and disable abovementioned three services (although I think that scanning downloads is useful and does not impact performance) AND a new setting called Turn on process scanning whenever real-time protection is enabled. Run gpupdate /force from CMD, no need to reboot.
Run Regedit and check if these lines are added into [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001 "DisableOnAccessProtection"=dword:00000001 "DisableScanOnRealtimeEnable"=dword:00000001 "DisableIOAVProtection" =dword:00000001
If you do not have acess to GPeditor, create a .reg script containing
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001
Enjoy your much faster system. Also I recommend using VThash check utility for much more comprehensive scanning.