Windows Defender: Disable real time; keep scheduled and on demand scanning
The "Turn off real-time protection" Group Policy setting, located under Computer Configuration\Administrative Templates\Windows Components\Windows Defender should do what you want.
In my system, however, the Antimalware Service Executable keeps spawning (and instantly closes) every 10 seconds or so when this policy is enabled. Very annoying, but still nothing compared to the more general system slow-down caused by scanning every file on your drive over and over again.
Keep an eye out for this related question of mine: How to disable signature-based detection without turning off other protections in Windows Defender. Something of interest might come out.
[Update] Using the above method will result in a log file growing constantly, located in C:\ProgramData\Microsoft\Windows Defender\Support
, called MPLog-<datetime>.log
.
There's a way to prevent this from happening. Just set the following policies to Disabled, instead of the one I first mentioned i.e. leave that untouched:
- Monitor file and program activity on your computer
- Scan all downloaded files and attachments
- Turn on behavior monitoring
- Turn on network protection against exploits of known vulnerabilities *
- Turn on raw volume write notifications *
- Turn on Information Protection Control *
I'd advise against disabling the last 3 items (marked with an *), however. Their impact on performance is also minimum.
These policy settings can be found in the same location as the first one: Computer Configuration\Administrative Templates\Windows Components\Windows Defender
.
Note: Some versions of Windows use the term "Endpoint Protection" instead of "Windows Defender".
If your edition of Windows does not come with the Group Policy Editor, setting some registry entries will do the trick. They are all located under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Real-Time Protection
(create this key if it does not exist). Create the following DWORD (32-bit) entries and set them to 1:
- DisableOnAccessProtection
- DisableIOAVProtection
- DisableBehaviorMonitoring
- DisableIntrusionPreventionSystem *
- DisableRawWriteNotification *
- DisableInformationProtectionControl *
Again I recommend against disabling the last 3 items. Leave them as 0, or better yet, do not create entries for them.
A system restart is required after making these changes.
Just for completeness, the Registry entry for the "Turn off real-time protection" policy is called DisableRealtimeMonitoring
.
[Update 2] An addendum: Malwarebytes Anti-Exploit (MBAE) is generally incompatible with the Microsoft Enhanced Mitigation Experience Toolkit (EMET). It even says so when installing it on an EMET-protected system. To see for yourself, download mbae-test.exe from here, add it to the list of EMET-protected apps, and try loading it with MBAE enabled.
(However, if you only use EMET to enforce system-wide rules - i.e. DEP and SEHOP - that's fine. It's only when launching an application protected by both solutions that you should expect trouble.)