https://twitter.com/AmitaiTechie/status/1217156973268893696
Of course, that relies on not having Defender disabled by an alternate product.
https://docs.microsoft.com/en-us/windows/security/threat-pro...
> In Windows Server 2016, Windows Defender AV will not disable itself if you are running another antivirus product.
https://support.symantec.com/us/en/article.tech237177.html
Or McAfee:
https://kc.mcafee.com/corporate/index?page=content&id=KB8245... (search for DisableRealtimeMonitoring)
For a deeper dive: I ran into issues on a security assessment trying to run procdump on lsass, which was being blocked by Defender. The workaround was to find a machine with McAfee installed where that behavior was allowed.