Windows – How to disable (signature-based) real-time scanning and leave behavior monitoring enabled in Windows Defender

anti-virusgroup-policywindows 10windows-defender

I believe that Windows Defender included in Windows 10 implements some forms of protection other than signature-based threat detection. Two Group Policy settings indicates this: "Turn on behavior monitoring" and "Monitor file and program activity on your computer".

Since I really dislike signature based-detection (and employ a really strict policy for threat mitigation instead), it's of my best interest to disable real-time file scanning in my Windows 10 system, but without turning off real-time protection entirely. Can it be done?

There's a policy setting called "Turn off real-time protection", but judging by it's name, I'm afraid it disables the other components. There's also "Scan all downloaded files and attachments", which I tried setting to Disabled, but doesn't seem to work (browsing through files and plugging external drives still triggers file scanning).


Best Answer

Found the answer myself (more details here). Basically, it's as simple as setting the Group Policy called Monitor file and program activity on your computer to Disabled.

For users of Windows editions without gpedit.msc, a DWORD entry called DisableOnAccessProtection must be created under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Real-Time Protection and set to 1.

The name of this registry entry tells you exactly what "Monitor file and program activity" actually do: It scans files "On Access" (such as when Windows Explorer lists the contents of a directory). Nothing more.