by lunarg on June 3rd 2021, at 13:34

When deploying Cylance for the first time in a new environment, best practice is to have it run in "audit mode" where Cylance detects but does not act upon it. Of course, this would not be very secure if you don't have another anti-virus in place. Starting from Windows 10 and Server 2016, Windows Defender is automatically installed and active if no other anti-virus product is installed. However, installing Cylance the regular way would result in Windows detecting the presence of Cylance and disabling most of the functionality of Defender. Luckily, you can workaround the issue by having Cylance not register as an anti-virus with Windows Security Center during the installation (or afterwards). This way, Windows Defender will remain fully active, together with Cylance, making sure that Cylance can be run in "audit mode" and having Defender in place should a legitimate malware be detected.

Register/unregister Cylance with WSC

Installing Cylance without registering it with Windows Security Center can be achieved with an installation parameter. For example, the command-line below would silently install Cylance without registering it with WSC. Notice the REGWSC parameter: set it to 0 to not register.

msiexec.exe /i "CylanceProtect_x64.msi" /qn /norestart /log output.log REGWSC=0

Note that this only works on client systems (i.e. running Windows 10). On Windows Server 2016 and newer, even with this parameter, Defender will remain active. See further down this article to see how to disable Defender on Windows Server 2016 and up when the "audit" period is over and you want to fully activate Cylance and disable Defender.

So, after you've installed Cylance without registering it, you can let it run and weed out the false positives, etc. When the "audit period" is over, you want to activate Cylance and in this regard, you may also want to disable Windows Defender in the process. The recommended way is to register Cylance with Windows Security Center. This will not only disable most of the Windows Defender functionality but will also provide you with alerts through Windows Security Center if there are any problems with your Cylance installation. Rather than reinstalling Cylance, you can simply trigger a registration command to Cylance, which will do the rest.

The registration trigger needs to be run as a user with local administrative privileges. It can also be triggered as an elevated log on task or as a computer startup task (e.g., via GPO):

C:\Program Files\Cylance\Desktop\CylanceSvc.exe /register /enable

The change is immediate. A reboot is not necessary. Also, you only need to run this once (unless, of course, you're on VDI with non-persistent desktops)

If you wish to re-enage Defender (e.g., as a second security layer), you can also unregister a registered Cylance install from Windows Security Center in a similar fashion:

C:\Program Files\Cylance\Desktop\CylanceSvc.exe /unregister

Again, the change is effective immediately. No reboot is required.

Windows Server 2016/2019

As explained before, Server editions (2016 and newer) do not have a Windows Security Center. Therefore, Windows Defender will always be active, even if Cylance is installed and the (un)register triggers will not have any effect. To effectively disable Windows Defender, you will need to disable it via GPO or via registry:

  1. Navigate to the key: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
  2. Edit or create a new value: DisableAntiSpyware (REG_DWORD)
  3. Set the value to 1 to disable Windows Defender.

Note that because it's a policy-based change, a reboot is required.