Microsoft Defender AV must be configured to process scanning when real-time protection is enabled.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-213447 | SRG-APP-000278 | WNDF-AV-000023 | SV-213447r1190721_rule | 2026-02-17 | 2 |
Description
This policy setting allows the configuration of process scanning when real-time protection is turned on. This helps to catch malware, which could start when real-time protection is turned off. If this setting is enabled or not configured, a process scan will be initiated when real-time protection is turned on. If this setting is disabled, a process scan will not be initiated when real-time protection is turned on.
ℹ️ Check
Verify the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Real-time Protection >> "Turn on process scanning whenever real-time protection is enabled" is set to "Enabled" or "Not Configured".
Procedure: Use the Windows Registry Editor to navigate to the following key:
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
Criteria: If the value "DisableScanOnRealtimeEnable" is REG_DWORD = 0, this is not a finding.
If the value does not exist, this is not a finding.
If the value is 1, this is a finding.
✔️ Fix
Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Real-time Protection >> "Turn on process scanning whenever real-time protection is enabled" to "Enabled" or "Not Configured".