This topic describes potential issues and recommendations for using third-party antivirus software on Elastic Compute Service (ECS) instances that run Windows.
Problem description
During the operations and maintenance (O&M) of Windows servers, such as ECS instances, you might encounter system exceptions. Examples include application installation failures, operating system activation errors, abnormal disk or network access, blue screens, or system unresponsiveness. Troubleshooting often reveals that these issues are related to third-party antivirus or security software installed on the server, such as 360, Symantec, or Server Security Dog.
Causes
Third-party security software requires deep integration into the Windows operating system kernel to provide real-time monitoring for threats such as viruses and Trojans. This integration is typically achieved using kernel drivers (Filter Drivers), which intercept and analyze disk, network, and application requests. This deep system integration is the root of potential problems:
Compatibility conflicts: The security software's kernel driver might conflict with Windows system components, other application drivers, or system updates. This can lead to system instability.
Permission blocking: The software's protection mechanisms might incorrectly block normal system operations, such as reading or writing to the registry or accessing system files. This can cause software installation or system activation to fail.
Difficulty in complete disabling: Selecting "Disable Protection" or "Exit" in the software's interface usually does not uninstall its kernel driver. The driver continues to run in the background and affect system behavior.
Troubleshooting
If you suspect that third-party security software is causing a system issue, follow these steps to troubleshoot.
Confirm whether the security software's kernel driver is running
Even if the software is disabled, you can use the following methods to check if its core driver is loaded.
Method 1: Check Device Manager
1. Open Run (Win+R), enter devmgmt.msc, and press Enter.
2. In the Device Manager menu bar, click .
3. Expand the Non-Plug And Play Drivers list.
4. Check the list for drivers from known third-party security software. For example, NAVENG and NAVEX15 are kernel drivers for Symantec.
Method 2: Check System Information
1. Open Run (Win+R), enter msinfo32.exe, and press Enter.
2. In the navigation pane on the left, expand .
3. In the list on the right, look for suspicious third-party drivers. For example, NAVENG and NAVEX15 are kernel drivers for Symantec.
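Both methods above can be scripted. The following PowerShell example is added here and is not part of the original topic or any vendor's tooling: it lists the kernel drivers that are currently running (the same set that Device Manager shows under Non-Plug And Play Drivers once hidden devices are visible), reads each driver file's Authenticode signer, and flags entries whose name, path, or signer matches a list of vendor patterns. Only NAVENG and NAVEX15 come from this topic; the remaining patterns are assumptions that you should adjust to the products used in your environment. Run it from an elevated PowerShell session on the affected instance.

```powershell
# Added example (not from the original topic): find running kernel drivers that look
# like third-party security software, even when the product's UI says it is disabled.
# Run from an elevated PowerShell prompt.

# Name/path/signer fragments to flag. NAVENG and NAVEX15 are the Symantec drivers named
# in this topic; the other entries are assumed patterns and should be adjusted.
$vendorPatterns = @(
    'NAVENG', 'NAVEX15', 'Symantec',   # Symantec (driver names from this topic)
    '360',                             # 360 family products (assumed naming)
    'SafeDog'                          # Server Security Dog (assumed naming)
)

function Get-LoadedKernelDrivers {
    # Win32_SystemDriver enumerates kernel-mode driver services, including the
    # "Non-Plug and Play" drivers that Device Manager hides by default.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        Select-Object Name, DisplayName, StartMode, PathName
}

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    # Service image paths come in several shapes: C:\..., \??\C:\..., \SystemRoot\..., or System32\...
    $path = $PathName -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
    return $path
}

function Get-DriverSigner {
    param([string]$PathName)
    $path = Resolve-DriverPath -PathName $PathName
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return 'file not found' }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.SignerCertificate) { return $sig.SignerCertificate.Subject }
    return "unsigned ($($sig.Status))"
}

function Find-SuspectSecurityDrivers {
    param([string[]]$Patterns = $vendorPatterns)
    # Build one case-insensitive alternation from the literal patterns.
    $regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($drv in Get-LoadedKernelDrivers) {
        $signer = Get-DriverSigner -PathName $drv.PathName
        $haystack = @($drv.Name, $drv.DisplayName, $drv.PathName, $signer) -join ' '
        if ($haystack -match $regex) {
            [pscustomobject]@{
                Name        = $drv.Name
                DisplayName = $drv.DisplayName
                StartMode   = $drv.StartMode   # Boot/System drivers load before any UI "disable" switch
                Path        = $drv.PathName
                Signer      = $signer
            }
        }
    }
}

$suspects = Find-SuspectSecurityDrivers
if ($suspects) {
    $suspects | Format-Table -AutoSize
} else {
    'No running kernel drivers matched the vendor patterns.'
}
```

The StartMode and Signer columns are the useful evidence: a driver whose start mode is Boot or System and whose signer is the security vendor is loaded by the kernel at startup regardless of the "Disable Protection" setting in the product's interface, which is the situation described under Causes. A driver that reports "unsigned" or "file not found" deserves a closer look in its own right.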
Test the issue in an isolated environment
If the issue disappears in clean boot mode or safe mode, you can be almost certain that third-party software or a third-party service is the cause.
Method 1: Perform a clean boot
This is the recommended troubleshooting method. It starts Windows without loading third-party services and drivers, which helps you quickly identify the problem. For more information, see the official Microsoft document How to perform a clean boot in Windows.
Method 2: Enter safe mode
Safe mode starts Windows with a minimal set of drivers. For specific steps, see How do I enter safe mode on a Windows instance?.
Completely uninstall the software
If the preceding steps confirm that the issue is related to the security software, you can resolve the issue using one of the following methods.
Upgrade the software. Contact the software vendor to download the latest version of the antivirus software to rule out compatibility issues.
Completely uninstall the software. Use the official uninstaller tool provided by the software vendor to ensure all related files and drivers are completely removed. After uninstallation, restart the server and check if the issue is resolved.
Case studies
Case 1: .NET Framework installation fails
Symptoms: During the installation of .NET Framework 4.0, the process automatically rolls back and eventually fails.
Troubleshooting procedure:
The system application log showed a critical error: "Error 1406. Cannot write the value RequiredPrivileges to the registry key \SYSTEM\CurrentControlSet\Services\clr_optimization_v4.0.30319_32. System error. Make sure that you have sufficient permissions to access this registry key...".
Monitoring the installation process with the Process Monitor tool did not reveal any obvious "Access Denied" records.
An attempt to manually create a new key in the registry at the `HKLM\SYSTEM\CurrentControlSet\Services\` path failed. However, the same operation succeeded on a healthy server with an identical configuration.
A comprehensive analysis suggests that although there were no explicit permission error logs, the registry operation was blocked at a low level. This is most likely a kernel-level blocking action.
Solution: An inspection revealed that "Server Security Dog" was installed on the server. After the software was completely uninstalled, the .NET Framework installation completed successfully.
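The manual registry test in step 3 of this case can be turned into a repeatable probe that you run on the affected server and on a healthy server for comparison. The PowerShell example below is added here and is not part of the original topic: it creates a throwaway subkey under HKLM\SYSTEM\CurrentControlSet\Services (the path where the .NET installer failed), writes a REG_MULTI_SZ value named RequiredPrivileges to mirror the operation in the Error 1406 message, reports the exact exception, removes the subkey again, and lists recent Application log entries that mention Error 1406. The subkey name and the seven-day log window are arbitrary choices made for this example. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original topic): probe whether a process running as an
# administrator can create and write a service subkey, and pull recent Error 1406
# entries from the Application log. Run elevated on both the affected and a healthy server.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Arbitrary, collision-free probe name chosen for this example.
$probeName   = 'ProbeKey_' + [guid]::NewGuid().ToString('N').Substring(0, 8)

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-ServicesKeyWrite {
    param([string]$Parent = $servicesKey, [string]$Name = $probeName)
    $probe = Join-Path $Parent $Name
    try {
        # The two operations the installer needs: create the subkey, then write the value
        # named in the Error 1406 message. Both must succeed on a healthy server.
        New-Item -Path $probe -ErrorAction Stop | Out-Null
        New-ItemProperty -Path $probe -Name 'RequiredPrivileges' -Value @('SeProbePrivilege') `
            -PropertyType MultiString -ErrorAction Stop | Out-Null
        return [pscustomobject]@{ Key = $probe; Succeeded = $true; Error = $null }
    } catch {
        # Report the exception type as well as the text: an ACL denial surfaces as
        # UnauthorizedAccessException, while a filter-driver block often looks different.
        return [pscustomobject]@{
            Key       = $probe
            Succeeded = $false
            Error     = '{0}: {1}' -f $_.Exception.GetType().FullName, $_.Exception.Message
        }
    } finally {
        # Always clean up the probe key, whether or not the write succeeded.
        if (Test-Path -LiteralPath $probe) {
            Remove-Item -Path $probe -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
}

function Get-RecentError1406 {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = (Get-Date).AddDays(-$Days) } `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Error 1406' } |
        Select-Object TimeCreated, ProviderName, Id,
            @{ Name = 'Message'; Expression = { ($_.Message -replace '\s+', ' ').Substring(0, [Math]::Min(160, $_.Message.Length)) } }
}

if (-not (Test-IsElevated)) {
    Write-Warning 'Not elevated: a failure here only proves a missing right, not a kernel-level block.'
}

$result = Test-ServicesKeyWrite
$result | Format-List

'Recent Application log entries mentioning Error 1406:'
$events = Get-RecentError1406
if ($events) { $events | Format-Table -AutoSize } else { '  none in the selected window' }
```

Interpretation follows the reasoning of this case: if the probe succeeds on the healthy server but fails on the affected one while both sessions are elevated, and a Process Monitor trace of the failing run shows no ACCESS DENIED result, the write is being refused below the permission layer, which points at a kernel driver rather than at registry ACLs.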
Case 2: Windows system activation fails
Problem description:
When you run slmgr -ato in the command line to activate Windows, the system returns the error "Product not found". Following Microsoft's official recommendation, running slmgr -rilc to delete temporary sppsvc data results in the error "Error: 0xC0000022".
Troubleshooting procedure:
Error code 0xC0000022 is usually related to permission issues. It indicates that an application cannot access a required system component.
Analyzing the logs with Process Monitor again revealed no direct "Access Denied" errors. This suggests that the block occurred at a lower level, likely because a third-party security software incorrectly identified the action as malicious and blocked it.
Solution: After uninstalling software such as 360 Security Guard from the server, Windows activation succeeded.
Core recommendations
Prioritize built-in system protection
For Windows Server systems, Windows Defender is the official, built-in, and free protection solution from Microsoft. It offers the best compatibility with the operating system, consumes relatively few resources, and provides basic yet effective security protection.
Choose third-party protection software carefully
If your business scenario requires third-party software, follow these principles:
Choose the server-specific version: Be sure to select the version designed specifically for server environments, not the personal desktop version.
Keep the version up to date: Promptly download and update the software from official channels. New versions usually fix known compatibility issues.
Test in stages: Before deploying to a production environment, perform thorough compatibility tests on a test server.
Develop a troubleshooting habit
When any unexplained issue occurs on the server, consider recently installed or updated third-party security software as the primary suspect. Troubleshoot the issue by following the steps provided in this topic.