Heimdal

There’s been a lot of noise lately on Reddit and other platforms about how “easy” it is to disable Windows Defender ATP. MSPs are getting questions from clients about this concern.

But these discussions are focusing on the wrong issue entirely.

Yes, You Can Disable Defender ATP (But That’s Not the Real Problem)

If you have admin rights on a desktop, turning off the antivirus is really simple. You just open the Windows Security Center and toggle it off.

That’s obviously not ideal, but honestly, it’s the same with any antivirus solution.

What the Discussions Are Missing

Here’s what’s often overlooked in these conversations: any antivirus can be disabled with admin rights. CrowdStrike, SentinelOne, Heimdal, Windows Defender – it doesn’t matter which vendor you’re using.

In any attack scenario, once someone has admin rights on the machine, eventually the attacker can disable whatever protection you’ve got running. This isn’t a Defender problem. This is a privileges problem.


Why Admin Rights Are the Real Attack Target

Look at the recent Marks & Spencer breach. The attackers didn’t succeed because they found a weak antivirus to disable.

They used social engineering tactics to gain user access, then gradually escalated privileges over time.

The attack pattern is always the same:

  1. start with a non-elevated user account
  2. move laterally through the network
  3. compromise accounts with elevated privileges

Once they have admin rights, they can disable security tools, access sensitive data, and deploy ransomware.

Admin rights are what make every other attack possible. The specific antivirus running becomes a footnote once an attacker has those privileges.

The Solution That Makes the Difference

The solution is straightforward: make sure users don’t have admin rights. Even as the admin or founder, you shouldn’t have those rights yourself.

One of the first things we did when founding Heimdal was to remove my own admin rights.

Why? Because you – the user – are often the biggest risk.

I’m a high-value target as a founder, and if I don’t have elevated privileges, I can’t accidentally (or through social engineering) compromise the entire system.

If you don’t have rights, you can’t disable protection. That’s the whole point.

What Heimdal Actually Does About This

We have tamper detection built into any Heimdal service.

Customers just need to turn it on and configure the appropriate response actions. But here’s the thing – while tamper detection is useful, the real protection comes from proper privilege management.

Our PEDM (Privilege Elevation and Delegation Management) solution addresses the root cause: controlling who has admin rights, when they have them, and for how long.

It’s about stopping the attack chain before the antivirus even becomes a target.


What to Tell Your Clients

When clients bring up concerns about antivirus tampering, redirect them to the real issue:

The problem isn’t your antivirus choice – it’s your privilege management.

Any security tool can be compromised if an attacker gets admin rights. The solution is preventing that access in the first place.

Ask the questions that matter:

  • Who in your organization has admin rights right now?
  • Why do they need them permanently?
  • How would you know if those privileges were being misused?
  • What’s your plan when a privileged user gets compromised?
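
A quick way to put hard numbers behind the first and third questions on a single Windows endpoint, as an added example that is not Heimdal's code: it lists every principal in the local Administrators group that is not on an allow-list, and reports whether Microsoft Defender's own tamper protection is switched on. The allow-list contents (`CONTOSO\Domain Admins`) are placeholders you replace with your own, and the script assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows.

```powershell
# Added example, not Heimdal's code. Answers "who has admin rights right now?"
# on this machine and checks Defender's tamper protection state.
# $ExpectedAdmins is an assumed allow-list: adjust it to your environment.
$ExpectedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account, normally disabled
    'CONTOSO\Domain Admins'              # placeholder domain group
)

function Get-UnexpectedLocalAdmins {
    param([string[]]$AllowList = $ExpectedAdmins)
    # Get-LocalGroupMember returns local and domain principals; Name is DOMAIN\account
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $AllowList -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource, SID
}

function Get-DefenderTamperStatus {
    # Get-MpComputerStatus ships with the Defender module; if it is missing,
    # Defender is not the active AV and this check does not apply.
    $status = Get-MpComputerStatus -ErrorAction Stop
    [pscustomobject]@{
        AntivirusEnabled          = $status.AntivirusEnabled
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        TamperProtected           = $status.IsTamperProtected
    }
}

$unexpected = @(Get-UnexpectedLocalAdmins)
if ($unexpected.Count -eq 0) {
    Write-Output 'Local Administrators group contains only allow-listed principals.'
} else {
    Write-Warning "Found $($unexpected.Count) principal(s) with local admin rights outside the allow-list:"
    $unexpected | Format-Table -AutoSize
}

try {
    Get-DefenderTamperStatus | Format-List
} catch {
    Write-Warning "Could not query Microsoft Defender status: $($_.Exception.Message)"
}
```

Run it across a fleet through your RMM and any endpoint that reports unexpected members or `TamperProtected : False` is where the privilege conversation above should start.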

Focus the conversation on admin rights, not antivirus brands.

You could have the most expensive, sophisticated endpoint protection available – but if your users are running with admin privileges, you’re still vulnerable to the exact same tampering scenarios people worry about with Defender.


The Bottom Line: Fix the Admin Rights Problem

The online discussions about antivirus tampering are solving the wrong problem. Debating which security tool is hardest to disable misses the point entirely.

Admin rights are what enable security tool tampering in the first place. 

Remove the unnecessary privileges, and attackers can’t disable your protections – regardless of which antivirus you’re running.

The conversation should be about implementing proper privilege management, monitoring user behavior, and ensuring that even compromised users can’t escalate to system-level control.

That’s what actually prevents tampering – not choosing a different antivirus brand.

Worried about your current privilege management setup? Speak to your distribution partner for a configuration check and see how your clients’ environments really stack up against modern attack vectors.

Author Profile

Morten Kjaersgaard

Chairman and Founder


Morten Kjaersgaard is the Founder and Chairman of Heimdal®, a global leader in AI-powered cybersecurity. Under his leadership, Heimdal has grown from a startup in Copenhagen to a trusted security partner for over 16,000 organizations and more than 2,000 MSPs worldwide, defending against 260+ million cyber threats annually. With a sharp focus on unifying cybersecurity operations, Morten is recognized for his ability to align technical innovation with strategic business outcomes. His insights have shaped how organizations and partners alike approach risk reduction, compliance, and security maturity in an increasingly complex digital world. A respected voice in the industry, Morten frequently shares his expertise at international events and through media commentary—championing a more proactive, collaborative, and scalable model for cybersecurity success.
