PanicStation.org

What to do if…
your antivirus or security app is suddenly disabled and you did not change it

Short answer

Pause and assume the device may be compromised: disconnect it from the internet (Wi-Fi/mobile/ethernet) and stop signing into accounts on it until you’ve checked things from a safer device.

Do not do these things

  • Don’t keep using the device for banking, email, password managers, or work logins “just quickly”.
  • Don’t download “fix tools” from pop-ups, ads, or random search results.
  • Don’t keep toggling the antivirus on/off while you’re still online if it immediately switches off again.
  • Don’t plug in external drives/backups “to scan them” until you’re confident the device is clean.
  • Don’t wipe the device yet if this involves work systems or you may need evidence of what happened.
  • Don’t click around “to investigate”. If you want a record, capture only what’s already visible; if unsure, take a photo of the screen with another device.

What to do now

  1. Disconnect the device from all networks.
    Turn off Wi-Fi and Bluetooth, unplug ethernet, and if it’s a phone/tablet switch on airplane mode. If you can’t reliably disconnect (or you’re seeing extortion/ransomware-style behaviour), power it down.

  2. Write down what you saw (2 minutes, no deep digging).
    Note the time/date, the exact security product name, any messages, and what changed (for example: “real-time protection off”, “tamper protection off”, “app missing”). If it’s already on-screen, take a photo/screenshot without clicking further.

  3. From a different, trusted device, secure your most important accounts.
    Start with email, Apple/Google/Microsoft account, banking, and work accounts.

    • Change passwords from the trusted device, and enable 2-step verification if it isn’t already.
    • If you reuse passwords, change the reused ones first.
    • If your email is the “reset” for everything else, secure it before anything else.

  4. Check for simple causes (only if you can do it offline).
    Sometimes one security product disables another, or updates reset settings. Look for:

    • A newly installed antivirus/security suite you didn’t choose.
    • A “work/school” or device-management profile you don’t recognise (especially on laptops/phones).
      If anything looks unfamiliar, don’t remove it blindly—just note it.

  5. Run an offline scan before reconnecting (if available).
    If you’re on Windows, use Microsoft Defender Offline scan (it restarts into a recovery environment to scan). If you use third-party security software, use its official offline/boot scan option if it has one.

  6. Only after containment: update, then run a full scan.
    If you must reconnect briefly, do it on a known-good network only long enough to update the operating system and security tools, then run a full scan. Disconnect again if the protection switches itself off again.

  7. If it still won’t stay enabled: isolate and escalate.

    • For a personal device: keep it isolated and plan for professional help or a clean reinstall after accounts are secured.
    • For a work/school device: stop and contact your IT/helpdesk/security team. Don’t attempt a “factory reset” unless they tell you to.

  8. If money, personal data, or accounts may be involved, report it.

    • If you’re in England, Wales, or Northern Ireland, report cyber crime/fraud via Report Fraud / Action Fraud using a different device.
    • If you’re in Scotland, contact Police Scotland (999 emergency / 101 non-emergency).
    • If bank details may be exposed, contact your bank using the number on your card/app (not one from an email/text).
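
For a personal Windows device, steps 4 and 5 can be done from an elevated PowerShell prompt while the device is still offline. The script below is an added example, not part of the original guidance: it only reads Microsoft Defender's state and prints it to the screen (so it can be photographed, as in step 2), then offers to start the offline scan. The function name Get-DefenderSnapshot is made up for this example; on a work-managed device, follow step 7 instead.

```powershell
# Added example: read-only snapshot of Microsoft Defender state.
# Changes no settings and writes no files; output goes to the screen only.
function Get-DefenderSnapshot {
    # What Defender itself reports about its protection state
    try {
        Get-MpComputerStatus -ErrorAction Stop |
            Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
                          IsTamperProtected, AntivirusSignatureLastUpdated |
            Format-List | Out-Host
    } catch {
        Write-Warning "Defender did not answer a status query: $($_.Exception.Message)"
    }

    # Security products registered with Windows Security Center (step 4:
    # look for a suite you did not choose). Client editions of Windows only.
    try {
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
            Select-Object displayName, pathToSignedProductExe, timestamp |
            Format-List | Out-Host
    } catch {
        Write-Warning "Could not list registered security products: $($_.Exception.Message)"
    }

    # Defender's own record of protection being switched off or reconfigured:
    # 5001 real-time protection disabled, 5007 configuration changed,
    # 5010 and 5012 scanning disabled.
    try {
        Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-Windows Defender/Operational'
            Id      = 5001, 5007, 5010, 5012
        } -MaxEvents 20 -ErrorAction Stop |
            Select-Object TimeCreated, Id, Message |
            Format-List | Out-Host
    } catch {
        Write-Warning "No matching Defender events, or the log is unreadable: $($_.Exception.Message)"
    }
}

Get-DefenderSnapshot

# Step 5: Microsoft Defender Offline. This restarts the device straight away,
# so make sure nothing unsaved is open first.
if ((Read-Host 'Restart now into a Microsoft Defender Offline scan? (y/n)') -eq 'y') {
    Start-MpWDOScan
}
```

A warning in place of a status block is itself worth noting down: it means Defender or its log could not be queried at all.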

What can wait

  • You don’t need to decide right now whether to reinstall the whole device—first isolate it and secure key accounts.
  • You don’t need to identify “which malware it is” today.
  • You don’t need to reply to any threatening messages or pay anything today (if extortion/ransomware appears, keep the device offline and focus on containment and reporting).

Important reassurance

A security app switching off unexpectedly can happen for non-malicious reasons (updates, conflicts, expired licences), but treating it as a potential compromise at first is a sensible way to prevent the worst outcomes. You’re not overreacting by disconnecting and slowing down.

Scope note

This is first-steps guidance to stabilise the situation and reduce harm. Later steps (reinstalling, restoring backups, deeper investigation) depend on whether this is a personal device, a work-managed device, or part of a wider incident.

Important note

This is general information, not professional security or legal advice. If the device is used for work, healthcare, finances, or holds sensitive personal data, involve the relevant IT/security support early and avoid making changes that could destroy useful evidence.
