Thanks for your reply.
Sorry I wasn't able to express myself better.
- I suppose that the sample being submitted was just suspicious, not malicious, but obviously I'm keeping an eye out for further AV updates
- considering the event just an example, what I was missing is that Elastic LOOKS for such events and integrates them into the alerts it shows
The rationale is clear: Elastic can be configured to monitor or to prevent intrusions. For the simplistic case, assume 'prevent' is toggled off and Elastic is set to not be the primary AV registered in MS Security Center. Both of these are available settings.
Would you expect it to stay unaware of any intervention the main AV undertakes? If it's monitoring the system, why would it ignore such a major information source? Would you not rather expect it to do the optimum for each selectable choice?
Yes, the other solution is responsible for doing its job, but if you consider a hierarchical value of information sources, you have top and lower tier sources.
information trust
top tier
- what elastic's kernel module saw in syscalls etc.
- in the case that it's not the prime AV system, events from the other should also be roughly on that level, albeit maybe lower since it is foreign information and something foreign will need to have less trust or undergo less processing, to not allow for exploitation.
medium tier
- things like security audit logs
- things like process events
- things like normal event logs
- already quite risky things like, I dunno, osquery, WMI data etc.
lowest tier
- untrusted things that came over integrity-monitored channels like COM or whatever stuff Windows does.
- things like windows event forwarding received data from remote sources where you can just validate the integrity of your read of the data, but not anything that relates to the sender.
logic problem
the 'other' defender works
If you have a Defender for Enterprise setup, Elastic agent knows how to ingest the logs and events via an integration.
I think there ought to be either a second integration, or it should just be handled by the normal Windows agent integration.
it is the DEFAULT setup
I'm in favor of thinking it needs to be part of the standard Windows integration, since the stock MS Defender doesn't go away (hopefully it's disabled in an enterprise context next to Elastic, but if you look at the actual stock Windows setup you WOULD find Defender, and Elastic would normally run in parallel during eval etc.).
it extends into multiple parts of windows AV
I think in that scenario it should already work as well as possible, and also log submissions to MS MAPS and such things.
I hope I was easier to understand now.
It's not a very important thing for me; I just try to notice issues in my env, which is mostly for testing, rather than being asked about them by clients a year later in an env that matters.
race doesn't matter, but information does matter
Oh, and finally, the race between AV products is not super applicable for this example. Elastic had a chance to catch the file when it was downloaded; maybe it just didn't create a false positive, or maybe it didn't have an IOC signature. I do not know. It might have caught the file later, but meh. It's not worth tracking that down at this stage. We can and should assume it would have reacted if the browser had been hijacked and launched a cmd.exe or something.
On that end I consider the reaction completely OK for an EDR.
My issue is with ignoring high-value threat info.
ill-chosen examples
the medieval one
Imagine you have two guards watching a town gate. It's good if there's always one who sends away an intruder. But if the other one would tell you he knows nothing about that because his job is to guard the door, and not to watch what the other guy does, would you pay him that week? It becomes very thin argumentative ice whether he was even doing his job if he's not aware of what happened.
the modern warfare one
If you want to watch a hilarious video about the result of thinking like that, look on YouTube for the video on why the British SAS soldiers were banned from US bases. They constantly just walked in by exploiting the fact that people followed 'procedures' instead of being on guard.
100% human
All bad examples were written by hand. I just added formatting so the lists look less loaded.