What IVE OS version are you using? have you tried 7.4r1?
Does running Host Checker in compatibility mode and disabling then re-enabling real-time protection in Windows Defender allow the user to login in the current IVE OS version.
I believe this might work now in 2.3.5. As far as I can tell, opswat had made a change that required UAC elevation for Windows Defender, so maybe it's being detected as something else now or it was fixed.
We at OPSWAT are aware that consumption of OESIS Framework updates by Juniper (and other partners) for inclusion in Hostchecker features released to end customers can be painful for Juniper and for its customers.
We are committed to releasing OESIS more frequently (currently weekly, with a goal of daily updates by end of 2014) and to make it easier for Juniper to validate OESIS releases and incorporate into their packages.
In addition, OPSWAT recently released a configurable client, GEARS, which auto-updates OESIS and stores endpoint device compliance status in the Windows Registry or Mac OS p-list.
The Host Checker can access and use this information through implementing either a (1) the default Antivirus Rule or (2) a custom process / registry checks.
A Hostchecker-GEARS configuration guide is posted at http://files.cdn.opswat.com/www.opswat.com/files/g
Using GEARS together with Hostchecker should reduce the number of issues you encounter with your end users being blocked due to their running an unrecognized endpoint security application.