barterwhe.blogg.se

Windows defender how to disable









Once again, after a Windows update, Windows Defender activated itself again. It finally bothered me enough to take an actual look at how to disable it permanently and reliably, in a fully automated way (a PowerShell script), on my Windows 10 20H2 (build 19042).

This script is not intended as a “stop/start” solution. It aims at permanently disabling Windows Defender, even removing its files if you choose to.

I made it as a malware analyst, for my own usage, and decided to share it to help others. The “general public” might find another, easier-to-use solution that suits their needs better. I would also add that some alternative working solutions have been added in the comments of this article (many thanks to their writers!): they are definitely worth checking.

TL;DR: the final script can be found here:

Registry configuration

First, I took some time to look at the registry configuration: where the parameters are located, and how/when the values are changed. Procmon, from SysInternals, is a very convenient tool for this kind of research. I looked for registry accesses with “Defender” in the path. From the result, we get a first idea of the configuration location: the most interesting keys seem to be under HKLM\SOFTWARE\Microsoft\Windows Defender.

Then I proceeded to check the keys for each parameter.

First on the list is the “Real-Time protection”, which modifies the key HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring.

Then the “cloud-delivered protection”, with the key HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting.

(For reference, the key for “Automatic sample submission” is HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSampleConsent.)

The “Tamper Protection” is next, using 2 keys: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection (4 when disabled) and HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtectionSource (2 when disabled).

And lastly, exclusions are stored in subkeys of HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions, depending on their type.

Now, one thing to note is that the Administrator (meaning members of the BUILTIN\Administrators group) cannot change those keys (only SYSTEM can). And even as SYSTEM, with tamper protection off, writing is still not authorized.

There is no option to disable “Tamper Protection” in PowerShell (that’s the point…). We can’t edit the configuration directly in the registry, even as SYSTEM.

What I used to do was use Set-MpPreference to add whole drives as exceptions, but sometimes I would still get alerts: Defender is still running and analyzing my actions.
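A read-only check of the registry values listed in the “Registry configuration” part, written for this page as an added example (it is not the author's script): it reports each value, flags the ones whose “disabled” value is known, and lists any configured exclusions. Treating DisableRealtimeMonitoring = 1 as “disabled” is an assumption based on the value's name, and the function names are hypothetical.

```powershell
# Added example: read-only audit of the Defender registry values named in the text.
# Nothing is written. Run from an elevated prompt so that every key is readable.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'

# DisabledWhen is set only where a meaning is known: TamperProtection = 4 and
# TamperProtectionSource = 2 come from the text; DisableRealtimeMonitoring = 1
# is an assumption based on the value's name. Other values are reported as-is.
$checks = @(
    @{ Key = 'Real-Time Protection'; Name = 'DisableRealtimeMonitoring'; DisabledWhen = 1 }
    @{ Key = 'SpyNet';   Name = 'SpyNetReporting';        DisabledWhen = $null }
    @{ Key = 'SpyNet';   Name = 'SubmitSampleConsent';    DisabledWhen = $null }
    @{ Key = 'Features'; Name = 'TamperProtection';       DisabledWhen = 4 }
    @{ Key = 'Features'; Name = 'TamperProtectionSource'; DisabledWhen = 2 }
)

function Get-DefenderRegistryState {   # hypothetical helper name
    foreach ($c in $checks) {
        $path  = Join-Path $base $c.Key
        $item  = Get-ItemProperty -LiteralPath $path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        $state = 'reported only'
        if ($null -eq $value) { $state = 'absent or unreadable' }
        if ($null -ne $value -and $null -ne $c.DisabledWhen) {
            $state = if ($value -eq $c.DisabledWhen) { 'DISABLED' } else { 'not the disabled value' }
        }
        [pscustomobject]@{ Setting = "$($c.Key)\$($c.Name)"; Value = $value; State = $state }
    }
}

function Get-DefenderExclusion {       # hypothetical helper name
    # Exclusions live in subkeys of ...\Exclusions, one subkey per type; each
    # registry value name under a subkey is one excluded item.
    $root = Join-Path $base 'Exclusions'
    Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
        $type = $_.PSChildName
        foreach ($name in $_.GetValueNames()) {
            [pscustomobject]@{ Type = $type; Excluded = $name }
        }
    }
}

Get-DefenderRegistryState | Format-Table -AutoSize
Get-DefenderExclusion     | Format-Table -AutoSize
```

On a machine that is supposed to be protected, a DISABLED row or an exclusion covering a whole drive is worth investigating.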










