Defender is a real irritant when doing security research and is near impossible to turn off completely and permanently. Even using the Group Policy Editor or regedits is not reliable. If you do get it to stop, it will randomly reenable itself weeks later (perhaps some timer, perhaps due to some update if you forgot to turn those off).
For the vast majority of people this is a good thing!
If they want to do research they probably prefer no AV. That said there are some no-op AV's that are specifically for tricking defender to shut off and not actually do anything
I was just wondering if a no-op AV might work! But I thought perhaps not, as I thought Microsoft insisted on AVs running as PP/PPL (Protected Process / Protected Process Light), which isn't realistic for OSS.
Are you able to point to one please? Would love to try it and see if it works!
Yes. Current versions of Defender won’t disable scanning even if another anti virus is installed. At most, it will stop reporting infections. The CPU overhead however cannot be avoided by normal means.
Microsoft Dev Drive exists purely as a workaround to this self-imposed problem.
I've never seen Defender re-enable itself, provided that tamper detection is turned off in addition to the other stuff (in group policy and whatnot). Have you made sure to do that? And are you on 10 or 11?
Weird. I wonder why I don't see this on my Windows 10 machine. It's possible I've done something else that prevents it from running that I'm now forgetting, I don't recall. But I do see that I have something like 6 group policy settings modified, it's not just one or two.
Have you tried disabling the service & driver (WinDefend)?
If I'm understanding this then the WSC API calls are being used by the included Avast EXE and DLL (which, presumably, are Avast "IP" and protected by copyright).
Has anybody done reverse engineering work on the WSC API itself?
You dont need to, you can bypass it anyways through win32 function call redirection and a dozen other methods.
Antivirus's are trash, they are a mitigation that exists when the operating system does not have proper security measures in the first place. This is why Windows must ship with an AV, and everyone else laughs.
Uh, oh, that means you're working on an admin account. If you are using a normal user account, you will be prompted to enter your admin credentials instead.
(You can also force this behaviour on administrator accounts. Search for the registry setting "ConsentPromptBehaviorAdmin")
On Windows installs the default user created in a home/pro install is an admin and it never prompts the user to go create a non-admin account for daily use. This actually makes perfect sense in itself (beyond the behavior defaults you mention being backwards).
Not even close to "as active". Defender will scan everything, even windows own updates. It is the reason why Windows machines perform poorly and why battery life is a joke on that platform. It's intrusive and doesn't care much about resource use.
My preferred way of disabling Windows Defender is to boot Linux, mount windows partition and rename windows defender directories to *.disabled or whatever.
In my first attempt I've actually deleted the directories altogether but later wanted to scan a system manually and I couldn't repair the installation and get WD to run again.
What's happening here is when you boot to something else other than the Windows residing on your main NTFS volume, then your main Windows volume is inactive (its system files are not the ones running) so all those Windows files & folders are dormant, just like any other storage medium. So you can edit the filenames without them being in use at the time, and without your normal Windows processes interfering with the deed.
With Linux you have to be able to access the Windows files for this, and for years now Linux has been able to read & write to the NTFS filesystem decently.
In the Linux example this "disables" the entire Windows Defender folder and everything in it.
In addition to that however, contained in the WinSxS folder you can find some stragglers.
I'll add the belt & suspenders non-Linux equivalent for an up-to-date W11 pro system:
Boot to the Windows startup USB device, you will not select "Install Now" because that is not what is wanted at all. Instead click "Repair" my computer and progress to troubleshooting and the command prompt. This way the terminal CMD window is from a version of "MININT" running straight from a ramdisk in memory, identified as volume X:.
If you need a scratch pad type in "notepad" and it will pop up. Now you have access to your filesystem in "DOS" with a mouse if you need it.
For this disablement, keyboard can be enough in the CMD window, without having to paste lines from a more complex script opened as a text file in notepad. For manual typing though you'd have to type in each of the Rename commands one character at at time with perfection. So you'd probably like the pasting from prefabricated text files more likely.
All your regular Windows folders & files will still be on your main drive, and it will almost always still be identified as C:. Those files are just sitting there dormant and you are like the Trusted Installer, looking down from your perch on X:\.
You may already be just as powerful as Linux now.
Now this just disables the antivirus executable, not the entire folder (the firewall can be controlled from the GUI, but it's not the processor-hog the antivirus is). This is not for PC's in contact with the internet ! :
This second disablement can be the variable one, you need to look in the WinSxS folder in advance while Windows was still running in order to check the "x" values above for your particular build before you would know your particular exact complete WinSxS sub-foldernames. The publickeytoken of 31bf3856ad364e35 may also be subject to change in the future.
Or you can even browse for the target folder in Notepad and rename the file right there using notepad without even typing any commands into the CLI. Even though it would do no good to "open" the executable in notepad, start going through the motions as if you were going to open the EXE file, and you can at least change the name through notepad's limited open/save GUI interface.
If using the correct foldernames, type or paste those two commands into the terminal (one at a time, this is not powershell) and the target executables will be instantly renamed.
When you reboot to your regular Windows, it will not be able to find the msmpeng.exe file when it wants to run it after that. So no Windows antivirus running.
But it hasn't gone away, you can always rename it back to an EXE when you do need it later on.
Based on those two Rename commands you could also reverse the "manual" renaming procedure and effectively toggle the activity o...
Windows also contains 3 drivers loaded during boot, all starting with wd*, especially wdboot.sys. If they are loaded, some paths to defender and registry keys are blocked. I always remove them from the custom ISO I use to install windows using dism.exe.
You can also reboot into safe mode and rename them. After that, chipping away at defender using takeownership etc. works.
If you just rename the folders, those drivers are probably still active
Is there a convenient "awesome red team" list on GitHub somewhere that collects these one-off repos and stays updated if they're eventually mitigated?
I happened to stumble across a new repo demonstratng UAC bypass by sending keys to Task Manager as well as something for AMSI (Antimalware Scan Interface): https://github.com/cybersectroll
46 comments
[ 4.5 ms ] story [ 99.7 ms ] threadFor the vast majority of people this is a good thing!
Are you able to point to one please? Would love to try it and see if it works!
Microsoft Dev Drive exists purely as a workaround to this self-imposed problem.
Probably caused by feature updates. I have it disabled on LTSC and it hasn't reenabled itself in years.
Have you tried disabling the service & driver (WinDefend)?
Has anybody done reverse engineering work on the WSC API itself?
I am using simple wall, but with that Windows complains about a disabled firewall. Registering simple wall as a firewall with windows would be nice.
Antivirus's are trash, they are a mitigation that exists when the operating system does not have proper security measures in the first place. This is why Windows must ship with an AV, and everyone else laughs.
> everyone else laughs
Meanwhile:
Unless you are saying that those who type into the terminal will first |echo the script into a file, verify it, then run?
Uh, oh, that means you're working on an admin account. If you are using a normal user account, you will be prompted to enter your admin credentials instead.
(You can also force this behaviour on administrator accounts. Search for the registry setting "ConsentPromptBehaviorAdmin")
[0] https://www.apple.com/business/docs/site/AAW_Platform_Securi...
[1] https://arstechnica.com/gadgets/2022/08/apple-quietly-revamp...
Example (assuming it is mounted at /mnt/ntfs):
mv "/mnt/ntfs/Program Files/Windows Defender" "/mnt/ntfs/Program Files/Windows Defender.disabled"
mv "/mnt/ntfs/Program Files (x86)/Windows Defender" "/mnt/ntfs/Program Files (x86)/Windows Defender.disabled"
mv "/mnt/ntfs/ProgramData/Microsoft/Windows Defender" "/mnt/ntfs/ProgramData/Microsoft/Windows Defender.disabled"
Antivirus service fails to start and that's about it, no other side effects.
To revert just rename back.
I have dual boot set up, but I believe the Ubuntu USB install image supports NTFS.
In my first attempt I've actually deleted the directories altogether but later wanted to scan a system manually and I couldn't repair the installation and get WD to run again.
My Windows kung-fu is rusty these days so the Linux method seemed neater.
With Linux you have to be able to access the Windows files for this, and for years now Linux has been able to read & write to the NTFS filesystem decently.
In the Linux example this "disables" the entire Windows Defender folder and everything in it.
In addition to that however, contained in the WinSxS folder you can find some stragglers.
I'll add the belt & suspenders non-Linux equivalent for an up-to-date W11 pro system:
Boot to the Windows startup USB device, you will not select "Install Now" because that is not what is wanted at all. Instead click "Repair" my computer and progress to troubleshooting and the command prompt. This way the terminal CMD window is from a version of "MININT" running straight from a ramdisk in memory, identified as volume X:.
If you need a scratch pad type in "notepad" and it will pop up. Now you have access to your filesystem in "DOS" with a mouse if you need it.
For this disablement, keyboard can be enough in the CMD window, without having to paste lines from a more complex script opened as a text file in notepad. For manual typing though you'd have to type in each of the Rename commands one character at at time with perfection. So you'd probably like the pasting from prefabricated text files more likely.
All your regular Windows folders & files will still be on your main drive, and it will almost always still be identified as C:. Those files are just sitting there dormant and you are like the Trusted Installer, looking down from your perch on X:\.
You may already be just as powerful as Linux now.
Now this just disables the antivirus executable, not the entire folder (the firewall can be controlled from the GUI, but it's not the processor-hog the antivirus is). This is not for PC's in contact with the internet ! :
Rename "c:\program files\windows defender\msmpeng.exe" "c:\program files\windows defender\msmpeng.OFF"
Rename "c:\windows\winsxs\amd64_userexperience-desktop_31bf3856ad364e35_10.0.22xxx.xxxx_none_xxxx....xx\msmpeng.exe" "c:\windows\winsxs\amd64_userexperience-desktop_31bf3856ad364e35_10.0.22xxx.xxxx_none_xxxx....xx\msmpeng.OFF"
This second disablement can be the variable one, you need to look in the WinSxS folder in advance while Windows was still running in order to check the "x" values above for your particular build before you would know your particular exact complete WinSxS sub-foldernames. The publickeytoken of 31bf3856ad364e35 may also be subject to change in the future.
Or you can even browse for the target folder in Notepad and rename the file right there using notepad without even typing any commands into the CLI. Even though it would do no good to "open" the executable in notepad, start going through the motions as if you were going to open the EXE file, and you can at least change the name through notepad's limited open/save GUI interface.
If using the correct foldernames, type or paste those two commands into the terminal (one at a time, this is not powershell) and the target executables will be instantly renamed.
When you reboot to your regular Windows, it will not be able to find the msmpeng.exe file when it wants to run it after that. So no Windows antivirus running.
But it hasn't gone away, you can always rename it back to an EXE when you do need it later on.
Based on those two Rename commands you could also reverse the "manual" renaming procedure and effectively toggle the activity o...
If you just rename the folders, those drivers are probably still active
I happened to stumble across a new repo demonstratng UAC bypass by sending keys to Task Manager as well as something for AMSI (Antimalware Scan Interface): https://github.com/cybersectroll
https://github.com/rmusser01/Infosec_Reference
Staying updated is almost a full-time job, I was hoping someone else was already sharing their efforts to do so.