A slightly more fun way to disable Windows Defender (through the WSC API) (github.com/es3n1n)
78 points by croes on May 24, 2024 | hide | past | favorite | 44 comments


Defender is a real irritant when doing security research and is near impossible to turn off completely and permanently. Even using the Group Policy Editor or regedits is not reliable. If you do get it to stop, it will randomly reenable itself weeks later (perhaps some timer, perhaps due to some update if you forgot to turn those off).

For the vast majority of people this is a good thing!


ToggleDefender (https://github.com/AveYo/LeanAndMean/blob/main/ToggleDefende...) still works to this day!


No offense to the author, but was this deliberately written to be hard to read? Or does all PS look like this?


>it will randomly reenable itself weeks later (perhaps some timer, perhaps due to some update if you forgot to turn those off).

Probably caused by feature updates. I have it disabled on LTSC and it hasn't reenabled itself in years.


I've never seen Defender re-enable itself, provided that tamper detection is turned off in addition to the other stuff (in group policy and whatnot). Have you made sure to do that? And are you on 10 or 11?


Not op but yes, without tamper protection and disabled via group policy it reenables itself anyways. Seen it in both 10 and 11.


Weird. I wonder why I don't see this on my Windows 10 machine. It's possible I've done something else that prevents it from running that I'm now forgetting, I don't recall. But I do see that I have something like 6 group policy settings modified, it's not just one or two.

Have you tried disabling the service & driver (WinDefend)?


If you are in insider builds, it happens weekly once a new update arrives.


Easiest way to disable Defender was to install another antivirus. Did this change?


If they want to do research they probably prefer no AV. That said, there are some no-op AVs that are specifically for tricking Defender to shut off and don't actually do anything.


I was just wondering if a no-op AV might work! But I thought perhaps not, as I thought Microsoft insisted on AVs running as PP/PPL (Protected Process / Protected Process Light), which isn't realistic for OSS.

Are you able to point to one please? Would love to try it and see if it works!


Isn't this what this post is about?


Ach, I think you're right, that looks to be what they're doing.


Yes. Current versions of Defender won't disable scanning even if another antivirus is installed. At most, it will stop reporting infections. The CPU overhead however cannot be avoided by normal means.

Microsoft Dev Drive exists purely as a workaround to this self-imposed problem.


My preferred way of disabling Windows Defender is to boot Linux, mount windows partition and rename windows defender directories to *.disabled or whatever.

Example (assuming it is mounted at /mnt/ntfs):

    mv "/mnt/ntfs/Program Files/Windows Defender" "/mnt/ntfs/Program Files/Windows Defender.disabled"

    mv "/mnt/ntfs/Program Files (x86)/Windows Defender" "/mnt/ntfs/Program Files (x86)/Windows Defender.disabled"

    mv "/mnt/ntfs/ProgramData/Microsoft/Windows Defender" "/mnt/ntfs/ProgramData/Microsoft/Windows Defender.disabled"

Antivirus service fails to start and that's about it, no other side effects.

To revert just rename back.

I have dual boot set up, but I believe the Ubuntu USB install image supports NTFS.


Windows also contains 3 drivers loaded during boot, all starting with wd*, especially wdboot.sys. If they are loaded, some paths to defender and registry keys are blocked. I always remove them from the custom ISO I use to install windows using dism.exe. You can also reboot into safe mode and rename them. After that, chipping away at defender using takeownership etc. works.

If you just rename the folders, those drivers are probably still active.


Wouldn't windows' repair mechanism (dism/sfc) autofix this eventually?


Apparently not.

In my first attempt I've actually deleted the directories altogether but later wanted to scan a system manually and I couldn't repair the installation and get WD to run again.


Is there a reason this doesn't work from windows itself?


I've tried once but windows tries really hard not to let you do that.

My Windows kung-fu is rusty these days so the Linux method seemed neater.


What's happening here is when you boot to something other than the Windows residing on your main NTFS volume, then your main Windows volume is inactive (its system files are not the ones running) so all those Windows files & folders are dormant, just like any other storage medium. So you can edit the filenames without them being in use at the time, and without your normal Windows processes interfering with the deed.

With Linux you have to be able to access the Windows files for this, and for years now Linux has been able to read & write to the NTFS filesystem decently.

In the Linux example this "disables" the entire Windows Defender folder and everything in it.

In addition to that however, contained in the WinSxS folder you can find some stragglers.

I'll add the belt & suspenders non-Linux equivalent for an up-to-date W11 pro system:

Boot to the Windows startup USB device, you will not select "Install Now" because that is not what is wanted at all. Instead click "Repair my computer" and progress to troubleshooting and the command prompt. This way the terminal CMD window is from a version of "MININT" running straight from a ramdisk in memory, identified as volume X:.

If you need a scratch pad type in "notepad" and it will pop up. Now you have access to your filesystem in "DOS" with a mouse if you need it.

For this disablement, keyboard can be enough in the CMD window, without having to paste lines from a more complex script opened as a text file in notepad. For manual typing though you'd have to type in each of the Rename commands one character at a time with perfection. So you'd probably prefer pasting from prefabricated text files.

All your regular Windows folders & files will still be on your main drive, and it will almost always still be identified as C:. Those files are just sitting there dormant and you are like the Trusted Installer, looking down from your perch on X:\.

You may already be just as powerful as Linux now.

Now this just disables the antivirus executable, not the entire folder (the firewall can be controlled from the GUI, but it's not the processor-hog the antivirus is). This is not for PCs in contact with the internet!

    Rename "c:\program files\windows defender\msmpeng.exe" "c:\program files\windows defender\msmpeng.OFF"

    Rename "c:\windows\winsxs\amd64_userexperience-desktop_31bf3856ad364e35_10.0.22xxx.xxxx_none_xxxx....xx\msmpeng.exe" "c:\windows\winsxs\amd64_userexperience-desktop_31bf3856ad364e35_10.0.22xxx.xxxx_none_xxxx....xx\msmpeng.OFF"

This second disablement can be the variable one, you need to look in the WinSxS folder in advance while Windows was still running in order to check the "x" values above for your particular build before you would know your particular exact complete WinSxS sub-foldernames. The publickeytoken of 31bf3856ad364e35 may also be subject to change in the future.

Or you can even browse for the target folder in Notepad and rename the file right there using notepad without even typing any commands into the CLI. Even though it would do no good to "open" the executable in notepad, start going through the motions as if you were going to open the EXE file, and you can at least change the name through notepad's limited open/save GUI interface.

If using the correct foldernames, type or paste those two commands into the terminal (one at a time, this is not powershell) and the target executables will be instantly renamed.

When you reboot to your regular Windows, it will not be able to find the msmpeng.exe file when it wants to run it after that. So no Windows antivirus running.

But it hasn't gone away, you can always rename it back to an EXE when you do need it later on.

Based on those two Rename commands you could also reverse the "manual" renaming procedure and effectively toggle the activity of msmpeng.exe, each time using two specific "lines of code" based on the above examples. I guess you could call them very simple scripts.

From what I understand gamers do things like this when PCs are not going on the internet.


Windows' idiotic file permissions are almost impossible to manage, even if you know what you are doing.


Seems like I used to be able to do stuff like this from a bash shell under cygwin, but I haven't really used Windows since the XP era.


Is there a convenient "awesome red team" list on GitHub somewhere that collects these one-off repos and stays updated if they're eventually mitigated?

I happened to stumble across a new repo demonstrating UAC bypass by sending keys to Task Manager as well as something for AMSI (Antimalware Scan Interface): https://github.com/cybersectroll


There are multiple. Here is one I maintain, though I am very behind on it.

https://github.com/rmusser01/Infosec_Reference


Thank you for sharing.

Staying updated is almost a full-time job, I was hoping someone else was already sharing their efforts to do so.


If I'm understanding this then the WSC API calls are being used by the included Avast EXE and DLL (which, presumably, are Avast "IP" and protected by copyright).

Has anybody done reverse engineering work on the WSC API itself?


That was my first thought too. If I understood correctly, the developer claims that the API requires a signed binary in this issue: https://github.com/es3n1n/no-defender/issues/1
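Added example, not code from the linked repo or from anyone in this thread: a defender-side health check that ties together the two tampering paths discussed here, a third-party product registered through the WSC API that silences Defender, and an offline rename of msmpeng.exe or the wd* drivers. It assumes an elevated PowerShell on Windows 10/11 and that `$ExpectedAv` lists the products you actually deploy.

```powershell
function Test-DefenderHealth {
    param([string[]]$ExpectedAv = @('Windows Defender'))   # assumption: your sanctioned AV list

    # 1. What Windows Security Center believes is installed. A registered product that is
    #    not on the allow-list is exactly how a no-op AV turns Defender's engine off.
    $wsc = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            [pscustomobject]@{
                Name     = $_.displayName
                Exe      = $_.pathToSignedProductExe
                # productState is not formally documented; the widely used reading is that
                # bit 0x1000 set means the product reports itself as enabled.
                Enabled  = ($_.productState -band 0x1000) -ne 0
                Expected = $ExpectedAv -contains $_.displayName
            }
        }

    # 2. Defender's own view. Get-MpComputerStatus throws if the engine is not running.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $mpView = @{ AMServiceEnabled = $mp.AMServiceEnabled
                     RealTime         = $mp.RealTimeProtectionEnabled
                     TamperProtected  = $mp.IsTamperProtected }
    } catch {
        $mpView = @{ AMServiceEnabled = $false; RealTime = $false; TamperProtected = $null }
    }

    # 3. Service, the wd* boot/filter drivers, and the binary the thread renames offline.
    #    MsMpEng.exe normally lives under the Platform folder on current builds.
    $svc     = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $drivers = Get-CimInstance Win32_SystemDriver -Filter "Name LIKE 'Wd%'" |
        Select-Object Name, State, StartMode
    $roots   = @((Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'),
                 (Join-Path $env:ProgramFiles 'Windows Defender'))
    $engines = @(Get-ChildItem -Path $roots -Filter 'MsMpEng.exe' -Recurse -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName)

    [pscustomobject]@{
        WscProducts     = $wsc
        UnexpectedWscAv = @($wsc | Where-Object { -not $_.Expected }).Count -gt 0
        Defender        = [pscustomobject]$mpView
        WinDefendStatus = if ($svc) { $svc.Status.ToString() } else { 'missing' }
        Drivers         = $drivers
        MsMpEngFound    = $engines.Count -gt 0
        MsMpEngPaths    = $engines
    }
}

$report = Test-DefenderHealth
$report | Format-List
if ($report.UnexpectedWscAv -or -not $report.MsMpEngFound -or $report.WinDefendStatus -ne 'Running') {
    Write-Warning 'Defender posture deviates from baseline; investigate before trusting this host.'
}
```

Feed the resulting object to whatever inventory or SIEM you already use; the `UnexpectedWscAv` and `MsMpEngFound` fields are the ones worth alerting on.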


Hmm.. Is there something similar for just the firewall?

I am using simple wall, but with that Windows complains about a disabled firewall. Registering simple wall as a firewall with windows would be nice.


So, why doesn't all malware include this?


You don't need to, you can bypass it anyways through win32 function call redirection and a dozen other methods.

Antiviruses are trash, they are a mitigation that exists when the operating system does not have proper security measures in the first place. This is why Windows must ship with an AV, and everyone else laughs.


> the operating system does not have proper security measures in the first place

> everyone else laughs

Meanwhile:

    So let's install our shiny $UB3RK3WLAPP !

    # setenforce 0
    # curl http://ub3rk3wlapp.io/install | sudo bash


Notice the sudo and terminal. You must enter a password in a terminal. In windows you just click twice.


> In windows you just click twice.

Uh, oh, that means you're working on an admin account. If you are using a normal user account, you will be prompted to enter your admin credentials instead.

(You can also force this behaviour on administrator accounts. Search for the registry setting "ConsentPromptBehaviorAdmin")
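Added example, written for this thread rather than taken from it: an audit of the UAC registry values behind the "ConsentPromptBehaviorAdmin" setting mentioned above, with a helper that moves an admin account from the default two-click consent prompt to a credential prompt on the secure desktop. It assumes an elevated shell; the key path and value meanings are the ones Microsoft documents.

```powershell
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin values as documented by Microsoft.
$AdminPromptMeaning = @{
    0 = 'elevate silently (weak)'
    1 = 'prompt for credentials on the secure desktop (strong)'
    2 = 'prompt for consent on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries (default: two clicks)'
}

function Get-UacPosture {
    $p = Get-ItemProperty -Path $UacKey
    $mode = [int]$p.ConsentPromptBehaviorAdmin
    [pscustomobject]@{
        EnableLUA                  = [bool]$p.EnableLUA
        PromptOnSecureDesktop      = [bool]$p.PromptOnSecureDesktop
        ConsentPromptBehaviorAdmin = $mode
        Meaning                    = $AdminPromptMeaning[$mode]
        # Admins must type a password (the behaviour the comment above recommends).
        CredentialRequired         = $mode -in 1, 3
        # Weak: UAC off, prompt not isolated on the secure desktop, or silent elevation.
        Weak = (-not $p.EnableLUA) -or (-not $p.PromptOnSecureDesktop) -or ($mode -eq 0)
    }
}

function Set-UacCredentialPrompt {
    # Require a password, on the secure desktop, even for members of Administrators.
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
    # A change to EnableLUA only takes effect after a reboot; the other two apply immediately.
}

Get-UacPosture
# Set-UacCredentialPrompt   # uncomment to apply the hardened setting
```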


On Windows installs the default user created in a home/pro install is an admin and it never prompts the user to go create a non-admin account for daily use. This actually makes perfect sense in itself (beyond the behavior defaults you mention being backwards).


Notice you ignored setenforce and that it's already a root session.


how is that any different? you're still allowing arbitrary code to run.

Unless you are saying that those who type into the terminal will first |echo the script into a file, verify it, then run?


"Secure by Design" [0] MacOS also ships with at least 2 different virus scanners [1] that are as active as Defender

[0] https://www.apple.com/business/docs/site/AAW_Platform_Securi...

[1] https://arstechnica.com/gadgets/2022/08/apple-quietly-revamp...


Not even close to "as active". Defender will scan everything, even windows own updates. It is the reason why Windows machines perform poorly and why battery life is a joke on that platform. It's intrusive and doesn't care much about resource use.


My Lenovo X13s lasts about 15 hours on a charge and performs very well.


Does it require elevated privileges?


Apparently this could be reduced to a VBScript: https://infosec.exchange/@bontchev/112494759440985111


Click saver: no vbscript implementation is presented.


brilliant, thanks for sharing. seems to work great. i mostly tolerate Windows Defender, but the lack of configurability is pretty maddening sometimes.



