Defender is a real irritant when doing security research and is near impossible to turn off completely and permanently. Even using the Group Policy Editor or regedits is not reliable. If you do get it to stop, it will randomly reenable itself weeks later (perhaps some timer, perhaps due to some update if you forgot to turn those off).
For the vast majority of people this is a good thing!
I've never seen Defender re-enable itself, provided that tamper detection is turned off in addition to the other stuff (in group policy and whatnot). Have you made sure to do that? And are you on 10 or 11?
Weird. I wonder why I don't see this on my Windows 10 machine. It's possible I've done something else that prevents it from running that I'm now forgetting; I don't recall. But I do see that I have something like 6 group policy settings modified; it's not just one or two.
Have you tried disabling the service & driver (WinDefend)?
If they want to do research, they probably prefer no AV. That said, there are some no-op AVs that are specifically for tricking Defender to shut off and not actually do anything.
I was just wondering if a no-op AV might work! But I thought perhaps not, as I thought Microsoft insisted on AVs running as PP/PPL (Protected Process / Protected Process Light), which isn't realistic for OSS.
Are you able to point to one please? Would love to try it and see if it works!
Yes. Current versions of Defender won’t disable scanning even if another antivirus is installed. At most, it will stop reporting infections. The CPU overhead, however, cannot be avoided by normal means.
Microsoft Dev Drive exists purely as a workaround to this self-imposed problem.