• BleepingComputer: Malware can no longer disable MS Defender via the Registry

    #2290190

    Another excellent report from Lawrence Abrams: Microsoft has removed the ability to disable Microsoft Defender and third-party security software via t
    [See the full post at: BleepingComputer: Malware can no longer disable MS Defender via the Registry]

    • #2290234

      If you want to check your version, which is buried deep! Here’s how.

      • PC Settings
      • Update & Security
      • Windows Security
      • Virus & threat protection
      • Click gear at lower left.
      • About

      HTH

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

      3 users thanked author for this post.
    • #2290265

      disable Microsoft Defender and third-party security software via the Registry

      How can an update to Defender (which I don’t run) protect third-party security software?

      My Defender version:

      Antimalware Client Version: 4.18.1902.5
      Engine Version: 0.0.0.0
      Antivirus Version: 0.0.0.0
      Antispyware Version: 0.0.0.0

      I use Kaspersky Anti-Virus 2021

      • This reply was modified 4 years, 9 months ago by Alex5723.
      1 user thanked author for this post.
      • #2290270

        By ignoring that registry key.

        But it’s only relevant on 1809 or older, due to default tamper protection in 1903 or newer.

      • #2290315

        Same situation but there were no changes.
        Defender remains disabled.

        My Defender version:

        Antimalware client version: 4.18.2008.4
        Engine version: 0.0.0.0
        Antivirus version: 0.0.0.0
        Antispyware version: 0.0.0.0

        After the new version of the antimalware client:
        4.18.2007.8

        Kaspersky Internet Security 2020

    • #2290281

      Regardless of the “updated” documentation, the <DisableAntiSpyware> unattended setting has not worked since the very first Windows 10 release (v1507);
      the caution notice has been correct ever since:

      Setting this value to true will not change Microsoft Defender Antivirus behavior on client devices (both managed and unmanaged). This setting only applies to Windows Server.

      I can easily disable tamper protection and Defender in the registry, via RunSynchronousCommand during Windows setup.

      1 user thanked author for this post.
      • #2290302

        More info on the RunSynchronousCommand via MSFT: runsynchronouscommand
        Interesting..

        Windows - commercial by definition and now function...
      • #2290304

        There is another caution:

        If a malware added the DisableAntiSpyware value to the Registry, and then rebooted the computer, on reboot Tamper Protection would remove the value.

        Windows Security, though, would still be disabled for that session until the computer is rebooted again.

    • #2290534

      “Well done on all accounts”? Sigh. Not for me.

      As someone on the original article asked “So, there is now no way whatsoever to run a system without Defender?”

      I may be in an extreme minority. But I want to have a choice of “No Protection at all” if I run Windows 10. I wonder if this can still be done past this Defender update.

      I only do test runs with Windows 10 1809 LTSC for the moment and this “feature” won’t affect me for a while. But I will want to investigate and it seems I will have to do some experiments myself (using virtual machines) once Windows 10 20H2 is officially released, to see whether Defender can still be disabled, as this feature update will most certainly include this “feature”.

      If there is no way to do that I may have to do something like “install a 3rd party a/v and set it to allow everything and just notify, or something” as said by someone commenting on that article.

      And guys, please do not try to convince me how such “Protection” in Windows 10 is necessary, whether by Defender or other 3rd party products. Thank you.

      Hope for the best. Prepare for the worst.

      • #2376677

        I am on 20h2 and it can still be disabled via the registry. Of course you have to turn off tamper protection first but it still works to disable it. I’m on the newest version of Defender (July 2021). However you will find it re-enables shortly after a reboot. There is a way to prevent that, though, but it’s a bit complex.

    • #2376691

      I disable/enable (i.e. toggle) Defender in my Windows 10 VMs using Sordum.org’s Defender Control:

      defender_control

      Hope this helps…

    • #2376709

      Hey Y’all,

      I tried my PowerShell method of disabling Defender and although it runs w/o tripping the error catch no change is made to Defender’s status!

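        # Ask Defender to turn off real-time monitoring; ErrorAction 'Stop'
        # turns any cmdlet error into an exception handled by Catch
        Try {
            $SMPPArgs = @{
                DisableRealtimeMonitoring = $True
                ErrorAction               = 'Stop'
            }
            Set-MpPreference @SMPPArgs
        }
        Catch {
            "Windows Defender isn't installed or attempt" +
            " to disable real time monitoring failed!"
        }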
      

      HTH 😎

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
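
Added example, not part of any post in this thread: a read-only PowerShell audit that reports the Defender versions shown on the About page, whether Tamper Protection and real-time protection are on, and whether a DisableAntiSpyware policy value is present. The function name, the policy-key path (the commonly documented location, not quoted in the thread) and the constructed fallback sample are assumptions of this example; the status properties are those returned by Get-MpComputerStatus.

```powershell
# Added example: read-only audit, changes nothing on the system.
# Assumption: documented policy location of the DisableAntiSpyware value.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

function Get-DefenderTamperFinding {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] $Status,  # object shaped like Get-MpComputerStatus output
        $DisableAntiSpyware              # registry value, or $null when absent
    )
    $findings = @()
    if ($null -ne $DisableAntiSpyware) {
        $findings += "DisableAntiSpyware=$DisableAntiSpyware found under the policy key; check what wrote it"
    }
    if (-not $Status.IsTamperProtected) {
        $findings += 'Tamper Protection is off'
    }
    if (-not $Status.RealTimeProtectionEnabled) {
        $findings += 'Real-time protection is off'
    }
    if ($Status.AMEngineVersion -eq '0.0.0.0') {
        $findings += 'Engine reports 0.0.0.0, as in the posts above where a third-party AV is installed'
    }
    [pscustomobject]@{
        ClientVersion = $Status.AMProductVersion
        EngineVersion = $Status.AMEngineVersion
        Findings      = $findings
    }
}

try {
    # Live data on a Windows machine with the Defender module available
    $status = Get-MpComputerStatus -ErrorAction Stop
    $value  = (Get-ItemProperty -Path $PolicyKey -Name DisableAntiSpyware `
                   -ErrorAction SilentlyContinue).DisableAntiSpyware
}
catch {
    # Constructed sample, using a version string quoted in the thread
    $status = [pscustomobject]@{
        AMProductVersion          = '4.18.2008.4'
        AMEngineVersion           = '0.0.0.0'
        IsTamperProtected         = $false
        RealTimeProtectionEnabled = $false
    }
    $value = 1
}

Get-DefenderTamperFinding -Status $status -DisableAntiSpyware $value | Format-List
```

Running it before and after a configuration change shows whether the change actually took effect, which a cmdlet returning without error does not by itself confirm.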