Disabling Windows Defender (and what MSFT does without your consent afterwards...)


There are many articles out there on how to do this. Sadly, many are still incorrect and you may go crazy trying to figure out why you just can't seem to disable Windows Defender (now Microsoft Defender).

First I'll share very quickly how to triage this. If you just want the answer, jump to the bottom :)

When to do this?

This is useful for testing, and even more so for building lab environments where Defender is disabled. With Defender out of the way, you can play with real malware, learn about threats, perform research, etc.

You don't need to do any of this if you are installing any AV or next-gen endpoint protection product, such as CrowdStrike--this will be done for you during the agent installation process.

Insert ProcMon

Instead of just giving you the answer, let's cover some basic ways to figure out how to triage this. Many sites, including MSFT, still point you at the regkey:

HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

This simply doesn't work. Go ahead and Bing/Google it now and you'll see all the resources pointing to this regkey. Perhaps this was right back in the day? Who knows.

But instead of just climbing on the backs of others, perhaps I could do an ounce of research on my own.

So by disabling real-time protection myself:

With ProcMon running (part of Sysinternals, something else you should auto-install in such environments with choco), you see this:

Note the Detail column shows us the handle to the regkey is "Read/Write". We can see the full path in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection

Note that there is no "policies" in the path!

Also note, we can see what value this should be, when disabled, captured in the above "Detail" column. By using the "jump to" feature, we can quickly pivot to the registry in regedit:

Insert hero: Ansible

So, what do we need to do in Ansible? Easy, thanks to win_regedit (make sure to use the community supported version, from ansible.windows!).

Of course, if we change this value we should reboot (at least for labs), so in Ansible, whenever I modify this value I have the play do this:

If you get an error, you must revisit how to disable Tamper Protection--MSFT is starting to kill off Active Directory, pushing for Microsoft Endpoint Manager (MEM), and although they state you can use SCCM--almost giving you the feeling you can do w/o MEM--it's only useful when in "hybrid" mode, syncing with MEM. Depending on the version of Windows, you may find a way to programmatically disable Tamper Protection without installing another AV/NGAV/EPP vendor. Your mileage may vary.

A note on Microsoft's sketchiness

Weirdly, via this route, I can see MSFT automatically changing some of my SpynetReporting settings when I modify this. They must know something weird is going on when you disable this, so they appear to force you to share malware samples with them.
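As an added check (my own example, not the author's Ansible play), a PowerShell script that verifies the state after the change above and shows the Spynet side effect just described. It reads the non-Policies key ProcMon revealed, the Spynet values, and what the Defender engine itself reports, and flags the case where Tamper Protection has silently reverted the key. It assumes the value ProcMon's Detail column showed is `DisableRealtimeMonitoring`, and that `SpynetReporting` and `SubmitSamplesConsent` are the two Spynet values that moved.

```powershell
# Added example, not code from the original post. Audits the Defender
# state this post describes: the registry view, the Spynet (sample
# submission) view, and the engine's own view, then reports mismatches.
# Assumptions: the value written under the Real-Time Protection key is
# DisableRealtimeMonitoring; the Spynet values that Defender touched are
# SpynetReporting and SubmitSamplesConsent.

$rtpKey    = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection'
$spynetKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Spynet'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Return $null when the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Registry view: 1 means real-time monitoring was switched off via the key.
$regDisabled = Get-RegDword -Path $rtpKey -Name 'DisableRealtimeMonitoring'

# Sample-submission view (0 = off, 1 = basic, 2 = advanced membership;
# consent: 0 = always prompt, 1 = send safe, 2 = never send, 3 = send all).
$spynet  = Get-RegDword -Path $spynetKey -Name 'SpynetReporting'
$samples = Get-RegDword -Path $spynetKey -Name 'SubmitSamplesConsent'

# Engine view: what Defender is actually doing right now, and whether
# Tamper Protection will undo registry edits on its own.
$status = Get-MpComputerStatus

[pscustomobject]@{
    RegistryDisableRealtimeMonitoring = $regDisabled
    EngineRealTimeProtectionEnabled   = $status.RealTimeProtectionEnabled
    TamperProtected                   = $status.IsTamperProtected
    SpynetReporting                   = $spynet
    SubmitSamplesConsent              = $samples
} | Format-List

# The failure mode the post warns about: key says disabled, engine still on.
if ($regDisabled -eq 1 -and $status.RealTimeProtectionEnabled) {
    Write-Warning 'Registry says disabled, but the engine still reports real-time protection on.'
    if ($status.IsTamperProtected) {
        Write-Warning 'Tamper Protection is enabled and reverts this key; deal with it first.'
    }
}
```

Run it once before and once after the Ansible play (and after the reboot) and diff the two listings; any Spynet value that moved without you touching it is the behaviour described above.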

I'll let you explore more and research more about this--but let this be a good reminder of why doing your own research can be very rewarding, especially if it's repeatable.

Stay vigilant.

Andrew