There's no dilemma, because Krakatoa's simplistic script gets detected by Defender on both 11 and on 10 LTSC 2021 that I just installed on a real machine edit: Krakatoa's script in the post below no longer suffers the fake-positive fate as the #61 one So, freddie-o wtarkan DC BAU Krakatoa no external tools, can just copy-paste in powershell No No Yes No clear previous detection logs No No Yes No smartscreen Yes ? Yes No edge exe download warn off No No Yes No cloud protection high No No Yes No automatic sample submission off No No Yes No PUA protection on No No Yes No While useful to prevent yellow mark nagging if disabled, I might remove the last 3 pre-configurations and let users deal with it. I've not been recommending ToggleDefender vs other solution just to feed my ego. It's just that I have not skipped any steps in order to make to solution be future-proof. And so far it has been.
@BAU I wrote: "wsf vbscript in cmd" and "my recommendation now" Spoiler: disable_defender.cmd Code: <!-- : Begin batch script @echo off chcp 65001 >nul 2>&1 pushd "%~dp0" whoami /groups | findstr /c:"BUILTIN\Administrators" | findstr /c:" Enabled group" >nul 2>&1 && goto :isadmin echo Spusť skript jako admin pause exit :isadmin whoami /groups | findstr /c:"NT SERVICE\TrustedInstaller" | findstr /c:" Enabled group" >nul 2>&1 && goto :isti echo Spouštím skript jako TI, čekej... NSudoLC -U:T -P:E -Wait -ShowWindowMode:Hide "%~f0" echo Provedeno pause exit :isti reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /d 1 /t REG_DWORD /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f cscript //nologo "%~f0?.wsf" //job:sdstop sc config windefend start=demand reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f exit ----- Begin wsf script ---> <package> <job id="sdstop"> <script language="VBScript"> Set objWMIService = GetObject("winmgmts:\\.\root\cimv2").ExecQuery("Select * from Win32_Service Where Name='windefend'") For Each Service in objWMIService Service.StopService() Next </script> </job> </package> Spoiler: enable_defender.cmd Code: @echo off pushd "%~dp0" reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /f NET start windefend pause Not detected by Defender. Tested on the current Defender. In the table, I only listed what kind of shutdown I use, I didn't even list the script to use. I can set up Defender, MRT, SmartScreen and SecurityHealth and etc: https://krakatoa.www3.cz/win10aio.php (But I haven't checked that in months) I started responding in this thread because Defender started to detect NET / SC in CMD, later Stop-Service (to use what is not detected if possible). And also because it is trivial to add permanent disabling using DisableAntiSpyware. I wrote this as advice for freddie-o. I didn't write it as script for everything
Well, I tested the #61 post of yours, and that gets detected. Make an effort and update your posts here at mdl, crystal balls are in a scarcity so people would not know about your external domain scripts. The other points in the comparative still stand, tho But also to bash a little on ToggleDefender with some stretch about first glance, as if anyone would find text less clear than an external binary, and english harder to comprehend than czech
Oops @Krakatoa just having fun man/girl Fwiw I tried your script for 1 month straight by leaving WD disabled. The darn thing never came back to life again. Good job.
#61 is not stop windefend "wsf vbscript in cmd" Why? #61 was help/info for freddie-o. I have help scripts on the web that I use. In the table, I only listed the method that I like the most. It was not necessary to state the code, I only stated it as info, and specifically because vbscript is not detected now (windefend service off) so if a programmer wants to use it, he can ( = the programmer will definitely know what it means: "stop windefend" "wsf vbscript in cmd"). I here or on the web do not want to have a script in the sense of use for users like you or freddie-o or wtarkan. my recommendation now detected by Defender No no external tools, can just copy-paste in powershell Not necessary clear previous detection logs Not necessary smartscreen Disable edge exe download warn off Not necessary cloud protection high Not necessary automatic sample submission off Not necessary PUA protection on Not necessary Notification Disable Anything else you want to know? Sometimes it is difficult to answer some questions (Mr.X) But what I wrote is true in my opinion. #61 is simple and you know what it does at first glance. It is not clear at first glance in your script how stopping and disabling Defender works. After executing # 61, just start the windefend service. You also have depend RpcSs-TOGGLE there... Take it only as an arguments for satisfying the question Mr.X I don't stain foreign scripts, I don't pick up my ego. I was just trying to help and answer questions. Please understand that :-( I'm not trying to fight over which script is better (your vs mine), I don't care, I just say what I use. I can't speak English, I can't explain it better in English. Note: 1) Why doesn't the elevation in your script look like take-own.psm1 (not TI, I just mean the system, just for example, and not mine)? https://github.com/W4RH4WK/Debloat-Windows-10/blob/master/lib/take-own.psm1 Your code looks like obfuscated malware code .-) 2) I don't understand why net1 stop windefend is not detected in your code, when it is detected in cmd
1) That's not elevating anything, it just enables privileges for that process only, if it's already running as admin - if not, it does nothing. I will take my 2-line any time over that bloated microsoft-style crap that people lacking imagination have been copy-pasting for a long time - snippets are supposed to be compact, not be larger than the main script itself: $D1='[DllImport("ntdll")]public static extern IntPtr RtlAdjustPrivilege(int a,bool b,bool c,ref bool d);' $AP=Add-Type -Member $D1 -Name D1 -PassThru;$p=2;while($p-le36){$z=$AP::RtlAdjustPrivilege($p++,1,0,[ref]0)} What do these 2 lines do when run under powershell? Specifically Add-Type? trigger c# compiler to create a temporary exe file and then run it. I (and 3rd party AVs) do not like that behavior. On many companies csc.exe is specifically blocked. So instead I often use net reflection technique instead, that will create a module in-memory, or reuse existing net functions: $D1=[uri].module.gettype('System.Diagnostics.Process')."GetM`ethods"(42) |where {$_.Name -eq 'SetPrivilege'} #`:no-ev-warn 'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege'|foreach {$D1.Invoke($null, @("$_",2))} More self-descriptive, and specifically targeting the needed privileges in the context of taking ownership. There are some ` in there. Why? Because powershell triggers a yellow mark log warning event for even the simplest things like [IntPtr] usage, and that pollutes the log making it harder to filter actual issues. So I put more effort into evading such log pollution. It's ultimately easier to understand 10-12 lines of code than something spanning multiple pages. All it takes it split it following the language syntax ; { } | and googling the terms / functions. But that's just for taking ownership of registry keys. Running external processes as TI without making Defender scream is not trivial at all - there's a reason why all other solutions have been precompiled binaries, while mine is the only plain-text script (hint: it's easier to achieve in c/c++) 2) Because order matters. I set the policies first, then I stop windefend. Tho it works fine even without it, since I call MpCmdRun -DisableService anyway
freddie-o just replied to the wrong thread Where is your sense of adventure? Copy-paste the Courier New lines into powershell (admin) and find out! whoami /all before, and after
I was on my way out the door and was rushing to post those errors. Probably had to do too with reading the code war that went on here when i logged into MDL.
I see that here is a "game" - "which tool will be able to disable the Defender without being detected"... So, I will add my tool to this "game". Heavy and slowly PowerShell is not needed. And my tool don't need to execute any external programs. Defender Switcher v1.0
Noooo man, you should've opened a new thread !!! Less confusing. You can still open it and delete the content of this post if yours.
Neah. You don't qualify. That's an anonymous opaque external binary exe, sooner or later is gonna get flagged as malicious. Literally no reason to use vs. Defender Control for example that at least is digitally signed (and still suffered so many issues with defender). Do not let arbitrary exe touch your very last line of cyber defense. Plain-text script > everything else. The "heavy and slowly powershell" reason is rofl - your system and your tweaking skills needs revisiting if powershell does not open close to instantly
I don't thing its a game, who make better script / program an example I made things for me only, sometimes I use other work, because its better way. just making a tool not make it best tool ever totally agree with BAU I will add that BAU Coding skill are better than most of us and you see the result in his scripts for example.
@zucrin, neah, you're too kind. some stuff might appear monstrous but it's just the result of focus and hard work - anyone can do much better if they put their mind on it we are all smart people and know when to reinvent the wheel and when not, and use our energy where needed the most or where we find it more fulfilling there are literally hundreds of more talented people on these boards alone, that just focus on different things (and probably thousands not utilizing their extraordinary potential) and it's not a drama. it's motivating. there's room for everybody to find their thing and contribute however they see fit - even as comic relief