I have always used this code in my C# program:

Code:
Runspace runspace = RunspaceFactory.CreateRunspace();
runspace.Open();
Pipeline pipeline = runspace.CreatePipeline();
pipeline.Commands.AddScript("Set-MpPreference -DisableRealtimeMonitoring $true");
pipeline.Invoke();
runspace.Close();

and

Code:
RegistryKey keyx = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender", true);
keyx.SetValue("DisableAntiSpyware", 1, RegistryValueKind.DWord);
keyx.Flush();
keyx.Close();

but now in 1903 with Tamper Protection nothing works, so I have seen that the tool sordum.org/9480/defender-control-v1-5/ has a workaround, but it is written in C++; I have tried to decompile it with de4dot but got nothing. The key of interest is:

Code:
reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f

It always returns "Permission Denied", so I have tried:

Code:
SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\" -ot reg -actn setowner -ownr "n:administrator"
SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\" -ot reg -actn ace -ace "n:administrator;p:full"

with a success message, but nothing has changed. Does anyone have any idea? I have contacted the author of the tool without an answer...
Just a footnote. It can be easily disabled on a clean-installed 18362.30, but once the update is installed (.53 and above), it becomes really tamper protected.
I was at the Microsoft office in Charlotte, NC yesterday for a meeting and asked about this. They have made it almost impossible to remove Defender due to Azure and their Autopilot program with hardware OEMs. It is so OEMs can just ship devices to enterprises or SMBs, and they can enter their Azure credentials, which will AAD-join the devices and push policies and software that are set up in the Azure portal, and it relies on Defender and its services to function correctly. Also, based on 3rd-party testing, why would people want to replace Defender? It's been proven to be one of the best AV and malware programs out there, since it's backed by Microsoft Graph: the second an attack or previously unknown piece of malware is found, they can blacklist it in the graph, which then protects all Windows users from it.
YES, but I only need to disable it as the defender-control-v1-5 tool does. I would like my program to do it on 1903, but nobody knows how that program does it; the author has a very vague response. I quote his answer: "Hi Dirk In the 1903 version, a protection was added to prevent tampering with defender settings. To close the defender, you need to stop the defender service (WinDefend). This requires system + trustedinstaller authority ... Regards Sordum.org TEAM" I know a simple 800KB program can run commands with TrustedInstaller. And how do I add this "feature" to my program?
This looks like the method used by the Windows Update Blocker (wub) edited by Sordum. The authorization registry subkey of the wuauserv key is modified in such a way that Windows can't change it, and Windows Update stays disabled.
I noticed, when I installed a sysprepped/captured 18362.86 without installing the Defender platform update, tamper protection was disabled until the moment that the platform update got installed by WU.
Finally I have a solution: github.com/lilkui/runasti runs any command or program as TrustedInstaller =)
To me this makes your machine less secure, and you don't want to do that when it comes to Windows... but hey, knock yourself out.
Windows 10 is way more secure than any other Windows before. AV is not there to block malware, but to stop people from doing silly things, like opening infected links, attachments, exes, etc. It is anti-stupid software. The majority do not need AV; I bet most people have never seen a single alert from AV, meaning you do not need it, but marketing has done its work: "You get infected within a minute if you go on the internet without AV." There are some workarounds, like this one; tons of malware need scripts in one way or another. Ever heard the expression "malware downloaded and ran itself"? Well, it did not do it all by itself; scripts helped, a little.

Code:
reg add "HKCU\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\WOW6432Node\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
How can it be disabled on .30? Only by turning it off in Defender, or are there more steps involved?
.bat
Disabling services might break other Windows features like SmartScreen or System Guard, but I do not use any of those, so I have no idea.
I don't need those pop-ups. Worked like a charm, thank you. Anyway, the problem was that I first enabled the policy 'Disable Windows Defender Antivirus', and after that I disabled Tamper Protection, so I was unable to turn off Defender until I did a reset of my Windows; not sure if bug or feature.
Interesting, it seems you only need:

Code:
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

to disable Defender using GPO. I wonder if MSFT will "fix" that one way or another.
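As a defender-side counterpart to the policy values quoted in this thread, here is an added read-only audit script (written for this page, not code from any poster or from Sordum's tools) that reports whether those Defender and Script Host policy values are set and what Defender itself currently says; it assumes the Defender PowerShell module with Get-MpComputerStatus is present and exposes IsTamperProtected on this build.

```powershell
# Added example: read-only audit of the policy values discussed in this thread.
# It changes nothing; it flags values an admin would want to investigate.
# Assumes Get-MpComputerStatus is available and has IsTamperProtected on this build.

$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware';        Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring'; Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings';                   Name = 'Enabled';                   Bad = 0 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings';                   Name = 'Enabled';                   Bad = 0 }
)

# A missing value means "default" (Defender on, Script Host enabled), so only a
# present value equal to the weakening setting is flagged.
$findings = foreach ($c in $checks) {
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{
        Key     = "$($c.Path)\$($c.Name)"
        Value   = if ($null -eq $value) { '<absent>' } else { $value }
        Flagged = ($null -ne $value -and $value -eq $c.Bad)
    }
}

# Live state as reported by Defender and the service control manager.
$status  = Get-MpComputerStatus
$service = Get-Service -Name WinDefend -ErrorAction SilentlyContinue

$findings | Format-Table -AutoSize
[pscustomobject]@{
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    IsTamperProtected         = $status.IsTamperProtected
    WinDefendService          = if ($service) { $service.Status } else { 'not found' }
} | Format-List

if (($findings.Flagged -contains $true) -or -not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Defender or Script Host has been weakened by policy; check who set these values and when.'
}
```

Run it from an elevated prompt so the HKLM policy keys are readable; a value shown as <absent> is the default and is not a finding.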