Windows Defender - The worst AV ever?

Discussion in 'Application Software' started by Windows_Addict, Feb 7, 2020.

  1. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,836
    5,693
    60
    3 years later, it finally happened!
    Tamper protection is now more than just a buzzword - it actually works; Defender gained the resilience that all other AVs have been featuring for years, if not decades!
    Praise the Lord of Incompetent Developers!
    We had to wait for so long until a f**ktard at Microsoft HQ got ransomware'd via a silly script to notice the elephant-sized holes in their "security" offering.
     
  2. Windows_Addict

    Windows_Addict MDL Expert

    Jul 19, 2018
    1,251
    3,440
    60
    Finally, they woke up!
    Just tested: it also now shows an extra Defender UAC popup while adding exclusions through the command line, though it's not appearing every time; need to check the pattern.
     
  3. abbodi1406

    abbodi1406 MDL KB0000001

    Feb 19, 2011
    16,197
    84,755
    340
  4. Windows_Addict

    Windows_Addict MDL Expert

    Jul 19, 2018
    1,251
    3,440
    60
  5. acer-5100

    acer-5100 MDL Guru

    Dec 8, 2018
    3,705
    2,662
    120
    I can't wait to see an option to tamper-protect the tamper protection :D
     
  6. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,836
    5,693
    60
  7. #227 Deleted member 1385001, Feb 15, 2022
    Last edited by a moderator: Feb 15, 2022
    One more service was added to WD, like mssecflt was added after 19041 was published.
    The added service is locking your tamper protection via a protected database, the same way we do the trick on the inbox apps srdrepository database.
    I won't reveal the secret I know to disable tamper protection on an online, currently installed OS in any way, in this worst online world where everybody is racing to defeat their own well-wishers. Bloody bull s**t.
    The best way is to disable tamper protection from an offline image, then tweak WD in any way you people want.

    Thanks & Regards.
    COIN INDIA
     
  8. abbodi1406

    abbodi1406 MDL KB0000001

    Feb 19, 2011
    16,197
    84,755
    340
    So I would not be able to do this from the setup specialize phase anymore? :D
    Code:
    net stop WinDefend /y || sc stop WinDefend
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
    "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -DisableService
    I guess I will need to create an install.wim with the February LCU + latest Defender platform to confirm
     
  9. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,836
    5,693
    60
    You can do whatever you want offline.
    Code:
    @(echo off% <#%) &color 07 &title UNINSTALL DEFENDER
    set "0=%~f0" &set "1=%~f1"&set "2=%~2"& powershell -nop -c iex ([io.file]::ReadAllText($env:0)) &exit/b ||#>)[1]
    
    $_Paste_in_Powershell = {
    $uninstall = 'Windows-Defender-Client-Package'
    $packages = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages'
    $found = split-path -leaf (reg query $packages.replace(':','') /f $uninstall | findstr HKEY)
    
    function reg_own { param ( $key, $recurse='', $user='S-1-5-32-544', $owner='', $acc='Allow', $perm='FullControl', [switch]$list )
      $D1=[uri].module.gettype('System.Diagnostics.Process')."GetM`ember"('SetPrivilege',42)[0]; $u=$user; $o=$owner; $p=524288 
      'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege' |% {$D1.Invoke($null, @("$_",2))}
      $reg=$key-split':?\\',2; $key=$reg-join'\'; $HK=gi -lit Registry::$($reg[0]) -force; $re=$recurse; $in=(1,0)[$re-eq'Inherit']
      $own=$o-eq''; if($own){$o=$u}; $sid=[Security.Principal.SecurityIdentifier]; $w='S-1-1-0',$u,$o |% {new-object $sid($_)}
      $r=($w[0],$p,1,0,0),($w[1],$perm,1,0,$acc) |% {new-object Security.AccessControl.RegistryAccessRule($_)}; function _own($k,$l) {
      $t=$HK.OpenSubKey($k,2,'TakeOwnership'); if($t) { try {$n=$t.GetAccessControl(4)} catch {$n=$HK.GetAccessControl(4)}
      $u=$n.GetOwner($sid); if($own-and $u) {$w[2]=$u}; $n.SetOwner($w[0]); $t.SetAccessControl($n); $d=$HK.GetAccessControl(2)
      $c=$HK.OpenSubKey($k,2,'ChangePermissions'); $b=$c.GetAccessControl(2); $d.RemoveAccessRuleAll($r[1]); $d.ResetAccessRule($r[0])
      $c.SetAccessControl($d); if($re-ne'') {$sk=$HK.OpenSubKey($k).GetSubKeyNames(); foreach($i in $sk) {_own "$k\$i" $false}}
      if($re-ne'') {$b.SetAccessRuleProtection($in,1)}; $b.ResetAccessRule($r[1]); if($re-eq'Delete') {$b.RemoveAccessRuleAll($r[1])}
      $c.SetAccessControl($b); $b,$n |% {$_.SetOwner($w[2])}; $t.SetAccessControl($n)}; if($l) {return $b|fl} }; _own $reg[1] $list
    } # lean & mean snippet by AveYo
    
    foreach ($item in $found) {
      reg_own "$packages\$item" -recurse Replace -user 'S-1-1-0'
      set-itemproperty -Path "$packages\$item" -Name "Visibility" -Value 1
      remove-item -Path "$packages\$item\Owners"
      remove-windowspackage -Online -PackageName "$item" -NoRestart
    }
    
    } ; start -verb runas powershell -args "-nop -c & {`n`n$($_Paste_in_Powershell-replace'"','\"')}"
    $_Press_Enter
    
    What you can no longer do is turn it off and disable it programmatically without a restart when Tamper Protection is on.

    That's what Tamper Protection was supposed to be since May 2019.
    But it was not: a script like ToggleDefender has been disabling Defender regardless of Tamper Protection all this time
    (while other crap binaries did fail many times, so Microsoft did adjustments but inexplicably did not address the elephant flaw).
    It has been 3 f**kin years.
    Whenever I saw people praise Defender on reddit or post s**tty everybody-gets-a-medal shill AV comparatives my blood was boiling - any malware worth 2 cents exploited zero-days to elevate privilege from non-admin to SYSTEM, or easily bypassed UAC just by changing stuff around in a decade-old PoC, then disabled Defender with the stupid backdoor that has been DisableAntiSpyware.
     
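A defender-side audit of the state argued about in the last two posts, added here as an example (it is not code from this thread, from AveYo or from abbodi1406): it reads Defender's live status with Get-MpComputerStatus and checks the policy values from the reg add sequence quoted above, flagging any value that would switch protection off. It assumes an elevated PowerShell on a host that has the Defender module.

```powershell
# Added example: audit Windows Defender tamper-relevant state. Run elevated.
# The registry values below are the ones quoted in this thread; a value of 1
# (or 0 for TamperProtection) means protection is being switched off by policy.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$checks = @(
    @{ Path = $policyRoot;                        Name = 'DisableAntiSpyware';          Bad = 1 },
    @{ Path = $policyRoot;                        Name = 'DisableAntiVirus';            Bad = 1 },
    @{ Path = "$policyRoot\Real-Time Protection"; Name = 'DisableRealtimeMonitoring';   Bad = 1 },
    @{ Path = "$policyRoot\Real-Time Protection"; Name = 'DisableOnAccessProtection';   Bad = 1 },
    @{ Path = "$policyRoot\Real-Time Protection"; Name = 'DisableScanOnRealtimeEnable'; Bad = 1 },
    @{ Path = "$policyRoot\Features";             Name = 'TamperProtection';            Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'; Name = 'TamperProtection'; Bad = 0 }
)

# Collect every value that is present AND set to its "disabled" state.
$findings = foreach ($c in $checks) {
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $value -and $value -eq $c.Bad) {
        [pscustomobject]@{ Key = "$($c.Path)\$($c.Name)"; Value = $value; Finding = 'protection disabled by registry' }
    }
}

# Live engine state from the Defender module (these are real properties of its output object).
$status = Get-MpComputerStatus
$live = [pscustomobject]@{
    TamperProtected    = $status.IsTamperProtected
    RealTimeProtection = $status.RealTimeProtectionEnabled
    AntivirusEnabled   = $status.AntivirusEnabled
    ServiceRunning     = (Get-Service WinDefend -ErrorAction SilentlyContinue).Status -eq 'Running'
}

$live | Format-List
if ($findings) { $findings | Format-Table -AutoSize } else { 'No disabling policy values present.' }
if (-not $live.TamperProtected) {
    Write-Warning 'Tamper Protection is off: a single registry write can still disable Defender on this host.'
}
```

Run it periodically or from a scheduled task and alert on any row in the findings table or on TamperProtected being false; with Tamper Protection on, the policy values above are ignored by Defender, which is the behaviour the thread is discussing.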
  10. abbodi1406

    abbodi1406 MDL KB0000001

    Feb 19, 2011
    16,197
    84,755
    340
    I don't fiddle with CBS packages anymore, not worth it for production system
     
  11. acer-5100

    acer-5100 MDL Guru

    Dec 8, 2018
    3,705
    2,662
    120
    Defender packages are, in general, not dangerous to remove even in recent builds (I think) because that's something you can do by design on Servers.

    Then, as always, the whole matter is a continuously moving target: something that is true today can be false tomorrow
     
  12. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,836
    5,693
    60
  13. Hunterrules0_0

    Hunterrules0_0 MDL Member

    Nov 27, 2021
    101
    32
    10
    Windows Defender isn't that bad. In my opinion the best antivirus is common sense. It will protect you more than most antiviruses, and considering antiviruses like Malwarebytes warn me to update every single day, I'm kinda happy with Windows Defender.
     
  14. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,836
    5,693
    60
    All evidence to the contrary for the last couple of years. Defender did not stop anything major - maybe the lowest variety of script kiddies reusing stuff that was already hashed.
    Whenever a malware group has set its eyes on a company or individual, it has succeeded in bringing it down. Even big ones have fallen prey. The common denominator being.. Defender. And lackluster IT departments.
    A stolen certificate, a zero-day EoP, a UAC bypass for the majority of people using admin accounts as a daily driver, then just turn Defender off with a mere registry change. You never even knew you were hit just by checking Defender status..
    Let's hope Microsoft doesn't get tired mid-way on improving Defender's reliability. More work is needed.

    And please don't overestimate your common sense - it does not have much value in this day and age, when computing power and the knowledge to automate malware-on-the-fly have expanded so much.
    Do tell me more about how your common sense is able to spot sub-millisecond process hackery, race conditions or freaking rowhammer attacks flipping bits in RAM!!
    It does not have to be a classic exe or macro or pdf exploit. It could be a valid Chrome addon getting taken over, often sold, then making a mockery of Google's sandbox and their s**tty automatic store review and wreaking havoc for weeks until somebody spots it.
    I will say it many times until people beating the common sense drum get it: without computer assistance, you're naked and afraid. Afraid, because only people scared of the truth choose to live in a fantasy where they don't have to worry.
    The only saving grace is that there are hundreds of millions of targets yummier than you. Until an automatic scan spots your butt-cheeks..
     
  15. acer-5100

    acer-5100 MDL Guru

    Dec 8, 2018
    3,705
    2,662
    120

    Defender's main concerns are KMS emulators, keygens, scripts to decrap the OS and so on...

    Virus/malware? I have yet to personally see a single one caught by this thing.
     
  16. Windows Defender is very good.. only if your PC is always online / has an internet connection.
    Defender uses the online connection to protect your PC.
    So Defender with an online internet connection is almost 100% effective, but 60% effective with an offline net connection!
    But Defender is really slowing down the PC, and I mean really..

    Use COMODO Internet Security; it has a sandbox effective against 0-day malware!
     
  17. acer-5100

    acer-5100 MDL Guru

    Dec 8, 2018
    3,705
    2,662
    120
    fixed the sentence for you :p
     
  18. edbe said:
    Windows Defender is very good..only if your pc is always offline
    You are absolutely correct. I totally agree with you.
     
  19. gabardal

    gabardal MDL Novice

    Mar 20, 2009
    6
    2
    0
    So how would I go and run this? Just create a .ps1 and run as admin?
     
  20. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,836
    5,693
    60
    Just copy-pasting into a normal PowerShell would do, as the code auto-elevates.
    Or copy-paste into a .ps1 and run. Or copy-paste into a .bat and run. Or copy-paste into a .cmd and run. Hybrid script ftw!
    But why would you do that, now that Defender is getting better? ;)
     