diff --git a/src/application/collections/windows.yaml b/src/application/collections/windows.yaml
index a96aa9358..48e5f0457 100644
--- a/src/application/collections/windows.yaml
+++ b/src/application/collections/windows.yaml
@@ -14963,20 +14963,43 @@ actions:
# 3. Try `DisableServiceInRegistryAsTrustedInstaller` as last effort.
children:
-
- name: Disable "Microsoft Defender Antivirus Service"
- # ❗️ Breaks `Set-MpPreference` PowerShell cmdlet that helps to manage Defender
- # E.g. `Set-MpPreference -Force -MAPSReporting 0` throws:
- # `Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference.`
- # `Target: MAPS_MAPSReporting. FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference`
+ name: Disable "Microsoft Defender Antivirus Service" (breaks `Set-MpPreference` cmdlet)
docs: |-
- https://web.archive.org/web/20240314091238/https://batcmd.com/windows/10/services/windefend/
+ This script disables the "Microsoft Defender Antivirus Service" and its associated process (`MsMpEng.exe`).
- ### Overview of default service statuses
+ This service is known both as "Microsoft Defender Antivirus Service" [1] [2] and "Windows Defender Service" [2].
+ It is the primary component of Microsoft Defender Antivirus [2], essential for its functionality [1] [3].
+ It runs the `MsMpEng.exe` executable [4] [5].
+ This executable is also known as "Microsoft Defender Antivirus service executable" [6] or "Antimalware Service Executable" [1].
+ The executable is located at `%PROGRAMFILES%\Windows Defender` [4] [5] [6] on modern Windows versions
+ and at `%PROGRAMFILES%\Microsoft Security Client` on older versions [6].
+ It is crucial for the functionality of Microsoft Defender for Endpoint [6].
- | OS Version | Status | Start type |
- | ---------- | -------| ---------- |
- | Windows 10 (≥ 22H2) | 🟢 Running | Automatic |
- | Windows 11 (≥ 23H2) | 🟢 Running | Automatic |
+ Disabling this service interrupts the `Set-MpPreference` PowerShell cmdlet.
+ This cmdlet configures preferences for Windows Defender scans and updates [7].
+ Attempting to use this cmdlet after disabling the service results in an error.
+ Here is an example:
+
+ ```
+ $ Set-MpPreference -Force -MAPSReporting 0
+
+ Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference.
+ Target: MAPS_MAPSReporting. FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference.
+ ```
+
+ Disabling this service may optimize system performance by reducing resource usage.
+
+ > **Caution:** Disabling this service:
+ > - May impair your ability to configure Defender scans and updates using PowerShell.
+ > - Decreases your security by affecting real-time malware protection.
+
+ [1]: https://web.archive.org/web/20240609145624/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows Overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
+ [2]: https://web.archive.org/web/20240609150337/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-worldwide "Microsoft Defender Antivirus on Windows Server - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
+ [3]: https://web.archive.org/web/20240609145030/https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide "Troubleshoot Microsoft Defender for Endpoint onboarding issues - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
+ [4]: https://web.archive.org/web/20240314091238/https://batcmd.com/windows/10/services/windefend/ "Microsoft Defender Antivirus Service - Windows 10 Service - batcmd.com | batcmd.com"
+ [5]: https://web.archive.org/web/20240609144111/https://batcmd.com/windows/11/services/windefend/ "Microsoft Defender Antivirus Service - Windows 11 Service - batcmd.com | batcmd.com"
+ [6]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - 
Proxy Service URLs (Commercial) | download.microsoft.com"
+ [7]: https://web.archive.org/web/20240609150331/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com"
call:
-
# Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
@@ -14985,11 +15008,17 @@ actions:
parameters:
serviceName: WinDefend # Check: (Get-Service -Name 'WinDefend').StartType
defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual
- # - # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2
+ # -
+ # # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2
+ # # Something like SoftDeleteFiles | RunAsTrustedInstaller would solve the issue.
# function: SoftDeleteFiles
# parameters:
# fileGlob: '%PROGRAMFILES%\Windows Defender\MsMpEng.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ...
# grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
+ -
+ function: TerminateAndBlockExecution
+ parameters:
+ executableNameWithExtension: MsMpEng.exe
-
category: Disable Defender kernel-level drivers
children:
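Review bot: The sentence `Disabling this service may optimize system performance by reducing resource usage.` is the only statement in the rewritten `docs` block without a citation while every neighbouring sentence carries a `[n]` reference; attach a source or drop it. The caution bullet `> - Decreases your security by affecting real-time malware protection.` understates what the script does: with the service disabled, Defender performs no real-time or scheduled scanning at all, so say that plainly and name the revert path (re-enabling the service restores protection), e.g. `> - Leaves the system without Defender real-time and scheduled scanning until the service is re-enabled.`. The table of default service statuses that the old docs had is removed without replacement, so the reader no longer sees what start type to expect on which Windows version; keeping that table under the new prose would preserve useful verification data. The `name`/`docs` entry's `call:` list continues past this hunk.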
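Review bot: The new `TerminateAndBlockExecution` step for `MsMpEng.exe` carries no tested-status comment, although the commented-out `SoftDeleteFiles` block directly above records that the same file has been protected on Windows 10 and 11 since 22H2 and every other Defender step in this list annotates which function works on which build. The engine process is presumably protected in the same way as its file, so termination may fail or the process may be restarted by the service; record the observed result in the existing style, e.g. `# Windows 10 (22H2): ❓ not tested | Windows 11 (23H2): ❓ not tested`, and note in the entry's docs that the block takes effect only once the service itself has been disabled. The hunk also rewrites the old `# - # ❌ "Access is denied" ...` comment into a three-line commented stanza without a tested-build note for the proposed `RunAsTrustedInstaller` idea; a short `# TODO:` with the Windows build it was last tried on would make it actionable.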
@@ -15075,6 +15104,88 @@ actions:
parameters:
fileGlob: '%SYSTEMROOT%\System32\drivers\WdBoot.sys'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
+ -
+ name: Disable Microsoft Security Core Boot Driver # TODO: Not tested
+ docs: |-
+ https://batcmd.com/windows/11/services/msseccore/ # TODO: Add docs
+ call:
+ -
+ function: DisableService
+ parameters:
+ serviceName: WdBoot # Check: (Get-Service -Name 'WdBoot').StartType
+ defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual
+ -
+ function: SoftDeleteFiles
+ parameters:
+ fileGlob: '%SYSTEMROOT%\System32\drivers\msseccore.sys' # TODO: Does %SYSTEMROOT%\System32\drivers\wd\msseccore.sys exis+t?
+ grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
+ -
+ category: Disable Defender System Guard # TODO: move outsid ethis category for better categorization?
+ docs: https://learn.microsoft.com/en-us/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows
+ children:
+ -
+ name: Disable "SgrmAgent" driver
+ docs: |-
+ https://github.com/WinDLLsExports/10_0_17763_1/blob/6151931b169f55ce8b8581c39bb508a661e4085b/C/Windows/System32/drivers/SgrmAgent.sys.strings#L468
+ call:
+ -
+ function: DisableService
+ parameters:
+ # TODO: Cannot stop SgrmAgent service on compute
+ serviceName: SgrmAgent # (Get-Service -Name 'SgrmAgent').StartType
+ defaultStartupMode: Boot # Alowed values: Boot | System | Automatic | Manual
+ -
+ function: SoftDeleteFiles
+ parameters:
+ fileGlob: '%SYSTEMROOT%\System32\drivers\SgrmAgent.sys' # TODO: Does %SYSTEMROOT%\System32\drivers\wd\SgrmAgent.sys exis+t?
+ grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
+ -
+ name: Disable "SgrmBroker" service
+ call:
+ -
+ function: DisableService
+ parameters:
+ # TODO: Cannot stop SgrmBroker service on compute
+ serviceName: SgrmBroker # (Get-Service -Name 'SgrmBroker').StartType
+ defaultStartupMode: Automatic # Alowed values: Boot | System | Automatic | Manual
+ -
+ function: SoftDeleteFiles
+ parameters:
+ # TODO: Cannot stop SgrmBroker.exe. Run `kill` as trusted installer?
+ fileGlob: '%SYSTEMROOT%\System32\Sgrm\SgrmBroker.exe' # Seen on Windows 11 (since 22H2) but on Windows 10 (since 22H2)
+ # grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
+ -
+ name: Disable Microsoft Security Events Component File System Filter Driver
+ docs: |- # TODO: Add docs
+ Microsoft Security Events Component Minifilter
+ https://batcmd.com/windows/10/services/mssecflt/
+ call: # TODO: Not tested, blind coded
+ -
+ function: DisableService
+ parameters:
+ serviceName: mssecflt # Check: (Get-Service -Name 'mssecflt').StartType
+ defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual
+ -
+ function: SoftDeleteFiles
+ parameters:
+ fileGlob: '%SYSTEMROOT%\System32\drivers\mssecflt.sys' # TODO: Does %SYSTEMROOT%\System32\drivers\wd\mssecflt.sys exis+t?
+ grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
+ -
+ name: Disable Microsoft Security Events Component File System Filter Driver
+ docs: |- # TODO: Add docs
+ Microsoft Security Events Component Minifilter
+ https://batcmd.com/windows/10/services/mssecflt/
+ call: # TODO: Not tested, blind coded
+ -
+ function: DisableService
+ parameters:
+ serviceName: MsSecWfp # Check: (Get-Service -Name 'MsSecWfp').StartType
+ defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual
+ -
+ function: SoftDeleteFiles
+ parameters:
+ fileGlob: '%SYSTEMROOT%\System32\drivers\mssecwfp.sys' # TODO: Does %SYSTEMROOT%\System32\drivers\wd\mssecwfp.sys exis+t?
+ grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
name: Disable "Microsoft Defender Antivirus Network Inspection" service
docs: |-
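Review bot: `Disable Microsoft Security Core Boot Driver` disables `serviceName: WdBoot` but deletes `msseccore.sys` and links the `msseccore` service page, and `WdBoot` is already handled by the preceding entry whose `WdBoot.sys` deletion forms the context at the top of this hunk — the service name looks copy-pasted, so the script as written disables one driver and deletes another driver's file. The batcmd slug suggests the service is `MsSecCore`; confirm with `(Get-Service -Name 'MsSecCore').StartType` on a test machine before landing, since the entry is marked `# TODO: Not tested`. The last two entries both carry the name `Disable Microsoft Security Events Component File System Filter Driver` and the same `mssecflt` docs while the second one targets `MsSecWfp`/`mssecwfp.sys`; give the second its own name and docs, and check whether the application keys scripts by name, in which case the duplicate also collides. `grantPermissions: true` under SgrmAgent is an unquoted boolean whereas every other occurrence in this hunk is the string `'true'`; quote it so the parameter type is consistent (and the two `Alowed values` comments are misspelled).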
@@ -15156,11 +15267,139 @@ actions:
parameters:
serviceName: SecurityHealthService # Check: (Get-Service -Name 'SecurityHealthService').StartType
defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual
+ -
+ function: TerminateAndBlockExecution
+ parameters:
+ executableNameWithExtension: SecurityHealthService.exe
-
function: SoftDeleteFiles
parameters:
fileGlob: '%WINDIR%\System32\SecurityHealthService.exe'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
+ -
+ # TODO: Double check these docs, add in docs
+ # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceAsTrustedInstaller`
+ # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceAsTrustedInstaller`
+ function: DisableServiceInRegistryAsTrustedInstaller # TODO: not tested
+ parameters:
+ serviceName: wscsvc # Check: (Get-Service -Name 'wscsvc').StartType
+ defaultStartupMode: Automatic # Alowed values: Boot | System | Automatic | Manual
+ # TODO: Does wscsvc.exe exist?
+ -
+ name: Disable Microsoft Defender Core service # TODO: Move outside of "Services" for more feature-based categorization
+ docs: |-
+ This script disables Microsoft Defender Core service (`MDCoreSvc`).
+
+ Microsoft Defender Core service to help with the stability and performance of Microsoft Defender Antivirus [1].
+ Its process is known as "Antimalware Core Service" [1] [2] [3].
+ Its executable is known as `MpDefenderCoreService.exe` [1] [2] [3].
+ It's typically located at `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\\` folder [2].
+
+ It communicates With Microsoft servers for reporting data from you including telemetry [1].
+ So disabling it helps to protect your privacy by preventing data collection.
+
+ Disabling it impairs Microsoft Defender for Endpoint [1] [3].
+
+ This script takes following actions:
+
+ - Disables `MDCoreSvc` service [1].
+ - Disables `MpDefenderCoreService.exe` executable [1].
+ - Sets following Defender flags `DisableCoreServiceECSIntegration` [1], `DisableCoreServiceTelemetry` [1]
+ - Configures following registry keys:
+ - `HKLM\Software\Policies\Microsoft\Windows Defender\Features!DisableCoreService1DSTelemetry` [1]
+ - `HKLM\Software\Policies\Microsoft\Windows Defender\Features!DisableCoreServiceECSIntegration` [1]
+
+ > **Caution:**
+ > - Disabling it impairs Microsoft Defender for Endpoint [1].
+
+ [1]: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-core-service-overview
+ [2]: https://www.file.net/process/mpdefendercoreservice.exe.html
+ [3]: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows
+ children:
+ -
+ name: Disable MDCoreSvc
+ docs: |-
+ ### Overview of default service statuses
+
+ | OS Version | Status | Start type |
+ | ---------- | -------| ---------- |
+ | Windows 10 (≥ 22H2) | 🟢 Running | Automatic |
+ | Windows 11 (≥ 23H2) | 🟡 Missing | N/A |
+ call:
+ function: DisableService
+ parameters:
+ serviceName: MDCoreSvc # Check: (Get-Service -Name 'MDCoreSvc').StartType
+ defaultStartupMode: Automatic # Cannot find
+ # TODO: ignoreErrorIfMissing: true # Missing on W11
+ -
+ name: Disable MpDefenderCoreService
+ call:
+ function: TerminateAndBlockExecution
+ parameters:
+ executableNameWithExtension: MpDefenderCoreService.exe
+ -
+ name: Disable Core Service ECS Integration
+ call:
+ -
+ function: SetMpPreference
+ parameters:
+ property: DisableCoreServiceECSIntegration # Status: Get-MpPreference | Select-Object -Property DisableCoreServiceECSIntegration
+ value: $True # Set: Set-MpPreference -Force -DisableCoreServiceECSIntegration $True
+ default: $False # Default: Not Configured (Enabled)
+ -
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Features
+ valueName: DisableCoreServiceECSIntegration
+ dataType: REG_DWORD
+ data: '1'
+ deleteOnRevert: 
'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
+ -
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService
+ valueName: DisableCoreServiceECSIntegration # TODO: Undocumented I found my self
+ dataType: REG_DWORD
+ data: '1'
+ dataOnRevert: '0' # 0 by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
+ -
+ name: Disable Core Service 1DS telemetry
+ recommend: strict # Disables telemetry without disabling the feature
+ call:
+ -
+ function: SetMpPreference
+ parameters:
+ property: DisableCoreServiceECSIntegration # Status: Get-MpPreference | Select-Object -Property DisableCoreServiceECSIntegration
+ value: $True # Set: Set-MpPreference -Force -DisableCoreServiceECSIntegration $True
+ default: $False # Default: Not Configured (Enabled)
+ -
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Features
+ valueName: DisableCoreService1DSTelemetry # TODO: move to disable telemetry?
+ dataType: REG_DWORD
+ data: '1'
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
+ -
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService
+ valueName: DisableCoreService1DSTelemetry # TODO: Undocumented I found my self
+ dataType: REG_DWORD
+ data: '1'
+ dataOnRevert: '0' # 0 by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
+ -
+ name: Disable Defender automatic service Launch
+ docs: |-
+ TODO: Missing
+ call:
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender
+ valueName: ServiceStartStates
+ dataType: REG_DWORD
+ data: '1'
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable SmartScreen
docs:
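Review bot: In `Disable Core Service 1DS telemetry` the `SetMpPreference` step sets `property: DisableCoreServiceECSIntegration` (status and set comments included) — a verbatim copy of the `Disable Core Service ECS Integration` script above — while the entry's name, both registry steps and the parent docs (`DisableCoreServiceTelemetry` [1]) target telemetry; as written the `recommend: strict` script, whose comment says it disables telemetry "without disabling the feature", also switches off ECS integration. Change the three lines to `property: DisableCoreServiceTelemetry # Status: Get-MpPreference | Select-Object -Property DisableCoreServiceTelemetry`, `value: $True # Set: Set-MpPreference -Force -DisableCoreServiceTelemetry $True` and keep `default: $False`. `Disable Defender automatic service Launch` writes `ServiceStartStates` under `HKLM\SOFTWARE\Microsoft\Windows Defender` with `docs: TODO: Missing`; a value in Defender's own key with no documented meaning, default or revert semantics should at least carry a comment recording what was observed on which build, or be held back until it is documented. `Disable MDCoreSvc` documents the service as missing on Windows 11 yet leaves `ignoreErrorIfMissing` as a TODO, so on those builds `DisableService` presumably reports an error for every run. The trailing `Disable SmartScreen` category's `docs:` continues outside the hunk.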