
[BUG]: Disable Windows Defender does not work #170

Open
Fuewburvpoa opened this issue Sep 28, 2022 · 4 comments
Labels
bug Something isn't working help wanted Extra attention is needed

Comments

@Fuewburvpoa

Description

Today I've noticed that Windows Defender services are running.
I installed Windows in February 2022, and one of the first things I did was run the "Privacy over security > Disable Windows Defender" script.
I kept Windows security & patch updates enabled, and it looks like after the August monthly update Windows Defender is running again, but this script no longer works to disable Defender.
Policy to disable defender is ignored.

OS

Edition: Windows 10 Enterprise LTSC
Version: 21H2
OS Build: 19044.2006

Scripts

DisableDefender.txt

Screenshots

image

Additional information

I guess it's time to disable "security" updates forever.
My hatred of MS is on its all time high.

@Fuewburvpoa Fuewburvpoa added the bug Something isn't working label Sep 28, 2022
@undergroundwires undergroundwires added the help wanted Extra attention is needed label Sep 28, 2022
@undergroundwires
Owner

Thank you for the very nice bug report with all the necessary information.

I tested this and can reproduce it. Defender is still heavily crippled but not completely gotten rid of as before.

privacy.sexy has been the only open-source tool that could successfully stop the Defender service, according to my intensive research when I wrote the code. This was thanks to the community that showed the way and a PoC in #74, but Microsoft seems to have patched it in 21H2 for Windows 10 and 22H2 for Windows 11.

This has become a cat and mouse game with Microsoft. I am unsure if I would prioritize this anytime soon over building new features and improving other aspects of the project that people have been asking for for years now. Let's tag this issue and keep it open for other contributions. For researchers who want to debug this, it started with #74, and the idea was to disable these services as TrustedInstaller; you can see the privilege escalation here and search for RunInlineCodeAsTrustedInstaller in the same file to see how we disabled these services.

Some of the scripts that use this method, which worked fine before but started failing in new Windows versions:

Windows 10 21H2:

  • Turn off tamper protection
  • Disable Windows Defender Antivirus service
  • Disable Microsoft Defender Antivirus Mini-Filter Driver service

Windows 11 22H2:

  • Turn off tamper protection (this did not work before either)
  • Disable Windows Defender Antivirus service
  • Disable Microsoft Defender Antivirus Network Inspection service
  • Disable Microsoft Defender Antivirus Network Inspection System Driver service
  • Disable Microsoft Defender Antivirus Mini-Filter Driver service
  • Disable Microsoft Defender Antivirus Boot Driver service

@Fuewburvpoa
Author

Just a little update on how I solved this issue for now.

  • download a tool called NSudo that allows you to run programs as TrustedInstaller
  • launch the registry editor with this tool: nsudo -U:T -P:E regedit
  • navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
  • change the value of the "Start" key to 4
  • reboot

@ayoubfaouzi

ayoubfaouzi commented May 31, 2023

@Fuewburvpoa it won't work on Win 10 22H2, as @undergroundwires pointed out.

You need to boot in SafeMode ...

@undergroundwires
Owner

Most scripts started working with new versions. However, in Windows 11, tamper protection needs to be manually disabled before running the disable Defender script from privacy.sexy for effective disabling. I could not find any way to fix this programmatically yet, nor have I found any other project that successfully does this. One way would be actually mimicking user input to set this in Settings, but it feels so hacky.

Manually disable tamper protection:

image
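A read-only audit that reports the state this thread describes (the WinDefend registry step above and the tamper-protection point in the previous comment), added here as an example and not code from privacy.sexy or any commenter. It assumes the standard short names of the Defender services listed above (only WinDefend is named in the thread) and the built-in Get-MpComputerStatus cmdlet.

```powershell
# Added audit script (not from privacy.sexy or any commenter): reports whether the
# Defender services named in this thread have been set to Start = 4, as the WinDefend
# registry step above does, and whether tamper protection is still on. Read-only;
# run from an elevated PowerShell on Windows 10/11.

# WinDefend is the only short name given in the thread; the others are assumed to be
# the standard short names of the remaining Defender services listed above.
$defenderServices = [ordered]@{
    WinDefend = 'Microsoft Defender Antivirus Service'
    WdFilter  = 'Microsoft Defender Antivirus Mini-Filter Driver'
    WdNisSvc  = 'Microsoft Defender Antivirus Network Inspection Service'
    WdNisDrv  = 'Microsoft Defender Antivirus Network Inspection System Driver'
    WdBoot    = 'Microsoft Defender Antivirus Boot Driver'
}

# Service Control Manager Start values: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-DefenderServiceState {
    foreach ($name in $defenderServices.Keys) {
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        # Win32_BaseService covers both user-mode services and kernel drivers.
        $svc   = Get-CimInstance -ClassName Win32_BaseService -Filter "Name='$name'" -ErrorAction SilentlyContinue
        $startType = if ($null -ne $start) { $startNames[[int]$start] } else { 'KeyMissing' }
        $state     = if ($svc) { $svc.State } else { 'Unknown' }
        [pscustomobject]@{
            Service   = $name
            Display   = $defenderServices[$name]
            StartType = $startType
            State     = $state
            Disabled  = ($start -eq 4)   # the state the registry step in this thread produces
        }
    }
}

$report = Get-DefenderServiceState
$report | Format-Table -AutoSize

# Get-MpComputerStatus fails when the Defender service itself is stopped, so a missing
# result is itself a finding rather than "all good".
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $mp) {
    Write-Warning 'Get-MpComputerStatus returned nothing: the Defender service is not answering.'
} else {
    "Tamper protection: $($mp.IsTamperProtected)  Real-time protection: $($mp.RealTimeProtectionEnabled)"
    if (-not $mp.IsTamperProtected) { Write-Warning 'Tamper protection is off.' }
}
if ($report | Where-Object Disabled) {
    Write-Warning 'One or more Defender services are set to Disabled; compare against policy and audit logs.'
}
```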
