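rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
rem
rem Disables Microsoft Defender Antivirus on Windows 10 by writing the
rem Defender policy registry values, switching off its ETW autologgers,
rem disabling its scheduled tasks and shell integration, and finally setting
rem the Defender services to Disabled. Every write targets HKLM or HKCR, so
rem the script must run from an elevated command prompt.
rem
rem PREREQUISITE - Tamper Protection. On Windows 10 1903 and later, Tamper
rem Protection blocks and reverts the Real-Time Protection and service Start
rem changes made below, and Microsoft documents DisableAntiSpyware as a legacy
rem value that is ignored while it is on. It cannot be turned off from a
rem script or the registry: switch it off first in the Windows Security app
rem under Virus and threat protection settings, or through Intune/MDM on
rem managed devices, then run this file.
rem
rem Detection note: these changes are themselves high-signal. Defender writes
rem e.g. Event ID 5001 when real-time protection is disabled and 5007 on each
rem configuration change to the Microsoft-Windows-Windows Defender/Operational
rem log before the loggers below are silenced, and the policy-key writes are
rem visible to registry auditing and Sysmon registry events.
rem
rem Equivalent PowerShell settings are documented at
rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference

rem Fail fast when not elevated: "net session" only succeeds for administrators,
rem and every reg add below would otherwise fail with "Access is denied".
net session >nul 2>&1
if %errorlevel% neq 0 (
  echo This script must be run from an elevated command prompt.
  exit /b 1
)

rem --- 1. Real-time protection, via the Defender policy keys ----------------
rem WARNING: this delete wipes the whole Defender policy key, including any
rem GPO-delivered settings such as exclusions, before the values are re-added.
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
rem Turn the antispyware/antivirus engine off (legacy values, see note above).
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
rem Potentially unwanted application blocking off.
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
rem Behaviour monitoring, download/attachment scanning, on-access scanning and
rem real-time monitoring off; skip the catch-up scan when real-time is re-enabled.
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
rem Suppress the enhanced notifications in the notification area.
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
rem Cloud-delivered protection: block-at-first-sight off, MAPS reporting off.
rem NOTE: SubmitSamplesConsent 0 is "always prompt" in the ADMX definition,
rem 2 is "never send"; it is moot while SpynetReporting is 0, so 0 is kept.
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

rem --- 0. Logging -------------------------------------------------------------
rem Start=0 stops the two Defender ETW autologger sessions from starting at boot.
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

rem --- Scheduled tasks --------------------------------------------------------
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

rem --- Systray icon -----------------------------------------------------------
rem The HKCU entry only affects the user running this elevated prompt.
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

rem --- Explorer context menu ("Scan with Microsoft Defender" handlers) --------
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

rem --- Services ---------------------------------------------------------------
rem Start=4 is SERVICE_DISABLED. While Defender is running it protects its own
rem service keys, so these writes are expected to fail on the first pass; reboot
rem after the policy changes above and run the file again. SecurityHealthService
rem additionally disables the Windows Defender Security Center.
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
rem Run "Disable WD.bat" again after a reboot to disable the WD services.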
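# From https://isc.sans.edu/diary/Bypassing+UAC+to+Install+a+Cryptominer/25644
#
# The Set-MpPreference calls issued by the cryptominer dropper analysed in the
# diary above, reproduced for reference. Set-MpPreference needs an elevated
# session and, on Windows 10 1903+, is blocked by Tamper Protection.
#
# The original used -ErrorAction Ignore on every call, which hides exactly the
# "access denied" / "blocked by tamper protection" failures and makes a run
# look successful when nothing changed. Errors are now reported (execution
# still continues) and the effective state is printed at the end so the
# result can be verified.
#
# Detection note: each successful call raises Defender Event ID 5007
# (configuration changed) in Microsoft-Windows-Windows Defender/Operational.

# Real-time, behaviour, cloud block-at-first-sight and download scanning off.
Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction Continue
Set-MpPreference -DisableBehaviorMonitoring $true -ErrorAction Continue
Set-MpPreference -DisableBlockAtFirstSeen $true -ErrorAction Continue
Set-MpPreference -DisableIOAVProtection $true -ErrorAction Continue
Set-MpPreference -DisablePrivacyMode $true -ErrorAction Continue
# Do not fetch signatures at startup when no engine is present.
Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true -ErrorAction Continue
# Archive, network inspection (IPS) and script scanning off.
Set-MpPreference -DisableArchiveScanning $true -ErrorAction Continue
Set-MpPreference -DisableIntrusionPreventionSystem $true -ErrorAction Continue
Set-MpPreference -DisableScriptScanning $true -ErrorAction Continue
# 2 = never send samples; 0 = MAPS (cloud-delivered protection) disabled.
Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction Continue
Set-MpPreference -MAPSReporting 0 -ErrorAction Continue
# 6 = Allow: detections at every severity level are let through untouched.
Set-MpPreference -HighThreatDefaultAction 6 -Force -ErrorAction Continue
Set-MpPreference -ModerateThreatDefaultAction 6 -ErrorAction Continue
Set-MpPreference -LowThreatDefaultAction 6 -ErrorAction Continue
Set-MpPreference -SevereThreatDefaultAction 6 -ErrorAction Continue

# Verify: if IsTamperProtected is True the flags below will still read True.
Get-MpComputerStatus |
    Select-Object IsTamperProtected, AntivirusEnabled, RealTimeProtectionEnabled,
                  BehaviorMonitorEnabled, IoavProtectionEnabled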
(4-16-21)
This didn't work for me, running a Microsoft Edge ISO of Windows Build 1903 as a Virtualbox Windows VM test, I rebooted to the same enabled/running Win. Defender elements.
Everything else I could access has been turned off in the settings, folders, and in the local GPO and registry; the latter two, as I understand it, have now been deprecated as a way of disabling Defender. The main Windows Defender service in "Services.msc" cannot be accessed (it is greyed out), and trying to change owner permissions on the ProgramData folder holding the Windows Defender settings — the only folder I have not yet been able to access — also leads to the page greying out, though you can share the folder, which of course doesn't help. If there are registry entries for "Services" and the "ProgramData" folder that I couldn't find myself, please let me know and specify them here.
I like strong security, but controlling one's own PC should be left at one's own discretion, Windows is now becoming more like Apple in making the choices for you, which I do NOT like.
(4-16-21)
This didn't work for me, running a Microsoft Edge ISO of Windows Build 1903 as a VirtualBox Windows VM test; I rebooted to the same enabled/running Windows Defender elements. Everything else I could access has been turned off in the settings, folders, and in the local GPO and registry; the latter two, as I understand it, have now been deprecated as a way of disabling Defender. The main Windows Defender service in "Services.msc" cannot be accessed (it is greyed out), and trying to change owner permissions on the ProgramData folder holding the Windows Defender settings — the only folder I have not yet been able to access — also leads to the page greying out, though you can share the folder, which of course doesn't help. If there are registry entries for "Services" and the "ProgramData" folder that I couldn't find myself, please let me know and specify them here.
I like strong security, but controlling one's own PC should be left at one's own discretion, Windows is now becoming more like Apple in making the choices for you, which I do NOT like.
The Tamper Protection feature is very likely the culprit here: it is on by default from Windows 10 1903, and it blocks and reverts changes to real-time protection, cloud-delivered protection and the WinDefend service made through the registry, Group Policy or Set-MpPreference — which matches the greyed-out service and the settings coming back after a reboot. It cannot be switched off by script or registry edit, only from the Windows Security app (or Intune/MDM on managed devices), so many articles suggest turning it off first to make the configuration stick. I would suggest giving that a try and then re-running the script.
All legit, thanks! Added some of them to privacy.sexy