Conversation
Edited 1 month ago

Neat way to disable Windows Defender...

Register a no-op AV product in the Windows Security Center (WSC). This action is protected by an NDA that AV vendors sign, and, well...

Anyway, yeah, admin users can do admin things. Don't forget that.

https://github.com/es3n1n/defendnot


@wdormann Can't you also disable Defender through Group Policy?


@wdormann So, somebody finally figured it out.

Why so complicated, though? C++, ugh. It's doable in a few lines of VBScript, using WMI.

It's very unlikely to work against other AV products. It's not an API for "disable the installed AV" - it's an API for "inform the Security Center that an AV is being installed". It then disables Defender (and re-enables it, if that AV is uninstalled; the AV doesn't have to do anything special to initiate that action).


@wdormann I assume this doesn’t work if Tamper Protection is enabled?


@GossiTheDog @deepthoughts10
TBH, I've never really fully grok'd what Tamper Protection actually does.

Here's a PoC of a bypass that I found a long time ago. 🤷‍♂️

@wdormann @GossiTheDog @deepthoughts10 Tamper Protection usually implements anti-debugging so you won't be able to attach a debugger even to the low-priv UI process of the AV. This is not normally a security boundary, so there are of course bypasses; what you just showed basically goes back to having a UAC bypass + admin account.

@wdormann @GossiTheDog in that demo, it doesn’t look like you are using a managed system (GPO or Intune). I don’t believe admins can disable Tamper Protection like that on managed systems.


@deepthoughts10 @GossiTheDog
Maybe? It's just a Windows 11 system that normal humans might be using. 😂


@wdormann @GossiTheDog understood. I’m just trying to figure out the risk potential in my environment.


@deepthoughts10 @GossiTheDog
I'm happy to test what you consider a managed machine to do.
But you'd have to explain what a mere mortal home user such as myself would have to do to set up such a machine.


@wdormann @GossiTheDog There are several ways to manage a system and deploy these settings including Intune, Defender XDR Portal and Configuration Manager (aka SCCM). My understanding has always been that tamper protection prevents even users with local admin privileges from disabling or changing the settings of Defender AV. Microsoft's documentation on this is here:

https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection


@wdormann @GossiTheDog I did see this caveat in that documentation which may be relevant here:

"...tamper protection doesn't affect how non-Microsoft antivirus apps register with the Windows Security app."

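The two points made above, that WSC only needs to be told "an AV is being installed" for Defender to stand down, and that tamper protection doesn't cover how non-Microsoft AV apps register with the Windows Security app, suggest a simple audit a defender can run: list what is actually registered in Security Center as an antivirus product and cross-check it against Defender's own reported state. The script below is an added example written for this thread; it is not code from the thread or from the defendnot project. It assumes a Windows 10/11 client with Defender, an elevated PowerShell session, and that the root/SecurityCenter2 WMI namespace and the Defender module (Get-MpComputerStatus) are present.

```powershell
# Added audit example (not from the thread or from defendnot).
# Inventories AV products registered with Windows Security Center and
# compares them with Defender's own status. Run from an elevated prompt.

function Get-WscAntivirusRegistrations {
    # root/SecurityCenter2 holds one AntiVirusProduct instance per registered AV.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            # Registrations may use %ProgramFiles%-style paths or, for Defender itself,
            # a protocol URI such as windowsdefender:// rather than a file path.
            $exe = [Environment]::ExpandEnvironmentVariables([string]$_.pathToSignedProductExe)
            $sig = if ($exe -match '^[a-z]+://') {
                'ProtocolUri'
            } elseif ($exe -and (Test-Path -LiteralPath $exe)) {
                "$((Get-AuthenticodeSignature -FilePath $exe).Status)"   # Valid, NotSigned, HashMismatch, ...
            } else {
                'MissingFile'
            }
            [pscustomobject]@{
                DisplayName  = $_.displayName
                ProductState = ('0x{0:X6}' -f [int]$_.productState)   # WSC state bitfield, shown in hex
                ProductExe   = $exe
                ExeSignature = $sig
                InstanceGuid = $_.instanceGuid
                Registered   = $_.timestamp
            }
        }
}

function Get-DefenderState {
    # Defender's own view: if a third-party AV is registered, AMRunningMode
    # typically reports "Passive Mode" rather than "Normal".
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AMServiceEnabled   = $s.AMServiceEnabled
        AntivirusEnabled   = $s.AntivirusEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        RunningMode        = $s.AMRunningMode
        TamperProtected    = $s.IsTamperProtected
    }
}

function Find-SuspiciousWscRegistrations {
    # A legitimate third-party AV registers a real, validly signed product binary.
    # A registration whose binary is missing or unsigned is worth investigating,
    # especially when Defender simultaneously reports passive mode.
    Get-WscAntivirusRegistrations | Where-Object {
        $_.ExeSignature -notin @('Valid', 'ProtocolUri')
    }
}

# Usage
Get-WscAntivirusRegistrations | Format-Table -AutoSize
Get-DefenderState | Format-List
$suspect = @(Find-SuspiciousWscRegistrations)
if ($suspect.Count -gt 0) {
    Write-Warning "WSC AV registration(s) without a validly signed product binary:"
    $suspect | Format-List
}
```

On a managed fleet the same two queries can be collected centrally (the WMI class is reachable through any inventory tool that can run CIM queries) and alerted on when the set of registered AV products changes or when Defender drops into passive mode without a corresponding, known AV deployment.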

@wdormann @GossiTheDog But to get back to how you could test this: I've not done this, but one way could be signing up for a one-month free trial of M365 Business Premium, which includes Intune and Defender for Endpoint. It does seem like a long way to go just to test this tool in this type of environment, but it's the only way I could think of.

https://learn.microsoft.com/en-us/microsoft-365/commerce/try-or-buy-microsoft-365?view=o365-worldwide
