Incapacitating Windows Defender

Dan Tentler, aka @viss, is definitely one of the people I make sure I follow on Twitter, because he is a fun guy and he knows his stuff.

Hak5 recently did a couple of episodes with @viss where he showed a couple of tricks. Nothing too major and nothing foolproof, but they can still come in handy in certain environments.

The idea behind this approach is that if the defending team is only monitoring that Defender is running on all endpoints as expected, we can slip right through the cracks by removing all the signatures that Defender relies upon for its detections. Further to that, if the defending team is not monitoring that all endpoints have up-to-date definitions, this will not raise a flag, because Defender itself is never disabled.

Although what @viss does in the video is fairly obvious, I wanted to break down the commands rather than just copying and pasting them.

The commands that need to be executed (the first is a command-line tool, the second a PowerShell cmdlet, so they are run separately):

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

Set-MpPreference -DisableIOAVProtection $true

* Admin rights are required.

-RemoveDefinitions: as the name implies, this removes the Windows Defender definitions and engine files. The -All flag removes all definitions, whereas -DynamicSignatures removes only the dynamic signatures.

-DisableIOAVProtection: this setting controls whether Defender scans all downloaded files and attachments. The default value is $False (do not disable), so here we set it to $True.

If everything goes well, the Defender settings will look like this, effectively saying that Defender does not have any virus definitions:

[Image: Defender settings screen]

Dan takes it a step further: to make sure that even if Defender's definitions are updated we will be able to continue our work, he defines an exclusion path. What this means is that we can specify:

Add-MpPreference -ExclusionPath "C:\"

Now, if Defender comes back to life, it will ignore C:\ even though its signatures will be updated.
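A defender-side counterpart, as an added example that is not part of the original post: a PowerShell health check that alerts on the three conditions this technique relies on (definitions removed or stale, IOAV scanning disabled, a drive-root exclusion). The cmdlets are the standard Defender module's; the age threshold and the drive-root regex are assumptions to tune for your environment.

```powershell
# Added example (not from the original post). Checks for the gaps the post
# describes, which a plain "is the Defender service running?" monitor misses.

$maxSignatureAgeDays = 3   # assumption: alert when definitions are older than this

$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$findings = @()

# 1. Definitions removed or stale. -RemoveDefinitions leaves the service up,
#    so look at the signature version/age rather than the service state.
#    (Assumption: a removed definition set shows as an empty version or a
#    large age; verify against what your endpoints actually report.)
if ([string]::IsNullOrEmpty($status.AntivirusSignatureVersion) -or
    $status.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
    $findings += "Signatures missing or stale (version='$($status.AntivirusSignatureVersion)', age=$($status.AntivirusSignatureAge) days)"
}

# 2. Download/attachment scanning turned off.
if ($pref.DisableIOAVProtection) {
    $findings += "DisableIOAVProtection is True"
}

# 3. Overly broad exclusions: a whole drive root such as C:\ (regex is an assumption).
foreach ($path in @($pref.ExclusionPath)) {
    if ($path -match '^[A-Za-z]:\\?$') {
        $findings += "Drive-root exclusion present: $path"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: definitions, IOAV protection and exclusions look healthy"
} else {
    $findings | ForEach-Object { Write-Output "ALERT: $_" }
    exit 1
}
```

Run it from an elevated prompt on a schedule and forward the ALERT lines to your SIEM; the non-zero exit code lets a monitoring agent treat it as a failed check.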