[HN Gopher] A slightly more fun way to disable Windows Defender ...
___________________________________________________________________
A slightly more fun way to disable Windows Defender (through the
WSC API)
Author : croes
Score : 54 points
Date : 2024-05-24 16:27 UTC (6 hours ago)
| _xerces_ wrote:
| Defender is a real irritant when doing security research and is
| near impossible to turn off completely and permanently. Even
| using the Group Policy Editor or regedits is not reliable. If you
| do get it to stop, it will randomly reenable itself weeks later
| (perhaps some timer, perhaps due to some update if you forgot to
| turn those off).
|
| For the vast majority of people this is a good thing!
| vezycash wrote:
| Easiest way to disable Defender was to install another
| antivirus. Did this change?
| malfist wrote:
| If they want to do research they probably prefer no AV. That
| said, there are some no-op AVs that are specifically for
| tricking Defender to shut off and don't actually do anything.
| GordonS wrote:
| I was just wondering if a no-op AV might work! But I
| thought perhaps not, as I thought Microsoft insisted on AVs
| running as PP/PPL (Protected Process / Protected Process
| Light), which isn't realistic for OSS.
|
| Are you able to point to one please? Would love to try it
| and see if it works!
| PKop wrote:
| Isn't this what this post is about?
| GordonS wrote:
| Ach, I think you're right, that looks to be what they're
| doing.
| jiggawatts wrote:
| Yes. Current versions of Defender won't disable scanning even
| if another anti virus is installed. At most, it will stop
| _reporting_ infections. The CPU overhead however cannot be
| avoided by normal means.
|
| Microsoft Dev Drive exists purely as a workaround to this
| self-imposed problem.
| gruez wrote:
| >it will randomly reenable itself weeks later (perhaps some
| timer, perhaps due to some update if you forgot to turn those
| off).
|
| Probably caused by feature updates. I have it disabled on LTSC
| and it hasn't reenabled itself in years.
| 0xDEADFED5 wrote:
| brilliant, thanks for sharing. seems to work great. i mostly
| tolerate Windows Defender, but the lack of configurability is
| pretty maddening sometimes.
| cedws wrote:
| Does it require elevated privileges?
| EvanAnderson wrote:
| If I'm understanding this then the WSC API calls are being used
| by the included Avast EXE and DLL (which, presumably, are Avast
| "IP" and protected by copyright).
|
| Has anybody done reverse engineering work on the WSC API itself?
| greeniskool wrote:
| That was my first thought too. If I understood correctly, the
| developer claims that the API requires a signed binary in this
| issue: https://github.com/es3n1n/no-defender/issues/1
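The question of what is registered with the Windows Security Center can be answered from the defender's side without touching any vendor binary. The following is an added example, not code from the no-defender project or from anyone in this thread: it enumerates the antivirus products registered in the `root/SecurityCenter2` WMI namespace (a real namespace on client editions of Windows; it does not exist on Windows Server), flags any entry that is not Defender, checks whether the registered executable exists and carries a valid Authenticode signature, and then asks Defender itself which mode it is running in. The display-name match for Defender and the warning wording are assumptions of this example.

```powershell
# Added example (not from the no-defender project or this thread).
# Audit which antivirus products have registered with the Windows Security
# Center (WSC) and whether Defender has consequently dropped into passive mode.

function Get-RegisteredAntivirus {
    [CmdletBinding()]
    param()

    # root/SecurityCenter2 is where WSC exposes registered AV products
    # (client SKUs only; the namespace is absent on Windows Server).
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            [PSCustomObject]@{
                DisplayName       = $_.displayName
                InstanceGuid      = $_.instanceGuid
                ProductStateHex   = ('0x{0:X6}' -f [int]$_.productState)
                ProductExe        = $_.pathToSignedProductExe
                ReportingExe      = $_.pathToSignedReportingExe
                Timestamp         = $_.timestamp
                # Assumption: Defender registers under one of these names.
                IsWindowsDefender = ($_.displayName -match 'Windows Defender|Microsoft Defender')
            }
        }
}

function Test-RegisteredAntivirusBinary {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string]$Path)

    # A registration whose executable is missing or unsigned is worth a closer look:
    # WSC only records the path it was handed, it does not verify that the
    # product actually scans anything.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [PSCustomObject]@{ Path = $Path; Exists = $false; Signature = 'n/a'; Signer = 'n/a' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [PSCustomObject]@{
        Path      = $Path
        Exists    = $true
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
    }
}

$products = Get-RegisteredAntivirus
$products | Format-Table DisplayName, ProductStateHex, ProductExe -AutoSize

foreach ($p in $products | Where-Object { -not $_.IsWindowsDefender }) {
    Write-Warning ("Non-Defender AV registered with WSC: '{0}'" -f $p.DisplayName)
    foreach ($exe in @($p.ProductExe, $p.ReportingExe) | Where-Object { $_ }) {
        Test-RegisteredAntivirusBinary -Path $exe | Format-List | Out-String | Write-Warning
    }
}

# Cross-check with Defender's own view: AMRunningMode reports 'Passive Mode'
# when another registered product has taken over real-time protection.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    Get-MpComputerStatus |
        Select-Object AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated |
        Format-List
}
```

Running this on a machine where a third-party product has been registered shows that product alongside Defender, and Defender's `AMRunningMode` will read `Passive Mode` rather than `Normal`. The signature and existence checks are the part to act on: a registered product whose executable is missing, unsigned, or signed by an unexpected publisher is the condition this thread is about, and it is visible to an administrator without any reverse engineering of the WSC API.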
| aeyes wrote:
| Apparently this could be reduced to a VBScript:
| https://infosec.exchange/@bontchev/112494759440985111
| fulafel wrote:
| Click saver: no vbscript implementation is presented.
| chme wrote:
| Hmm.. Is there something similar for just the firewall?
|
| I am using simplewall, but with that Windows complains about a
| disabled firewall. Registering simplewall as a firewall with
| Windows would be nice.
| Wowfunhappy wrote:
| So, why doesn't all malware include this?
| devwastaken wrote:
| You don't need to, you can bypass it anyway through win32
| function call redirection and a dozen other methods.
|
| Antiviruses are trash, they are a mitigation that exists when
| the operating system does not have proper security measures in
| the first place. This is why Windows must ship with an AV, and
| everyone else laughs.
| justsomehnguy wrote:
| > the operating system does not have proper security measures
| in the first place
|
| > everyone else laughs
|
| Meanwhile: So let's install our shiny
| $UB3RK3WLAPP ! # setenforce 0 # curl
| http://ub3rk3wlapp.io/install | sudo bash
| terlisimo wrote:
| My preferred way of disabling Windows Defender is to boot Linux,
| mount windows partition and rename windows defender directories
| to *.disabled or whatever.
|
| Example (assuming it is mounted at /mnt/ntfs):
|
| mv "/mnt/ntfs/Program Files/Windows Defender" "/mnt/ntfs/Program
| Files/Windows Defender.disabled"
|
| mv "/mnt/ntfs/Program Files (x86)/Windows Defender"
| "/mnt/ntfs/Program Files (x86)/Windows Defender.disabled"
|
| mv "/mnt/ntfs/ProgramData/Microsoft/Windows Defender"
| "/mnt/ntfs/ProgramData/Microsoft/Windows Defender.disabled"
|
| Antivirus service fails to start and that's about it, no other
| side effects.
|
| To revert just rename back.
|
| I have dual boot set up, but I believe the Ubuntu USB install
| image supports NTFS.
| gruez wrote:
| Wouldn't Windows' repair mechanism (dism/sfc) autofix this
| eventually?
| password4321 wrote:
| Is there a convenient "awesome red team" list on GitHub somewhere
| that collects these one-off repos and stays updated if they're
| eventually mitigated?
|
| I happened to stumble across a new repo demonstrating UAC bypass
| by sending keys to Task Manager as well as something for AMSI
| (Antimalware Scan Interface): https://github.com/cybersectroll
| oceansweep wrote:
| There's multiple. Here is one I maintain, though am very behind
| on it.
|
| https://github.com/rmusser01/Infosec_Reference
___________________________________________________________________
(page generated 2024-05-24 23:01 UTC)