[New script]: New defender scripts. #402

Open
femdiya opened this issue Aug 2, 2024 · 6 comments
Labels
enhancement New feature or request

Comments

femdiya commented Aug 2, 2024

Operating system

Windows

Name of the script

  1. Disable SmartScreen in Microsoft Edge.
  2. Disable SmartScreen PUA protection in Microsoft Edge.
  3. Lower priority for antimalware service at startup.
  4. Prefer group policy over local settings.
  5. Disable monitoring of files and programs.
  6. Disable scanning of all downloaded files and attachments.
  7. Disable scanning archive files.
  8. Disable behavior monitoring.
  9. Disable cloud protection.
  10. Disable Email scanning.
  11. Disable scanning mapped network drives during full scan.
  12. Disable scanning removable drives.
  13. Disable real-time monitoring.
  14. Disable network file scanning.
  15. Disable script scanning.
  16. Disable Virus and threat protection section in Windows Security.
  17. Disable signature verification before scanning.
  18. Minimize cloud protection level.
  19. Disable catch-up full scans.
  20. Disable catch-up quick scans.
  21. Disable controlled folder access.
  22. Enable low-priority CPU for scheduled scans.
  23. Disable prevention of users and apps from accessing dangerous websites.
  24. Disable scheduled full-scans.
  25. Disable scheduled scans frequently.
  26. Disable sending file samples for further analysis.
  27. Disable network file scanning.
  28. Disable non-critical Defender notifications.
  29. Disable routine remediation.
  30. Disable Microsoft Defender Antivirus.
  31. Disable SpyNet.

Documentation/References

  1. This script disables SmartScreen in Microsoft Edge. More info: Winaero
  2. This script disables SmartScreen PUA protection in Microsoft Edge. More info: Group policy catalog Microsoft
  3. This script lowers the antimalware service startup priority from normal to low. More info: Group policy catalog1 Group policy catalog2 Microsoft
  4. This script prefers group policy over local settings. More info: 1 2 3 4 5 6 7 8 9
  5. This script disables files and programs monitoring. (Requires Tamper protection to be turned off). More info: Microsoft
  6. This script prevents files and attachments from being scanned. (Requires Tamper protection to be turned off). More info: Microsoft
  7. This script prevents archives from being scanned. (Requires Tamper protection to be turned off). More info: Microsoft
  8. This script prevents behavior monitoring, used in real time to monitor user activity and detect malware. (Requires Tamper protection to be turned off). More info: Microsoft
  9. This script prevents data from being sent to Microsoft cloud protection. More info: Microsoft
  10. This script prevents emails (ex. Outlook emails) from being scanned. More info: Microsoft
  11. This script prevents mapped network drives from being scanned. More info: Microsoft
  12. This script prevents removable devices from being scanned. More info: Microsoft
  13. This script disables real-time monitoring. (Requires Tamper protection to be turned off). More info: Microsoft
  14. This script disables network file scanning. More info: Microsoft
  15. This script disables script scanning. (Requires Tamper protection to be turned off). More info: Microsoft
  16. This script disables access to Virus and threat protection in Windows Security. More info: Microsoft
  17. This script disables checking for signature update before every scan. More info: Microsoft
  18. This script minimizes the cloud protection level. More info: Microsoft
  19. This script disables catch up full scans after missed scheduled (full) scans. More info: Microsoft
  20. This script disables catch-up quick scans after missed scheduled (quick) scans. More info: Microsoft
  21. This script disables controlled folder access. More info: Microsoft
  22. This script lowers the priority (CPU) for scheduled scans. More info: Group policy catalog Microsoft
  23. This script disables prevention of users and apps from accessing dangerous websites. More info: Microsoft
  24. This script disables scheduled scans being full and will make them quick instead. More info: Microsoft
  25. This script changes the scheduled scan day to "Never", which thus disables scheduled scans completely (?). More info: Group policy catalog Microsoft
  26. This script prevents samples from being sent to Microsoft. More info: Microsoft
  27. This script prevents network file scanning.
  28. This script prevents enhanced notifications. More info: Group policy catalog
  29. This script disables routine remediation. More info: Group policy catalog
  30. This script disables Microsoft Defender Anti-Virus. More info: Group policy catalog 1 Group policy catalog 2
  31. This script disables/minimizes Microsoft SpyNet. More info: Group policy catalog

Code

  1. Disables SmartScreen in Microsoft Edge: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKCU\Software\Microsoft\Edge\SmartScreenEnabled' /v '(Default)' /t 'REG_DWORD' /d '0' /f"
  2. Disables SmartScreen PUA protection in Microsoft Edge: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKCU\Software\Microsoft\Edge\SmartScreenPuaEnabled' /v '(Default)' /t 'REG_DWORD' /d '0' /f"
  3. Low priority for antimalware service:
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'AllowFastServiceStartup' /t 'REG_DWORD' /d '0' /f"
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware' /v 'AllowFastServiceStartup' /t 'REG_DWORD' /d '0' /f"
  4. Prefer group policy over local settings:
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'LocalSettingOverrideDisableOnAccessProtection' /t 'REG_DWORD' /d '0' /f"
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'LocalSettingOverrideRealtimeScanDirection' /t 'REG_DWORD' /d '0' /f"
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'LocalSettingOverrideDisableIOAVProtection' /t 'REG_DWORD' /d '0' /f"
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'LocalSettingOverrideDisableBehaviorMonitoring' /t 'REG_DWORD' /d '0' /f"
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'LocalSettingOverrideDisableIntrusionPreventionSystem' /t 'REG_DWORD' /d '0' /f"
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'LocalSettingOverrideDisableRealtimeMonitoring' /t 'REG_DWORD' /d '0' /f"
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'LocalSettingOverrideDisableScriptScanning' /t 'REG_DWORD' /d '0' /f"
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' /v 'LocalSettingOverrideSpynetReporting' /t 'REG_DWORD' /d '0' /f"
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\SpyNet' /v 'LocalSettingOverrideSpyNetReporting' /t 'REG_DWORD' /d '0' /f"
  5. Disables files and programs monitoring:
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableOnAccessProtection' /t 'REG_DWORD' /d '1' /f"
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowOnAccessProtection' /v 'value' /t 'REG_DWORD' /d '0' /f"
  6. Disable scanning of all downloaded files and attachments: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowIOAVProtection' /v 'value' /t 'REG_DWORD' /d '0' /f"
  7. Disable archive scanning: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowArchiveScanning' /v 'value' /t 'REG_DWORD' /d '0' /f"
  8. Disable behavior monitoring:
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowBehaviorMonitoring' /v 'value' /t 'REG_DWORD' /d '0' /f"
  • PowerShell -ExecutionPolicy Unrestricted -Command "Set-MpPreference -DisableBehaviorMonitoring $true"
  9. Disable cloud protection:
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowCloudProtection' /v 'value' /t 'REG_DWORD' /d '0' /f"
  • PowerShell -ExecutionPolicy Unrestricted -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
  10. Disable email scanning: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowEmailScanning' /v 'value' /t 'REG_DWORD' /d '0' /f"
  11. Disable mapped drive scanning: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowFullScanOnMappedNetworkDrives' /v 'value' /t 'REG_DWORD' /d '0' /f"
  12. Disable removable device scanning: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowFullScanRemovableDriveScanning' /v 'value' /t 'REG_DWORD' /d '0' /f"
  13. Disable real-time monitoring: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowRealtimeMonitoring' /v 'value' /t 'REG_DWORD' /d '0' /f"
  14. Disable network file scanning: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowScanningNetworkFiles' /v 'value' /t 'REG_DWORD' /d '0' /f"
  15. Disable script scanning: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowScriptScanning' /v 'value' /t 'REG_DWORD' /d '0' /f"
  16. Disable Virus and threat protection section in Windows Security: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowUserUIAccess' /v 'value' /t 'REG_DWORD' /d '0' /f"
  17. Disable signature update before scan: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\CheckForSignaturesBeforeRunningScan' /v 'value' /t 'REG_DWORD' /d '0' /f"
  18. Minimize cloud protection: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\CloudBlockLevel' /v 'value' /t 'REG_DWORD' /d '0' /f"
  19. Disable catch-up full scan: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\DisableCatchupFullScan' /v 'value' /t 'REG_DWORD' /d '1' /f"
  20. Disable catch-up quick scan: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\DisableCatchupQuickScan' /v 'value' /t 'REG_DWORD' /d '1' /f"
  21. Disable controlled folder access: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\EnableControlledFolderAccess' /v 'value' /t 'REG_DWORD' /d '0' /f"
  22. Low-priority CPU scheduled scans:
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\EnableLowCPUPriority' /v 'value' /t 'REG_DWORD' /d '1' /f"
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan' /v 'LowCpuPriority' /t 'REG_DWORD' /d '1' /f"
  23. Disable prevention of users and apps from accessing dangerous websites: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\EnableNetworkProtection' /v 'value' /t 'REG_DWORD' /d '0' /f"
  24. Disable scheduled full-scan: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\ScanParameter' /v 'value' /t 'REG_DWORD' /d '1' /f"
  25. Disable scheduled scans:
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\ScheduleScanDay' /v 'value' /t 'REG_DWORD' /d '8' /f"
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan' /v 'ScheduleDay' /t 'REG_DWORD' /d '1' /f"
  26. Disable sample submitting: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\SubmitSamplesConsent' /v 'value' /t 'REG_DWORD' /d '2' /f"
  27. Disable network file scanning: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager' /v 'DisableScanningNetworkFiles' /t 'REG_DWORD' /d '1' /f"
  28. Disable enhanced notifications: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting' /v 'DisableEnhancedNotifications' /t 'REG_DWORD' /d '1' /f"
  29. Disable routine remediation: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware' /v 'DisableRoutinelyTakingAction' /t 'REG_DWORD' /d '1' /f"
  30. Disable Microsoft Defender Anti-Virus:
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware' /v 'DisableAntiVirus' /t 'REG_DWORD' /d '1' /f"
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware' /v 'DisableAntiSpyware' /t 'REG_DWORD' /d '1' /f"
  31. Disable SpyNet: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\SpyNet' /v 'SpyNetReporting' /t 'REG_DWORD' /d '0' /f"

Revert code

  1. Enables SmartScreen in Microsoft Edge: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKCU\Software\Microsoft\Edge\SmartScreenEnabled' /v '(Default)' /t 'REG_DWORD' /d '1' /f"
  2. Enables SmartScreen PUA protection in Microsoft Edge: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKCU\Software\Microsoft\Edge\SmartScreenPuaEnabled' /v '(Default)' /t 'REG_DWORD' /d '1' /f"
  3. Normal priority for antimalware service:
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' /v 'AllowFastServiceStartup' /t 'REG_DWORD' /d '1' /f"
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware' /v 'AllowFastServiceStartup' /t 'REG_DWORD' /d '1' /f"
  4. THIS SCRIPT DOESN'T NEED REVERTING, AS IT IS ALREADY USING DEFAULT AND RECOMMENDED SETTINGS. THE COMMANDS ARE ONLY REPEATED TO ENSURE THAT THE OTHER SCRIPTS WORK PROPERLY
  5. Enables files and programs monitoring:
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' /v 'DisableOnAccessProtection' /t 'REG_DWORD' /d '0' /f"
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowOnAccessProtection' /v 'value' /t 'REG_DWORD' /d '1' /f"
  6. Enable scanning of all downloaded files and attachments: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowIOAVProtection' /v 'value' /t 'REG_DWORD' /d '1' /f"
  7. Enable archive scanning: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowArchiveScanning' /v 'value' /t 'REG_DWORD' /d '1' /f"
  8. Enable behavior monitoring:
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowBehaviorMonitoring' /v 'value' /t 'REG_DWORD' /d '1' /f"
  • PowerShell -ExecutionPolicy Unrestricted -Command "Set-MpPreference -DisableBehaviorMonitoring $false"
  9. Enable cloud protection:
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowCloudProtection' /v 'value' /t 'REG_DWORD' /d '1' /f"
  • PowerShell -ExecutionPolicy Unrestricted -Command "Set-MpPreference -SubmitSamplesConsent SendSafeSamples"
  10. Enable email scanning: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowEmailScanning' /v 'value' /t 'REG_DWORD' /d '1' /f"
  11. Enable mapped drive scanning: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowFullScanOnMappedNetworkDrives' /v 'value' /t 'REG_DWORD' /d '1' /f"
  12. Enable removable device scanning: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowFullScanRemovableDriveScanning' /v 'value' /t 'REG_DWORD' /d '1' /f"
  13. Enable real-time monitoring: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowRealtimeMonitoring' /v 'value' /t 'REG_DWORD' /d '1' /f"
  14. Enable network file scanning: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowScanningNetworkFiles' /v 'value' /t 'REG_DWORD' /d '1' /f"
  15. Enable script scanning: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowScriptScanning' /v 'value' /t 'REG_DWORD' /d '1' /f"
  16. Enable Virus and threat protection section in Windows Security: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowUserUIAccess' /v 'value' /t 'REG_DWORD' /d '1' /f"
  17. Enable signature update before scan: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\CheckForSignaturesBeforeRunningScan' /v 'value' /t 'REG_DWORD' /d '1' /f"
  18. THIS IS DEFAULT SETTINGS, NOT RECOMMENDED TO CHANGE
  19. Enable catch-up full scan: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\DisableCatchupFullScan' /v 'value' /t 'REG_DWORD' /d '0' /f"
  20. Enable catch-up quick scan: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\DisableCatchupQuickScan' /v 'value' /t 'REG_DWORD' /d '0' /f"
  21. Enable controlled folder access: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\EnableControlledFolderAccess' /v 'value' /t 'REG_DWORD' /d '1' /f"
  22. Normal-priority CPU scheduled scans:
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\EnableLowCPUPriority' /v 'value' /t 'REG_DWORD' /d '0' /f"
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan' /v 'LowCpuPriority' /t 'REG_DWORD' /d '0' /f"
  23. Enable prevention of users and apps from accessing dangerous websites: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\EnableNetworkProtection' /v 'value' /t 'REG_DWORD' /d '1' /f"
  24. Enable scheduled full-scan: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\ScanParameter' /v 'value' /t 'REG_DWORD' /d '2' /f"
  25. Enable scheduled scans:
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\ScheduleScanDay' /v 'value' /t 'REG_DWORD' /d '0' /f"
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan' /v 'ScheduleDay' /t 'REG_DWORD' /d '1' /f"
  26. Enable sample submitting: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\SubmitSamplesConsent' /v 'value' /t 'REG_DWORD' /d '1' /f"
  27. Enable network file scanning: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager' /v 'DisableScanningNetworkFiles' /t 'REG_DWORD' /d '0' /f"
  28. Enable enhanced notifications: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting' /v 'DisableEnhancedNotifications' /t 'REG_DWORD' /d '0' /f"
  29. Enable routine remediation: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware' /v 'DisableRoutinelyTakingAction' /t 'REG_DWORD' /d '0' /f"
  30. Enable Microsoft Defender Anti-Virus:
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware' /v 'DisableAntiVirus' /t 'REG_DWORD' /d '0' /f"
  • PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware' /v 'DisableAntiSpyware' /t 'REG_DWORD' /d '0' /f"
  31. Enable SpyNet: PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\SpyNet' /v 'SpyNetReporting' /t 'REG_DWORD' /d '1' /f"

Suggested category

No response

Recommendation level

None

Additional information

Most of these scripts need to have "Tamper protection" off, as documented on the official Microsoft website. (It can be turned on again later by the user, personal choice.)
Note that this issue is created as an addition to the main project, which means no duplicate scripts compared to the main project.
This feature request is only created to add "missing" values to the registry and to help the main project's scripts work better (as intended).
Again, all code has been checked to prevent duplication with the main script. None of it is duplicate.
SIDE NOTE 1
According to this, most of Windows Defender files are located in "C:\Program Files\Windows Defender" so maybe develop a script to purge that location?
SIDE NOTE 2
I realized some services (!) are not disabled:
MDCoreSvc
WinDefend
wscsvc
SgrmAgent
SgrmBroker
Also they put some before/after pictures for their script:
The script: https://github.com/TairikuOokami/Windows/blob/main/Microsoft Defender Disable.bat
I also found some scripts to remove the "Shell Association" of Windows Defender, which, AFAIK, isn't implemented in this project.

@femdiya femdiya added the enhancement New feature or request label Aug 2, 2024
femdiya (Author) commented Aug 2, 2024

@undergroundwires
I need to shower.

@undergroundwires (Owner)

A lot of useful stuff @femdiya.
Thank you for the research.
I will release 0.13.6 first then focus on Defender.

One question is about the PolicyManager keys: HKLM\SOFTWARE\Microsoft\PolicyManager..
These are Intune MDM policies and apply only to remotely managed devices such as work and school computers.
I see traditional policies for many of these; take AllowRealtimeMonitoring for example.
You provided PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowRealtimeMonitoring' /v 'value' /t 'REG_DWORD' /d '0' /f". But we already set the GPO using Software\Policies\Microsoft\Windows Defender\Real-Time Protection and the DisableRealtimeMonitoring value, see docs:


So I'm not sure if they provide any benefit if the traditional GPOs are already being set. Otherwise, I will add all the others 👍❤️ Thanks for the great contribution.
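To make the question above testable, here is an added, read-only audit (example code, not from the issue or from the privacy.sexy project). For a subset of the protections listed in the first post it reads the Group Policy value, the PolicyManager (MDM) value and the state Defender itself reports through Get-MpPreference, so on a given machine you can see which path, if any, actually took effect. The check table, function names and the chosen subset are mine; the value names under Real-Time Protection are the documented Defender policy values that the post's LocalSettingOverride* entries refer to.

```powershell
# Added audit example (not the project's own code). Read-only; run elevated.
# For each protection: GPO path (HKLM\SOFTWARE\Policies\...), MDM PolicyManager
# path (HKLM\SOFTWARE\Microsoft\PolicyManager\default\Defender\...), and the
# effective state from Get-MpPreference.

$GpoRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$MdmRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Defender'

# Subset chosen for the example. DisabledWhen is the DWORD data that means "off";
# Effective is the Get-MpPreference property that is $true when the protection is off.
$Checks = @(
    @{ Name = 'Real-time monitoring'
       Gpo  = @{ Key = "$GpoRoot\Real-Time Protection"; Value = 'DisableRealtimeMonitoring'; DisabledWhen = 1 }
       Mdm  = @{ Key = "$MdmRoot\AllowRealtimeMonitoring"; Value = 'value'; DisabledWhen = 0 }
       Effective = 'DisableRealtimeMonitoring' }
    @{ Name = 'Behavior monitoring'
       Gpo  = @{ Key = "$GpoRoot\Real-Time Protection"; Value = 'DisableBehaviorMonitoring'; DisabledWhen = 1 }
       Mdm  = @{ Key = "$MdmRoot\AllowBehaviorMonitoring"; Value = 'value'; DisabledWhen = 0 }
       Effective = 'DisableBehaviorMonitoring' }
    @{ Name = 'Downloaded files and attachments (IOAV)'
       Gpo  = @{ Key = "$GpoRoot\Real-Time Protection"; Value = 'DisableIOAVProtection'; DisabledWhen = 1 }
       Mdm  = @{ Key = "$MdmRoot\AllowIOAVProtection"; Value = 'value'; DisabledWhen = 0 }
       Effective = 'DisableIOAVProtection' }
    @{ Name = 'Script scanning'
       Gpo  = @{ Key = "$GpoRoot\Real-Time Protection"; Value = 'DisableScriptScanning'; DisabledWhen = 1 }
       Mdm  = @{ Key = "$MdmRoot\AllowScriptScanning"; Value = 'value'; DisabledWhen = 0 }
       Effective = 'DisableScriptScanning' }
)

function Get-RegistryDword {
    param([string]$Key, [string]$Name)
    # $null means the key or value does not exist, i.e. the policy is not configured.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-DefenderPolicyDrift {
    $pref = Get-MpPreference
    foreach ($c in $Checks) {
        $gpo = Get-RegistryDword -Key $c.Gpo.Key -Name $c.Gpo.Value
        $mdm = Get-RegistryDword -Key $c.Mdm.Key -Name $c.Mdm.Value
        [pscustomobject]@{
            Protection        = $c.Name
            GpoValue          = $gpo
            GpoSetsDisabled   = ($null -ne $gpo) -and ($gpo -eq $c.Gpo.DisabledWhen)
            MdmValue          = $mdm
            MdmSetsDisabled   = ($null -ne $mdm) -and ($mdm -eq $c.Mdm.DisabledWhen)
            EffectiveDisabled = [bool]$pref.($c.Effective)
        }
    }
}

# Tamper Protection can keep a protection on even when a registry value says off,
# so report it next to the table.
"Tamper Protection enabled: $((Get-MpComputerStatus).IsTamperProtected)"
Get-DefenderPolicyDrift | Format-Table -AutoSize
```

A row with MdmSetsDisabled true, GpoSetsDisabled false and EffectiveDisabled false is the case the owner describes: the PolicyManager value is present but not honoured on that machine. Any row where EffectiveDisabled is true is a protection that is actually off and worth alerting on.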

femdiya (Author) commented Aug 6, 2024

I see no problem adding them to the project.
And yes, I know that some of the keys are already provided; we set them earlier in a different path. However, as I mentioned, my contribution only persists in completing this project.
And there's no downside to using those codes, so why not?

@undergroundwires (Owner)

MDCoreSvc cannot be disabled as a service anyway due to permission errors; an alternative way is added, see: #385 (comment), commit b40e46a.

@undergroundwires (Owner)

SgrmAgent and SgrmBroker belong to System Guard. Should they really be disabled as part of Defender? Any justification?

https://learn.microsoft.com/en-us/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows

femdiya (Author) commented Oct 10, 2024

Does disabling them brick the system or anything? Or any possible outcome?

undergroundwires added a commit that referenced this issue Oct 29, 2024
This commit adds disabling of missing low-level Defender services/drivers,
improves disabling of existing ones, and improves their documentation.

Key changes:

- Add disabling missing Defender services.
- Add disabling missing Defender processes.
- Add soft-deleting of missing service files
- Fix `ServiceKeepAlive` value #393, #426
- Add disabling system modification restrictions for persistent Disable
  service disabling.
- Recommend more Defender scripts on 'Strict' level

Other supporting changes:

- Add more documentation for related scripts.
- Move disabling `SecHealthUI` to disabling Windows Security.
- Fix `DisableService` attempting to disable the service even though it's
  disabled.
- Add ability to disable service on revert in
  `DisableServiceInRegistry`.
- Improve categorization for simplicity, add new categories for new
  scripts.
- Add ability to run `DeleteRegistryValue` as `TrustedInstaller`.
- Rename some scripts/categories for simplicity and clarity.