Can you DISABLE Windows Defender Antivirus?

Help the channel grow with a Like, Comment, & Subscribe!
Check out the affiliates below for more free or discounted learning!

📧Contact me! (I may be very slow to respond or completely unable to)
Comments

For an influencer who teaches tech, you lack basic experience with the registry and other stuff. 🤦🏼
Make your videos better organised.

GeorgeValkov

I've got to say, Defender has definitely been way more secure than I even expected.
Even just trying to do labs as I work through my PEH course, I've run into a handful of times where I'm using something like Metasploit and have the shell break when Defender catches the payload and isolates it, causing me to need to pull the Windows machine up to try and allow it all so I can keep learning.

aaronwhite

Awesome content. Love your way of teaching and it goes many many miles with the IT teams that want to learn and do!

HomesteadingBartramStyle

I'm also a subscriber to the channel this video is talking about, and I saw the video that inspired this video. While I no longer use Windows day to day, I was fairly confident that it would not work quite as easily as that video suggested. Good to see I was right. This video is yet another great example of why I subscribed to you: you do the technical stuff, but also show things from the perspective of an attacker or end user, as opposed to simply reading off some article somewhere.

Trmrz

What do you think? Am I totally wrong here? What do you think of Defender as an antivirus? Do you use Defender, or something else?

_JohnHammond

Chris Titus Tech made this article because Windows Defender is not that easy to disable, even as an administrator. Just disabling real-time protection isn't enough, as after a reboot it comes back up. That is why the article was made: to show people all the different ways to fully disable Defender and/or even uninstall it.

linasalexx

I think what's important here is that if the victim was just an average Windows user, then he's most likely using his main account on his Windows machine, which will have admin privileges. So if the payload were to execute, it could have something like a UAC bypass implemented, so it would run with admin privs without ever asking the user to grant those permissions and do everything in the background.

The long Set-MpPreference command that you executed doesn't actually do anything as long as Tamper Protection is enabled. Neither does the .reg file. It will show up as successful without throwing any error if you run it as admin, but if you actually verify the protection status, you will see everything is still enabled (Tamper Protection reverts it).

You didn't want to mock the author of the article, but I will do it for you. What he showcased is literally useless, mainly because the tools he was referring to are all signatured by Defender (as you showed us) and the reg tricks and PowerShell commands simply don't work because of Tamper Protection.

However, what Tamper Protection doesn't catch, for some reason, are the exclusions. So ideally you would do: Add-MpPreference -ExclusionPath C:\ and Add-MpPreference -ExclusionProcess C:\*

This will literally exclude everything, and even though protection is enabled, it's not scanning anything.

Yes, you do need admin privs to execute those commands; however, like I mentioned before, the payload can utilize a UAC bypass where it won't alert the user to grant the process admin privs (the user still needs to be in the Administrators group in order for it to work).

While this is bad, you could literally still do the same thing with other AV solutions, not just Defender. Of course, those exclusion commands wouldn't work, but once you elevate yourself to admin, you can actually elevate yourself to TrustedInstaller if you know how to, and for example change the binpath of the AV service so it can't execute. This is just one of many other possibilities of what you can do.

You can still prevent all of this from happening if you use your computer as a low-privileged user and you have a backup admin account with a password set (which you don't log into). So every time you want to install something, it will ask you for that admin user's password, instead of just choosing between "Yes" or "No" in the UAC prompt, which can very easily be bypassed.

So to summarize, Windows Defender is by no means worse than other AV solutions. I use it myself personally. But if the attacker knows what to look for, then he can disable them, as long as he can escalate privileges.

nyshone
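
The check the comment above describes, as an added example rather than anything shown in the video, in the article under discussion, or in the commenter's own text: read Defender's state back from Get-MpComputerStatus instead of trusting that Set-MpPreference returned without an error, list every path, process and extension exclusion and flag blanket ones such as C:\ or C:\*, pull recent configuration-change events (Event ID 5007 in the Defender operational log, whose message names the registry value that changed) so an added exclusion shows up in the timeline, and report whether the running account is in the local Administrators group, which is the precondition for the UAC bypass mentioned. The pattern that defines a blanket exclusion, the seven-day lookback and the function names are my assumptions; the cmdlets, properties and event ID are the standard Windows ones. Test-DisableRealtimeSticks briefly flips real-time monitoring off and restores it, so run the whole thing elevated on a test VM.

```powershell
# Added example: read Defender's real state back instead of trusting that a
# Set-MpPreference call returned without error, and audit exclusions, which the
# comment above notes Tamper Protection does not cover. Assumes the built-in
# ConfigDefender cmdlets and the Defender operational event log; run elevated on a test VM.

function Get-DefenderExclusionFindings {
    # Lists every configured exclusion and flags ones broad enough to switch scanning off.
    param(
        # Assumption: what counts as a "blanket" exclusion (*, a drive root, C:\*, the Users tree).
        [regex] $BlanketPattern = '^(\*|[A-Za-z]:\\?\*?|[A-Za-z]:\\Users\\?\*?)$'
    )
    $pref = Get-MpPreference
    foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        foreach ($value in (@($pref.$kind) | Where-Object { $_ })) {
            [pscustomobject]@{
                Kind    = $kind
                Value   = $value
                Blanket = ($kind -ne 'ExclusionExtension' -and $value -match $BlanketPattern)
            }
        }
    }
}

function Get-DefenderConfigChanges {
    # Event ID 5007 is logged whenever the antimalware platform configuration changes;
    # the message names the registry value touched, so exclusion edits mention Exclusions\.
    param([int] $Days = 7)   # assumption: a week of history is enough for a spot check
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\' } |
        Select-Object TimeCreated, Message
}

function Test-CurrentUserIsLocalAdmin {
    # Membership in Administrators, not the current elevation, is what a UAC bypass trades on.
    $me      = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    [bool]($members | Where-Object { $_.Name -eq $me })
}

function Test-DisableRealtimeSticks {
    # The comment's central point, made observable: flip real-time monitoring off via the
    # preference, read the *status* back, then restore. Only for a test VM, elevated.
    Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 2
    $stillOn = (Get-MpComputerStatus).RealTimeProtectionEnabled
    Set-MpPreference -DisableRealtimeMonitoring $false -ErrorAction SilentlyContinue
    $meaning = 'change took effect: any admin can switch this host off'
    if ($stillOn) { $meaning = 'change was reverted (Tamper Protection or policy)' }
    [pscustomobject]@{ RealTimeStillOn = $stillOn; Meaning = $meaning }
}

function Test-DefenderPosture {
    # Collects the checks above into one object with a plain-language findings list.
    $status     = Get-MpComputerStatus
    $pref       = Get-MpPreference
    $exclusions = @(Get-DefenderExclusionFindings)
    $findings   = New-Object System.Collections.Generic.List[string]

    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper Protection is off: preference and registry changes will stick.') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off.') }
    if ($pref.DisableRealtimeMonitoring)        { $findings.Add('DisableRealtimeMonitoring is set in preferences: someone tried to turn real-time protection off.') }
    foreach ($e in ($exclusions | Where-Object Blanket)) { $findings.Add("Blanket exclusion: $($e.Kind) = $($e.Value)") }
    if (Test-CurrentUserIsLocalAdmin)           { $findings.Add('Current account is in Administrators: a UAC bypass would reach these settings.') }

    [pscustomobject]@{
        TamperProtected      = $status.IsTamperProtected
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        Exclusions           = $exclusions
        RecentExclusionEdits = @(Get-DefenderConfigChanges)
        Findings             = $findings
    }
}

Test-DefenderPosture | Format-List
```

The script prints one object. On a host with Tamper Protection on and no exclusions, Findings is empty apart from the Administrators note if you ran it from an admin account; a C:\* process exclusion shows up in Exclusions with Blanket = True and, once its 5007 event has been written, in RecentExclusionEdits. Call Test-DisableRealtimeSticks separately when you want to see the Set-MpPreference behaviour the comment describes for yourself.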

Currently setting up a new AD and GPOs, and this was an interesting watch. Thank you for the great content!

Foiliagegaming

I was amazed to see that Windows Defender actually works, because I've been sceptical of pretty much all antivirus software. This is awesome.

JCake

If whatever is "targeting you" can pass through Windows Defender, any other antivirus for the everyday user would be the same. Most of this bashing against Windows Defender is from the old antitrust sentiment for Windows. "I'm a cool kid, I know better than the engineers at Windows."

nutme

Loved the video, I need to learn more about how AV / EDR is defeated in general

augustvansickle

10:22
I laughed so hard here, what a great day :D
Honestly, I am learning a lot from you these days. Dunno how I discovered your channel, but I am really glad that I found it somehow.
I will keep following you to learn more about how to protect myself. Thank you for all your work.

ALDMI

It is fairly easy to bypass UAC undetected with some methods; after that, Defender can be disabled or an exclusion can be added, and the malicious downloader can download its payload and execute it. It is a method many attackers use these days, and it is discussed a lot on hacking forums.

robise.

Thanks John. I haven't used Windows for a while, but it was a great video.

guilherme

Hello John, I have used Windows Defender since the beginning. I find the integrated antivirus good enough for my usage.
We are developing industrial applications in my company, and as part of a distributed application (on a local network), we have 'manager' apps that stop and start processes on clusters (always with user privileges).
As far as I know, we have never had any problem with Windows Defender; it does the job without being too intrusive or denying any of our framework actions.
We cannot say the same for other antivirus products we tested: more intrusive, and putting our apps into quarantine all the time because they contain process start and stop (at user-level privilege!!), which breaks our entire system.
Therefore we stick to it, and I also stick to it on my daily dev laptop. If you add common sense to that (listening to the warnings), you should be safe (it's been the case for the past 12 years).
Christophe.

christophekumsta

Really useful and informative. Thanks so much for sharing.

gsm

Great content, and it shows that we need to test the accuracy of the various write-ups that we see. Many times I have seen write-ups in this industry that only work with privileged access and not as a standard user. As you mentioned, if you are an admin you can already change anything, so those write-ups are moot. The real concerns are when changes can be made, or exploitation can happen, as a regular user.

Again, thank you for this content and making that statement without actually saying it. This industry needs to learn to test and not just take the write-up as 100%. There is too much of that which is just misinformation.

TellNoL

At 06:06 - I think it was missing the "Windows Registry Editor Version 5.00" header, so it threw that error. If you export a .reg key you'll see that it always starts with "Windows Registry Editor Version 5.00", followed by a blank line, and then the exported keys and key-value pairs.
Personally, I don't use an antivirus because I know what I'm doing and I don't usually browse through shady stuff. If I'm forced to browse through shady stuff I usually do it through a VM or with the help of something like sandboxie.

TurntableTV
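
An added example, not from the video or the commenter, of checking that layout before importing: a small PowerShell validator for the text .reg format, run over a constructed two-value key written once with and once without the header. It checks only the rules I am sure of (the exact version line, the blank line after it, bracketed keys under the full hive names regedit accepts in .reg files, and the usual string, dword, hex and delete-value syntaxes, including wrapped hex lines); anything else is reported as unrecognized rather than rejected. The HKEY_CURRENT_USER\Software\Example key and its values are made up for the demonstration.

```powershell
# Added example: validate the text layout regedit expects from a .reg file before importing it.

function Test-RegScript {
    param([Parameter(Mandatory)] [string[]] $Lines)   # file contents, one element per line
    $problems = New-Object System.Collections.Generic.List[string]
    $header   = 'Windows Registry Editor Version 5.00'

    # Rule 1: the version line must be the very first line, spelled exactly like this.
    if ($Lines.Count -eq 0 -or $Lines[0] -cne $header) {
        $problems.Add("Line 1 must be exactly '$header'; regedit rejects the file without it.")
    }
    # Rule 2: a blank line follows the header.
    if ($Lines.Count -lt 2 -or $Lines[1] -ne '') { $problems.Add('Line 2 must be blank.') }

    # Keys use the full hive names (HKLM-style abbreviations are not accepted in .reg files);
    # a leading '-' inside the brackets deletes the key.
    $keyPattern   = '^\[-?HKEY_(LOCAL_MACHINE|CURRENT_USER|CLASSES_ROOT|USERS|CURRENT_CONFIG)(\\[^\]]+)?\]$'
    # Values: "name" or @ (default), then =string, =dword:8hex, =hex[(type)]:bytes, or =- to delete.
    $valuePattern = '^(@|"[^"]+")=(-|"[^"]*"|dword:[0-9A-Fa-f]{8}|hex(\([0-9A-Fa-f]+\))?:[0-9A-Fa-f,]*\\?)$'

    $inKey = $false
    $hexContinues = $false
    for ($i = 2; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i]
        if ($hexContinues) {                     # continuation of a wrapped hex value
            $hexContinues = $line.TrimEnd().EndsWith('\')
            continue
        }
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank or comment
        if ($line -match $keyPattern) { $inKey = $true; continue }
        if ($line -match $valuePattern) {
            if (-not $inKey) { $problems.Add("Line $($i + 1): value appears before any [KEY] line.") }
            $hexContinues = $line.TrimEnd().EndsWith('\')
            continue
        }
        $problems.Add("Line $($i + 1): unrecognized syntax: $line")
    }
    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample (the key and values are invented for this demonstration):
# the same body written with the required header and without it.
$good = @(
    'Windows Registry Editor Version 5.00',
    '',
    '[HKEY_CURRENT_USER\Software\Example]',
    '"Flag"=dword:00000001',
    '"Name"="demo"'
)
$bad = $good[2..4]   # header and blank line missing, as the commenter suspects happened at 06:06

Test-RegScript -Lines $good | Format-List
Test-RegScript -Lines $bad  | Format-List
```

To check a real file the same way, read it with Get-Content (exported .reg files are UTF-16, which Get-Content handles) and pass the resulting array as -Lines; the validator only inspects text, so it is safe to run on anything before you hand it to regedit.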

Totally agree! There isn't a one-size-fits-all solution for how many layers of security are needed, but I'm pretty sure that any form of antivirus software is required almost all the time.
If his argument was "Windows Defender is bad for performance, here is lightweight antivirus software you can use today", then I would have understood the suggestion.

applePrincess

Thumbnail was great
my face does that too sometimes
when dealing with Defender

daredevil_orchid