From 7a7c9c87be60139b8afc351d86ee880b626cd94b Mon Sep 17 00:00:00 2001
From: Michael Campagnaro
Date: Wed, 26 Oct 2022 15:26:55 -0400
Subject: [PATCH] Add scripts for disabling and enabling Windows Defender malware service
---
 aliases | 3 -
 bin/antimalware-service-disable.bat | 106 +++++++++++++++++++++++++++
 bin/antimalware-service-enable.bat | 107 ++++++++++++++++++++++++++++
 windows/readme.md | 3 +
 4 files changed, 216 insertions(+), 3 deletions(-)
 create mode 100644 bin/antimalware-service-disable.bat
 create mode 100644 bin/antimalware-service-enable.bat
diff --git a/aliases b/aliases
index e630eff..2a0306b 100644
--- a/aliases
+++ b/aliases
@@ -235,10 +235,8 @@ alias clipboard='xclip -selection c'
 # Cloc alias may be overridden by a private alias
 alias cloc='cloc --no3 --by-file-by-lang --skip-win-hidden'
 alias cls=clear
-alias code='cd ~/code'
 alias cpr='cp -r'
 alias dc='gdc'
-alias dot='cd ~/.dotfiles'
 alias duh='du -csh'
 alias e='open_explorer_here "$PWD"'
 alias exp='echo "Use e instead."'
@@ -268,7 +266,6 @@ alias shutdown='sudo shutdown now'
 alias stk='rlwrap stk-simply'
 alias t='tree'
 alias tag='ctags -R .'
-alias tmp='cd ~/tmp'
 alias v='vim'
 alias vi='vim'
 alias vh='vagrant halt'
diff --git a/bin/antimalware-service-disable.bat b/bin/antimalware-service-disable.bat
new file mode 100644
index 0000000..6d872c6
--- /dev/null
+++ b/bin/antimalware-service-disable.bat
@@ -0,0 +1,106 @@
+@setlocal enableextensions enabledelayedexpansion
+@echo off
+
+rem Make sure we're running as admin. Got this garbage from https://stackoverflow.com/a/40388766
+if not "%1"=="am_admin" (
+ powershell -Command "Start-Process -Verb RunAs -FilePath '%0' -ArgumentList 'am_admin'"
+ exit /b
+)
+
+rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
+rem NOTE: Defender may see this file as malware, so you will likely need to exclude this before things can be disabled.
+rem
+rem Modified version of
+rem https://raw.githubusercontent.com/mattreecebentley/win10_disable_defender/main/win10_enable_defender.bat
+rem https://gist.github.com/xezrunner/a7a42dbc1096a40b0c78f09488fe5a2b
+
+reg query HKLM\SYSTEM\Setup /v DisabledDefenderServices | find "0x1"
+if %errorlevel% == 0 goto already_patched
+
+echo Please note that Defender can only be disabled in Win10 v2004 and upwards if Tamper Protection is disabled.
+echo This setting can be found in Window settings (hint: search for 'tamper'). Please do this now and then,
+pause
+
+echo.
+echo Disabling Windows Defender
+rem from: https://pastebin.com/kYCVzZPz
+rem Disable Tamper Protection First - on WIn10 vers which allow for this (not from 2004 onwards)
+reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
+
+rem To disable System Guard Runtime Monitor Broker
+rem reg add "HKLM\System\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
+
+rem To disable Windows Defender Security Center include this
+rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
+
+echo.
+echo Disable Real-time protection
+reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
+
+echo.
+echo Disable Logging
+reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
+reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
+
+echo.
+echo Disable WD Tasks
+schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
+schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
+schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
+schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
+schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
+
+echo.
+echo Disable WD systray icon
+reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
+reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
+
+echo.
+echo Remove WD context menu
+reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
+reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
+reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
+
+echo.
+echo Disable WD services
+reg add HKLM\SYSTEM\CurrentControlSet\Services\wscsvc /v "Start" /t REG_DWORD /d "4" /f
+reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
+reg add "HKLM\System\CurrentControlSet\Services\wdFilter" /v "Start" /t REG_DWORD /d "4" /f
+reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
+reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
+reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
+
+echo.
+echo Disable Security system tray icon
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t REG_DWORD /d "1" /f
+
+echo.
+echo Finishing up...
+reg add HKLM\SYSTEM\Setup /v DisabledDefenderServices /t REG_DWORD /d 1 /f
+
+echo.
+echo Windows Defender has (hopefully) been disabled.
+echo You should still be able to scan files going forward. 
Also, the Antimalware Service Executable should immediately stop using CPU cycles.
+echo Please restart your computer to see all changes.
+
+goto eof
+
+:already_patched
+echo Defender has already been disabled by this script.
+echo.
+
+:eof
+pause
diff --git a/bin/antimalware-service-enable.bat b/bin/antimalware-service-enable.bat
new file mode 100644
index 0000000..ff3a5e2
--- /dev/null
+++ b/bin/antimalware-service-enable.bat
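Review bot: `reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f` removes every Defender policy value already configured on the machine (any existing exclusions, cloud or reporting settings) with no backup, and because the enable script runs the same delete before writing its own handful of values, the original configuration can never be put back. Export the key before deleting it so re-enabling can restore the prior posture, e.g. `reg export "HKLM\Software\Policies\Microsoft\Windows Defender" "%TEMP%\defender-policy-backup.reg" /y` immediately above the delete. The `DisabledDefenderServices` marker near the end is written unconditionally, so it records "disabled" even when earlier `reg add` or `schtasks` steps failed; a comment on that line such as `rem Marker only means this script ran to completion, not that every step succeeded` would help whoever reads the enable script's guard. The user-facing prompt `echo ... Please do this now and then,` ends mid-sentence; `echo ... Please do this now and then press a key to continue.` reads as intended.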
@@ -0,0 +1,107 @@
+@setlocal enableextensions enabledelayedexpansion
+@echo off
+
+rem Make sure we're running as admin. Got this garbage from https://stackoverflow.com/a/40388766
+if not "%1"=="am_admin" (
+ powershell -Command "Start-Process -Verb RunAs -FilePath '%0' -ArgumentList 'am_admin'"
+ exit /b
+)
+
+rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
+rem
+rem Modified version of
+rem https://raw.githubusercontent.com/mattreecebentley/win10_disable_defender/main/win10_enable_defender.bat
+rem https://gist.github.com/xezrunner/a7a42dbc1096a40b0c78f09488fe5a2b
+rem
+rem Resources:
+rem https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=win10-ps
+rem https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection
+rem https://github.com/AndyFul/ConfigureDefender
+rem https://github.com/AndyFul/Hard_Configurator
+
+echo Enabling Windows Defender
+reg query HKLM\SYSTEM\Setup /v DisabledDefenderServices | find "0x0"
+if %errorlevel% == 0 goto already_patched
+
+reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
+reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /t REG_EXPAND_SZ /d "\"%windir%\system32\SecurityHealthSystray.exe\"" /f
+
+echo.
+echo Restore WD shell
+reg add "HKLM\Software\Classes\*\shellex\ContextMenuHandlers\EPP" /ve /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
+reg add "HKLM\Software\Classes\Drive\shellex\ContextMenuHandlers\EPP" /ve /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
+reg add "HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\EPP" /ve /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
+
+echo.
+echo Enable WD services
+reg add "HKLM\System\CurrentControlSet\Services\BFE" /v "Start" /t REG_DWORD /d "2" /f
+reg add "HKLM\System\CurrentControlSet\Services\MpsSvc" /v "Start" /t REG_DWORD /d "2" /f
+reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "2" /f
+reg add "HKLM\System\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "2" /f
+
+reg add "HKLM\System\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "2" /f
+reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "2" /f
+reg add "HKLM\System\CurrentControlSet\Services\wdFilter" /v "Start" /t REG_DWORD /d "2" /f
+reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "2" /f
+reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "2" /f
+reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "2" /f
+
+echo.
+echo 1 - Enable Logging
+reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "1" /f
+reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "1" /f
+
+echo.
+echo Enable WD Tasks
+schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Enable
+schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Enable
+schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Enable
+schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Enable
+schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Enable
+
+echo.
+echo Setting various preferences
+rem CloudExtendedTimeout / 1 - 50 / block a suspicious file for up to 60 seconds (Default is 10)
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /t REG_DWORD /d "0" /f
+
+rem CloudBlockLevel / 0 - Default / 2 - High / 4 - High+ / 6 - Zero tolerance (block all unknown executables)
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d "0" /f
+
+rem 1 - Potentially Unwanted Application protection (PUP) is enabled, the applications with unwanted behavior will be blocked at download and install-time
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "1" /f
+
+rem Block at First Sight / 0 - Enable / 1 - Disable
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "0" /f
+
+rem Cloud-based Protection / 0 - Disable / 1 - Basic / 2 - Advanced
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "1" /f
+
+rem Send file samples when further analysis is required / 0 - Always prompt / 1 - Send safe samples automatically / 2 - Never send / 3 - Send all samples automatically
+reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
+
+echo.
+echo Attempting to enable Tamper Protection. If this fails then you need to do it manually.
+reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "1" /f
+
+rem To prevent WD using too much CPU, add this file to the exclusion list:
+rem C:\Program Files\Windows Defender\MsMpEng.exe
+echo.
+echo Attempting to exclude MsMpEng.exe to reduce CPU usage
+reg add "HKLM\Software\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files\Windows Defender\MsMpEng.exe" /t REG_DWORD /d "0" /f
+
+echo.
+echo Finishing up...
+reg add HKLM\SYSTEM\Setup /v DisabledDefenderServices /t REG_DWORD /d 0 /f
+
+echo Windows Defender has (hopefully) been enabled.
+echo The Antimalware Service Executable should be active again.
+echo Restart your computer to see all changes.
+
+goto eof
+
+:already_patched
+echo Defender has already been enabled by this script.
+echo.
+
+:eof
+pause
diff --git a/windows/readme.md b/windows/readme.md
index 311af97..1bcb043 100644
--- a/windows/readme.md
+++ b/windows/readme.md
@@ -93,10 +93,13 @@ processor time and is generally useless.
 some testing and didn't see any speedup when excluding a project folder.
 * Go into the Windows security settings and disable `Tamper Protection`.
 * winkey+r -> `gpedit.msc`.
+ * Can now disable either with a policy or some custom batch files.
+ * Policy:
 * Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus -> Real-time Protection
 * Double-click the `Turn off real-time protection` policy.
 * Select Enabled (you may have to restart PC).
 * If you want to re-enable then change the policy to `Not configured` and re-enable tamper protection.
+ * Batch files: in `dotfiles/bin` run `antimalware-service-disable.bat` then restart. Reenable it with `antimalware-service-enable.bat`
 * Enable/disable various Window features:
 * Go to Add/Remove Programs -> Turn Windows features on or off
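Review bot: The enable script does not undo everything the disable script changed, so the posture it restores is weaker than the one before disabling: `HideSystray` under `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray` is left at 1, the `Explorer\StartupApproved\Run\SecurityHealth` entry the disable script deleted is not re-created, and the `Exclusions\Paths` entry for MsMpEng.exe is added rather than removed, leaving a path Defender will not scan. At minimum add `reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /f` next to the `CurrentVersion\Run` restore, and document in the header which of the disable script's changes this script intentionally leaves in place. The services block also forces BFE, MpsSvc, SecurityHealthService and SgrmBroker to start type 2 although the disable script never touched them (those lines are commented out there); nothing in this patch establishes that 2 is their stock start type, so that is worth confirming before forcing it. Minor: `echo 1 - Enable Logging` carries a stray `1 - ` prefix that the other section headings do not use.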