
Disable Tamper Protection and Windows Defender

Open Ana06 opened this issue 1 year ago • 5 comments

Disable Tamper Protection and Windows Defender, preferably via Group Policy. Resources:

  • Disabling Tamper Protection
    • https://support.microsoft.com/en-us/windows/prevent-changes-to-security-settings-with-tamper-protection-31d51aaa-645d-408e-6ce7-8d7f8e593f87
    • https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-windows-defender-antivirus.html
  • Disabling Windows Defender
    • https://stackoverflow.com/questions/62174426/how-to-permanently-disable-windows-defender-real-time-protection-with-gpo
    • https://www.windowscentral.com/how-permanently-disable-windows-defender-windows-10
    • https://github.com/jeremybeaume/tools/blob/master/disable-defender.ps1
    • https://lazyadmin.nl/win-11/turn-off-windows-defender-windows-11-permanently/

@mandiant/flare-vm commando-vm should we add this to the debloat package?

In flare-vm the focus is on Windows 10, and we would like to automate this step, which we are currently doing manually.

Ana06 avatar Oct 17 '23 07:10 Ana06

I didn't think it was possible to disable it with a script due to Tamper Protection, but if we can automate that, it would be the best thing we could do, because then we could do unattended installs with Vagrant and the like. It would be amazing.

day1player avatar Oct 17 '23 15:10 day1player

Even if we could automate killing Defender, but require Tamper Protection to be disabled, that would be a step in the right direction. The issue is that I believe doing it through group policy requires a reboot, so we would have to figure out how to wrap that into the install. I think that would get confusing and might require some creative thinking with Boxstarter.

day1player avatar Oct 17 '23 15:10 day1player

Commando-vm README also includes detailed instructions to do this manually: https://github.com/mandiant/commando-vm

Ana06 avatar Oct 18 '23 10:10 Ana06

From https://github.com/mandiant/VM-Packages/issues/837#issuecomment-2011870798:

Uninstall-WindowsFeature -Name Windows-Defender

Has someone else tried this?

Ana06 avatar Apr 03 '24 10:04 Ana06

I did try it, but I believe it is only a feature for Windows Server builds, which is why it errors out for me. https://learn.microsoft.com/en-us/powershell/module/servermanager/uninstall-windowsfeature?view=windowsserver2022-ps: "Uninstalls specified Windows Server roles, role services, and features from a computer that is running Windows Server."


FWIW, I was able to simply add most of the Registry Keys from this blog post and only needed to manually disable Tamper Protection, and it seemed to disable Defender for me: https://www.maketecheasier.com/permanently-disable-windows-defender-windows-10/

emtuls avatar Apr 03 '24 16:04 emtuls
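The thread above leaves two open questions a VM builder actually needs answered: did the GPO/registry changes take effect, or is Tamper Protection still silently overriding them, and is `Uninstall-WindowsFeature` even present on the build being provisioned? The following read-only PowerShell check is an added example, not code from the VM-Packages project or from anyone in this issue. It changes nothing on the machine; it only reports state so the manual Tamper Protection step and the reboot requirement mentioned above can be verified before continuing an unattended install. It assumes Windows PowerShell 5.1 or later, an elevated session, and that the Defender module (`Get-MpComputerStatus`) is still installed; the `DisableAntiSpyware` policy value is the one the linked registry/GPO guides set and is read purely for diagnosis.

```powershell
# Added verification script (not part of VM-Packages or this issue).
# Reports whether Tamper Protection and Defender are actually off, and whether
# Uninstall-WindowsFeature exists on this SKU. Read-only; it modifies nothing.
# Assumes: elevated Windows PowerShell 5.1+, Defender module still present.

function Get-DefenderState {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # ProductType: 1 = workstation (client), 2 = domain controller, 3 = server
    $isServer = $os.ProductType -ne 1

    # Get-MpComputerStatus throws if the Defender service/module has been removed
    try { $mp = Get-MpComputerStatus -ErrorAction Stop } catch { $mp = $null }

    # Policy value set by the linked registry/GPO guides (read for diagnosis only)
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $policy = Get-ItemProperty -Path $policyPath -Name DisableAntiSpyware -ErrorAction SilentlyContinue

    # Uninstall-WindowsFeature lives in the ServerManager module (Windows Server only)
    $hasUninstallFeature = [bool](Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue)

    $tamper   = $null; $realtime = $null; $av = $null; $amService = $null
    if ($mp) {
        $tamper    = $mp.IsTamperProtected
        $realtime  = $mp.RealTimeProtectionEnabled
        $av        = $mp.AntivirusEnabled
        $amService = $mp.AMServiceEnabled
    }

    [pscustomobject]@{
        OSCaption                = $os.Caption
        IsServerSku              = $isServer
        UninstallWindowsFeature  = $hasUninstallFeature
        TamperProtected          = $tamper
        RealTimeProtectionOn     = $realtime
        AntivirusEnabled         = $av
        AMServiceRunning         = $amService
        DisableAntiSpywarePolicy = if ($policy) { $policy.DisableAntiSpyware } else { $null }
    }
}

function Test-DefenderDisabled {
    param([Parameter(Mandatory)] $State)
    $problems = @()
    $notes    = @()

    if ($State.TamperProtected -eq $true) {
        $problems += 'Tamper Protection is still on; policy/registry changes are ignored until it is turned off manually in Windows Security.'
    }
    if ($State.RealTimeProtectionOn -eq $true) { $problems += 'Real-time protection is still enabled.' }
    if ($State.AntivirusEnabled -eq $true)     { $problems += 'Antivirus engine still reports enabled.' }
    if ($State.AMServiceRunning -eq $true)     { $problems += 'Antimalware service is still running.' }
    if ($State.DisableAntiSpywarePolicy -eq 1 -and $State.AntivirusEnabled -eq $true) {
        $problems += 'DisableAntiSpyware policy is set but not honoured; check Tamper Protection and whether a reboot is still pending.'
    }
    if (-not $State.IsServerSku -and -not $State.UninstallWindowsFeature) {
        $notes += 'Uninstall-WindowsFeature is unavailable on this client SKU (ServerManager cmdlet), as reported in the thread.'
    }

    [pscustomobject]@{
        Disabled = ($problems.Count -eq 0)
        Problems = $problems
        Notes    = $notes
    }
}

$state = Get-DefenderState
$state | Format-List
$result = Test-DefenderDisabled -State $state
if ($result.Disabled) { 'Defender appears fully disabled on this VM.' } else { $result.Problems }
$result.Notes
```

Run it once before the Defender-disabling step (expect `TamperProtected` to be `False` after the manual toggle) and again after the reboot that the group-policy route requires; a non-empty `Problems` list at that point means the automation should stop rather than proceed with the unattended install.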