Can you DISABLE Windows Defender Antivirus? 

Would you mind filling me in on what you are referring to by "other stuff" and "basic experience with the registry?" And how I could make my videos better organized?

@@_JohnHammond It might be better to explain that certain commands will fail, because they require admin. After some programs were blocked, I did not see any attempts to allow the thread as a limited user. I would assume it requires admin. For the registry, if you export a key, you will notice that there is a header on the first line, which you did not add. Take a moment to read the errors and think how to overcome them, then do so. You pretty must left the entire video with no results: what does each script or tool do? Does it change any registry settings, which? What is the end result? I had disabled Defender manually, I mean the protected service. It didn’t give up easily. I had to do it offline, then there are two more services that watch it's back and will re-enable it. There's a big difference on performance, especially when you compile large projects, though I have a hunch there is more work to get rid of any low-level file-system filters and drivers. I wouldn’t trust running random executables on a development machine. Scripts and registry changes are more trustworthy. Deleting Defender program files: I would assume the Defender needs to be stopped; any shell-extensions unregistered and not in use; trusted installer credentials: admin may not be enough. There's not much point in that anyway, so long as it is disabled. I can tell the video is dedicated to actually bypassing the security rather than running with Defender disabled, hence either the title is not suitable or it needs more material to fully cover the topic. Also I remember on the previous video I watched about reverse shell, once the base64 was detected by cloud protection, you said you still have a working shell, but did not try running a command to confirm. A remote shell does not have a concept about terminal window size. It's plain text. You do seem to have good experience with PowerShell. I personally find it hard to remember any commands, so I'd rather switch to a UNIX machine or save them to a text file. A good habit of your indeed. Good luck, John! Oh, and since you are into security, I can point you to a web server that I think is pretty had to exploit. Let m know if you want to give it a go.

@@GeorgeValkov Hi. I need more information to reproduce disabling defender.

Lol who even are you

@@AKU666 Disable the following services: SgrmAgent SgrmBroker WinDefend wscsvc HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Services Start = 4 You must modify the registry offline, from another installation of Windows.

You need to make a custom loader for metasploit shellcode to use it undetected.

@@tb-mn3po Oh yeah, I'm sure there's good ways around it, but trying to follow along with whatever guide I'm going through that's focused on a different aspect, it's nice to not have to worry about that aspect.

@@tb-mn3po link us something on this please

So why not use Linux ?

I love Chris and John for diffrent reasons. All of you should too!

Uninstalling it may be hard but disabling it is easy so idk what people are talking about

just do gpedit to nerf real time protection, then disable fraud (?) protection check mark in defender settings. But ngl, i am not sure how to disable defender completely, as i only needed to nerf real-time invasive deletion of files. Maybe if i had purpose

@Joshua F Me too, how could you have guessed it?

DOH, I am an idiot. Super sorry and thanks for the great catch. To add to the test I reverted to my snapshot, added those lines, and had the new error "Cannot import C:\Users\lowpriv\Desktop\windefender_disable.reg: Error accessing the registry." :)

@@_JohnHammond Nice and you're not an idiot! Sometimes the obvious things slip our minds. I had doubts it would work too. Giving access to registry to a low privileged user would be like handing a gun to a child. Microsoft's security has improved a lot over the years.

Wdym exactly by not using an antivirus. did you disable defender or do you just dont have a third party one

@@kaaaxcreators I disable real time and cloud delivered protection.

@@TurntableTV May I ask why

I wanted to add that uac bypasses, at least the majority, can be stopped by setting your uac settings to be as strict as possible, rather than the default level.

This is cool but some AVs have also tamper protection technology such as self defense in Kaspersky Cloud security ! So the exclusions technique that you are talking about won't work even with admin privs except on Windows defender + some UAC bypass + some 0day in order for it to work in real life.. But the main problem is the admin priv as what john said in the video

@@jamieeccleston2988 using reg tweaks ? Or group policies ? So it can prompt you to enter the password each time ?

@@_AN203 On windows defender the exclusion technique does work, and you don't need any 0day. I did mention that the exclusion technique wouldn't work on other AV products, but you can do other things there, like I said.

You still have bigger issues than defender.

I wonder if it works differently between Windows 10 and 11 maybe? I've been really happy with Defender at home, and seeing how well it works as a Security Analyst at work. I remember running Responder on my VM network in my home lab and forgetting to isolate the network from my home network with my work laptop on it. Sure enough, we got a bunch of alerts in Sentinel that logged and alerted us to the Responder traffic that hit my machine. My co-worker pinged me and said "What the heck are you doing at home!? :D" It definitely seems like a bit of a silly article if the crux of the argument is "well if you have Admin permissions" since that opens up most anything to attack, which is why it's something to be so wary of.

I used windows defender and I didn't used any antivirus from the first time I got my PC(5-6 years ago) and will not use anything else. From my opinion Microsoft does everything as soon as possible to keep the defender and windows up to date

i use kaspersky :)

@@nissanswain431 You know this video is about Microsoft/Windows Defender eh? Not Bitdefender.

But in task manager see the resource usage man yes i want security but it uses alot of power & memory

Windows defender is probably the best performing AV given its capabilities, I wouldn’t trust anything that has “lighter performance”

You are correct. He also mentioned the services and drivers, but these cannot be stopped by admin either. In terms of disabling it, the best i managed to do was place it in passive mode.

It is actually not secure enough. I can give you a program, if you execute it, it won't be detected and in 10 minutes your windefender would not work anymore. After that I could do whatever I want. I would tell them to get bitdefender. As Kaspersky isn't really 100% secure anymore with the whole russia situation.

@@tb-mn3po corporatw shill. Any AV can be defeated.

However that being said, I think the video does a good job illustrating how effective defender can be at it's job

Do you have to have admin permissions to adding to the exclusion list? (I'd imagine you'd have to). If so, I don't see too big of a vulnerability, but anyone with a little bit of knowledge once they have admin rights could destroy, or atleast temporarily disable, almost any antimalware in the consumer sector

@@kadragon3764 yes you do and I didn't get to watch more of the video till my break so didn't realize he was using a non elevated account. For that you would def need to escalate your privledges first.

Like fodhelper.exe uac bypass which is still not patched since 2017?

decent is not good enough

You're supporting Putin by using Kaspersky

@@LooneyTunes88Lol… how did anti-virus applications turn political🫣 Fact is, Windows Defender is unable to preform that tasks I need. Kaspersky does what I need it too. I don’t care what county it’s from. One works better for me than the other😂

I can't think of a reason I would want to in everyday life, but it is useful to disable it for studying Pen Testing things when you're trying to just get the fundamentals down. I've been working on Windows Pen Testing study lately, and while it's not "realistic" it is nice to disable Defender so that there isn't something to potentially catch the exploit and cause it to fail, while you're stuck sitting there thinking you did something wrong or the exploit itself is broken. It makes it a lot easier to learn the fundamentals of how things work after which you can graduate to working on evading things like Defender once you understand the how and why of an exploit.

I have done a dissertation in cybersecurity, in that dissertation I wanted to show and monitor the system AFTER the execution of the malware. Therefore since my focus was not on how a malware can trick the AV I just disable the AV an execute it. I think those are the situation where you want your AV off , even though ,those experiments are done in a sandbox environment. Other reasons why would you like your AV off on your main computer is to execute different false positive files.

The perspective is from the attackers pov. Phished user runs the malware that stomps MS Defender and the malware is free to connect back.

Basically, yes. However the industry is moving towards EDR, at least in a business setting (requirement for cybersecurity insurance). Pretty much all of those offer uninstall protections and kill off anything that attempts to disable.

Unless you practice good security hygiene (and I know you do, ofcourse ;) you can easily be in a worse place on a Linux box then on a Windows box. I've seen way too many folks on badly configured Linux boxes, installing binaries left and right and running all kinds of untrusted scripts as root.

@@B-a_s-H TL;DR - That's definitely more of a user issue, not a Linux problem. I do know what your saying, as I have seen things like this myself and was there at one point. It's most always due to newer users who are coming from Windows and expecting to just use the same methods to install software. It's a learning issue, one I have deemed "windows poisoning" (expecting to use a completely different OS and expect same results) -- true for MacOS as well. Not to say I am a hater of Windows, because it has it's place, but I would gamble to say the malicious area is 99% a Windows issue which is a very known targeted OS for scammers, viruses, etc. With Linux, most everything is open-source so if you don't trust a piece of software, it's quite easy to use the source code and compile it yourself, and no, you don't have to be a "super geek" to do that. Literally every Linux distro has repos for packages that are safe to install with builtin package management. Windows has no such thing afaik, everything is not approved by Microsoft. Every Linux OS an entire approval process. Then we add the fact that on Windows, you are expected to goto a 3rd party website to download an exe (binary) to install, many of which are malicious (installs extra software, etc). On Linux, this simply does not happen since everything is safely stored on approved distro repos with hash checks on all installed software prior to installing, and again, 99.99% of it is open-source which on Windows bases OS-es, that's almost completely opposite so you really have no idea what you are running when you launch software. I wont even get started with the security implications of even just merely using a modern Windows OS. The only way to be "unsafe" on Linux so to speak is to manually add repos/software from untrusted sources, or as you said, run random scripts without actually knowing how it impacts your system which is just plain stupid. True of any OS really. If you don't understand something and end up breaking your system, that's on you. Lazy approaches never have a good outcome right? Arch Linux has an AUR for example where something like that could happen, but I've yet to ever see it. Even when I was new to Linux, I had no problems with software maliciousness. I did break my own system quite a few times, but it's also because I was learning. I used to have the similar things happen on Windows years ago when I was new to that. The takeaway here is to not use a new OS you are unfamiliar with as a daily driver until you actually learn it properly. If a user is depending on installing from unknown software sources in Linux and running random "magic" scripts, instead of using builtin package managers or properly configuring/installing, again that is more of a user issue than an OS issue. Just like Windows, if one takes the time to learn how to properly use Linux, it's really a lot more stable and user-friendly experience than what the stigma and bias says from Microsoft fans. Looking back and another viewpoint, if I could start all over between Linux/Windows, I would much prefer to take the time to learn Linux with all it's amazing capability, security, and stability that what Windows is turning into, an app, which will likely be a subscription service stored on a remove server in the future.

@@terminalvelocity4858 Based asf.

Command prompt un recovery mode is password protected by Admin

@@Kingdd1os no? what do you mean by "protected by admin"? as far as i know, it only happens if you delete something in system32 while on normal mode

Defender is actually a series of services and your other AV supposed to know which part of Defender services/protection to disable during the installation. Defender has the API for other AV to turn those off because of the lawsuits raised by other AV vendor in 2010s. If your other AV doesn't disable Defender properly, it would suggested that your AV isn't doing a good job of setting your system correctly and I would personally not trusting that AV at all.

@@samic Sophos is the AV that was dictated to me to use from on High. It shows Defender as disabled in the GUI after installation, but the AntiMalware Executable service which is part of Defender still is enabled. as such I Rip out defender with this: Uninstall-WindowsFeature -Name Windows-Defender btw, The above command came from Sophos Support, General internet searches, POST 2010, and Avasts website, and Avira's documentation, so there is still something hanky going on with Defender.

@@markgilbert5856 That means Defender is on Passive Mode (it detected 3rd party AV) but Sophos were conflict with it. To be honest any 3rd party AVs I've used has no problem with with Passive Mode but I don't use Sophos so I couldn't comment on it. Completely rip out Defender is actually a bad advice because Defender is a comprehensive protections that 3rd party AV might not provide in their package and Defender will covers it. The reason why it is "EASY" for admin to disable Windows Defender because Kaspersky sued Microsoft for closing kernel hook for AV so Microsoft give them API to turns off Defender or running in Passive Mode. Clearly this video has failed to mention that.

@@samic if only the anti-malware executable, wasn't taking up between 25 and 50% of my CPU. Then i would never remove it. The fact that it eats up more resources than my users use is ridiculous

@@samic Thanks for the gaslighting @samic. The user should have full control of their software on their PC. That's not something Microsoft wants with their free OS.