Author Topic: Malware can no longer disable Microsoft Defender via the Registry

javajolt (Administrator)

Microsoft has removed the ability to disable Microsoft Defender and third-party security software via the Registry to prevent malware from tampering with protection settings.

Since Windows Vista, users have been able to disable Microsoft Defender completely, and potentially other third-party security software, through the use of the 'Turn off Microsoft Defender Antivirus' group policy setting.


Turn off Microsoft Defender Antivirus group policy

When the policy is enabled, a 'DisableAntiSpyware' Registry value is created and set to 1 under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender key, as shown below.


DisableAntiSpyware value



Once enabled, this policy turns off "Microsoft Defender Antivirus, as well as third-party antivirus software and apps."

In an update to the DisableAntiSpyware documentation, Microsoft states that the DisableAntiSpyware value will now be ignored and no longer used to disable antivirus software.

Quote
"DisableAntiSpyware is intended to be used by OEMs and IT Pros to disable Microsoft Defender Antivirus and deploy another antivirus product during deployment. This is a legacy setting that is no longer necessary as Microsoft Defender antivirus automatically turns itself off when it detects another antivirus program. This setting is not intended for consumer devices, and we’ve decided to remove this registry key. This change is included with Microsoft Defender Antimalware platform versions 4.18.2007.8 and higher KB 4052623. Enterprise E3 and E5 editions will be released at a future date. Note that this setting is protected by tamper protection. Tamper protection is available in all Home and Pro editions of Windows 10 version 1903 and higher and is enabled by default. The impact of the DisableAntiSpyware removal is limited to Windows 10 versions prior to 1903 using Microsoft Defender Antivirus. This change does not impact third party antivirus connections to the Windows Security app. Those will still work as expected."

Microsoft also stated that if a user removes their installed antivirus solution, Windows Defender will automatically turn back on to protect them.

"Consumers may choose to run another AV solution, but if for any reason that solution is turned off, Microsoft Defender AV will turn itself back on to ensure there is no gap in protection for the user. This change does not impact third party antivirus connections to the Windows Security app. Those will still work as expected," Microsoft told BleepingComputer.

Microsoft may not be telling the whole story

Windows administrators are not the only ones who know about the DisableAntiSpyware group policy; malware developers know about it as well.

BleepingComputer has reported on numerous malware families, including TrickBot, Novter, Clop Ransomware, Ragnarok Ransomware, and AVCrypt Ransomware, that have abused this group policy to try to disable antivirus protection in Windows.

With the release of Windows 10 1903, Microsoft introduced a new feature called Windows Tamper Protection that prevents Windows Security and Microsoft Defender settings from being changed by programs, Windows command-line tools, Registry changes, or group policies.

Unfortunately, adding the DisableAntiSpyware Registry value still briefly worked even when Tamper Protection was enabled.

If malware added the DisableAntiSpyware value to the Registry and then rebooted the computer, Tamper Protection would remove the value on reboot.

Windows Security, though, would still be disabled for that session until the computer was rebooted again.


Microsoft Defender disabled by DisableAntiSpyware value

This method allowed malware to run unchecked by Microsoft Defender or other security software.
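For administrators who want to check whether a given Windows 10 host is still exposed to this behaviour, the following audit script is an added example (not code from the article or from Microsoft). It assumes the Defender PowerShell module is present (Get-MpComputerStatus) and compares the reported platform version against 4.18.2007.8, the version named in Microsoft's statement, while also reporting whether the DisableAntiSpyware policy value is currently set.

```powershell
# Added audit script, not part of the original article.
# Assumes: Windows 10 with the Defender module (Get-MpComputerStatus) and
# the standard policy key path quoted in the article.
$policyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$fixedPlatform = [version]'4.18.2007.8'   # platform version from Microsoft's statement

$status   = Get-MpComputerStatus
$platform = [version]$status.AMProductVersion

# Windows 10 release (e.g. 1903); Microsoft says the change only matters before 1903
$releaseId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId

# Is the legacy DisableAntiSpyware value present under the policy key?
$value = $null
if (Test-Path $policyKey) {
    $value = (Get-ItemProperty -Path $policyKey -Name 'DisableAntiSpyware' `
              -ErrorAction SilentlyContinue).DisableAntiSpyware
}

$result = [pscustomobject]@{
    ReleaseId                 = $releaseId
    PlatformVersion           = $platform
    IgnoresDisableAntiSpyware = ($platform -ge $fixedPlatform)
    TamperProtection          = $status.IsTamperProtected
    AntivirusEnabled          = $status.AntivirusEnabled
    DisableAntiSpywareSet     = ($value -eq 1)
}
$result

# A set value on a platform that still honours it is the risky combination;
# a set value on any host is still worth investigating (who created it, and when).
if ($result.DisableAntiSpywareSet) {
    if (-not $result.IgnoresDisableAntiSpyware) {
        Write-Warning 'DisableAntiSpyware=1 is present and this platform still honours it.'
    } else {
        Write-Warning 'DisableAntiSpyware=1 is present (ignored by this platform, but unexpected).'
    }
}
```

Run it in an elevated PowerShell session; the object it prints can be collected from many hosts and filtered on DisableAntiSpywareSet or IgnoresDisableAntiSpyware.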

Now that Microsoft Defender ignores the DisableAntiSpyware value, Windows 10 users have far greater protection from threats that try to disable security software using this technique.
