Windows 10 News and info | Forum
Topic: Malware can no longer disable Microsoft Defender via the Registry
Posted by javajolt (Administrator) on August 21, 2020, 02:14:17 PM
Microsoft has removed the ability to disable Microsoft Defender and third-party security software via the Registry to prevent malware from tampering with protection settings.

Since Windows Vista, users have been able to disable Microsoft Defender completely, and potentially other third-party security software, through the use of the 'Turn off Microsoft Defender Antivirus' group policy setting.

(Image: Turn off Microsoft Defender Antivirus group policy)

When the policy is enabled, a 'DisableAntiSpyware' Registry value is created and set to 1 under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender key, as shown below.

(Image: DisableAntiSpyware value)
Once enabled, this key will turn "off Microsoft Defender Antivirus, as well as third-party antivirus software and apps."

In an update to the DisableAntiSpyware documentation, Microsoft states that the DisableAntiSpyware value will now be ignored and no longer used to disable antivirus software.

"DisableAntiSpyware is intended to be used by OEMs and IT Pros to disable Microsoft Defender Antivirus and deploy another antivirus product during deployment. This is a legacy setting that is no longer necessary as Microsoft Defender antivirus automatically turns itself off when it detects another antivirus program. This setting is not intended for consumer devices, and we've decided to remove this registry key. This change is included with Microsoft Defender Antimalware platform versions 4.18.2007.8 and higher KB 4052623. Enterprise E3 and E5 editions will be released at a future date. Note that this setting is protected by tamper protection. Tamper protection is available in all Home and Pro editions of Windows 10 version 1903 and higher and is enabled by default. The impact of the DisableAntiSpyware removal is limited to Windows 10 versions prior to 1903 using Microsoft Defender Antivirus. This change does not impact third party antivirus connections to the Windows Security app. Those will still work as expected."


Microsoft also stated that if a user removes their installed antivirus solution, Windows Defender will automatically turn back on to protect them.

"Consumers may choose to run another AV solution, but if for any reason that solution is turned off, Microsoft Defender AV will turn itself back on to ensure there is no gap in protection for the user. This change does not impact third party antivirus connections to the Windows Security app. Those will still work as expected," Microsoft told BleepingComputer.

Microsoft may not be telling the whole story

Just like Windows administrators have known about the DisableAntiSpyware group policy, malware developers have as well.

BleepingComputer has reported on numerous malware infections, including TrickBot, Novter, Clop Ransomware, Ragnarok Ransomware, and AVCrypt Ransomware, which have abused this group policy to try and disable antivirus protection in Windows.

With the release of Windows 10 1903, Microsoft introduced a new feature called Windows Tamper Protection that prevents Windows Security and Microsoft Defender settings from being changed by programs, Windows command-line tools, Registry changes, or group policies.

Unfortunately, adding the DisableAntiSpyware Registry value still briefly worked even when Tamper Protection was enabled.

If malware added the DisableAntiSpyware value to the Registry and then rebooted the computer, Tamper Protection would remove the value on reboot.

Windows Security, though, would still be disabled for that session until the computer is rebooted again.

(Image: Microsoft Defender disabled by DisableAntiSpyware value)

This method allowed malware to run unchecked by Microsoft Defender or other security software.

As Microsoft Defender now ignores the DisableAntiSpyware value, Windows 10 users have far greater protection from threats that try to disable security software using this technique.

source
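The following read-only audit script is an added example and is not part of the forum post, the BleepingComputer article, or any Microsoft documentation. It checks the two things the article makes relevant for a defender: whether the legacy DisableAntiSpyware value is present under the policy key named above, and whether the installed Defender platform version is at or above 4.18.2007.8 (the version the article says starts ignoring the value), along with the Tamper Protection state. It assumes the Defender PowerShell module (Get-MpComputerStatus) is available and that the script runs elevated; the event-log check assumes the standard Defender operational log and its "protection disabled" event IDs 5001 and 5010. The cutoff version and the seven-day lookback are assumptions chosen for illustration.

```powershell
# Added audit example (not from the forum post, BleepingComputer, or Microsoft).
# Read-only: reports whether the legacy DisableAntiSpyware policy value is set,
# whether this Defender platform is new enough to ignore it, and whether any
# "protection disabled" events were logged recently. Run as Administrator.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$cutoff    = [version]'4.18.2007.8'   # platform version named in the article (assumption: compare with >=)
$lookback  = (Get-Date).AddDays(-7)   # assumed lookback window for the event-log check

# 1. Is the legacy value present at all? On a managed endpoint it should not be.
$value = (Get-ItemProperty -Path $policyKey -Name 'DisableAntiSpyware' -ErrorAction SilentlyContinue).DisableAntiSpyware
if ($null -eq $value) {
    $legacyState = 'not present'
} else {
    # Presence alone is worth a ticket: find out which process or policy wrote it.
    $legacyState = "present, value = $value (investigate origin)"
}

# 2. Platform version and current protection state from the Defender module.
$status   = Get-MpComputerStatus
$platform = [version]$status.AMProductVersion
$ignoresLegacyValue = ($platform -ge $cutoff)

# 3. Recent Defender events that record protection being turned off.
#    5001 = Real-time protection is disabled; 5010 = malware scanning is disabled.
$disabledEvents = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5010
        StartTime = $lookback
    } -ErrorAction SilentlyContinue)

[pscustomobject]@{
    DisableAntiSpyware        = $legacyState
    PlatformVersion           = $platform.ToString()
    IgnoresDisableAntiSpyware = $ignoresLegacyValue
    TamperProtectionOn        = $status.IsTamperProtected
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionOn      = $status.RealTimeProtectionEnabled
    DisabledEventsLast7Days   = $disabledEvents.Count
}
```

The combination to act on is a platform version below the cutoff on a host older than Windows 10 1903 (so no Tamper Protection) with the value present or with recent 5001/5010 events: that is exactly the window the article describes, where setting the value and rebooting still yielded one session without protection.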