How to permanently disable Microsoft Defender Antivirus on Windows 10
Windows 10 is equipped with a mechanism that automatically re-enables Microsoft Defender Antivirus after a reboot, even if it has been set to disabled.
This mechanism generally helps to protect the device, but security researchers sometimes want to disable it, for example when analyzing malware, verifying vulnerabilities, or playing CTFs.
In this article, I will show you how to keep Microsoft Defender Antivirus disabled on Windows 10 even after a reboot.
Summary of Method
I was able to disable Microsoft Defender Antivirus by using Autoruns to stop all startups related to it.
For this operation, it was necessary to manually disable the Real-time protection beforehand.
I tried to find a way to disable it with a command, but Microsoft Defender Antivirus is more difficult to disable than I thought, and I couldn’t find a way to do it on a Windows 10 build close to the latest version.
Environment
- Microsoft Windows 10 Pro 1909 [Version 10.0.18363.1316]
Get Autoruns
- Autoruns for Windows — Windows Sysinternals | Microsoft Docs
https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
Turn off Real-time protection
Enter Tamper Protection in Start and turn off the Real-time protection setting.
Stop Microsoft Defender Antivirus related startups
Run Autoruns (Autoruns64.exe) with administrative privileges.
Open the Options menu and uncheck every item except Hide Empty Locations.
Next, enter Windows Defender in the filter field.
Uncheck all items except PolicyAgent in the following two categories. Note that the displayed contents may differ slightly depending on your environment.
- Task Scheduler
- HKLM\System\CurrentControlSet\Services
Then reboot, and Microsoft Defender Antivirus will be permanently disabled.
Checking the status
- Get-Service WinDefend
PS C:\> Get-Service WinDefend
Status   Name               DisplayName
------   ----               -----------
Stopped  WinDefend          Microsoft Defender Antivirus Service
- Get-MpPreference
PS C:\> Get-MpPreference
(snip)
DisableRealtimeMonitoring : True
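The two commands above only read one service and one preference. A fuller read-only check, useful both for confirming the state this article aims at and, on a production machine, for spotting Defender being tampered with, is shown below. This is an added example, not a script from the original article; it assumes Windows 10 with the Defender PowerShell module present and is run from an elevated prompt. The function name Get-DefenderAuditReport and the list of checks are my own choices.

```powershell
# Added example (not from the original article): read-only audit of the
# Microsoft Defender Antivirus state. Reports every deviation from an enabled,
# tamper-protected install instead of changing anything.
# Assumes: Windows 10, Defender PowerShell module present, elevated prompt.

function Get-DefenderAuditReport {
    [CmdletBinding()]
    param()

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. Service state: WinDefend is the antivirus engine service,
    #    WdNisSvc the network inspection service.
    foreach ($name in 'WinDefend', 'WdNisSvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            $findings.Add("Service $name is not present")
        } elseif ($svc.Status -ne 'Running') {
            $findings.Add("Service $name is $($svc.Status)")
        }
    }

    # 2. Preferences and engine status. These cmdlets may fail when the engine
    #    is stopped, which is itself worth reporting.
    try {
        $pref   = Get-MpPreference -ErrorAction Stop
        $status = Get-MpComputerStatus -ErrorAction Stop

        if ($pref.DisableRealtimeMonitoring)        { $findings.Add('DisableRealtimeMonitoring is True') }
        if (-not $status.RealTimeProtectionEnabled) { $findings.Add('RealTimeProtectionEnabled is False') }
        if (-not $status.AntivirusEnabled)          { $findings.Add('AntivirusEnabled is False') }
        if (-not $status.IsTamperProtected)         { $findings.Add('Tamper Protection is off') }
    } catch {
        $findings.Add("Defender cmdlets failed: $($_.Exception.Message)")
    }

    # 3. Scheduled tasks under \Microsoft\Windows\Windows Defender\ that have
    #    been disabled (this is the Task Scheduler category shown in Autoruns).
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -ErrorAction SilentlyContinue
    foreach ($t in $tasks) {
        if ($t.State -eq 'Disabled') {
            $findings.Add("Scheduled task '$($t.TaskName)' is Disabled")
        }
    }

    # 4. Service start type under HKLM\System\CurrentControlSet\Services
    #    (the other Autoruns category). Start = 4 means SERVICE_DISABLED.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend'
    $start = (Get-ItemProperty -Path $regPath -Name Start -ErrorAction SilentlyContinue).Start
    if ($null -ne $start -and $start -eq 4) {
        $findings.Add('WinDefend Start value is 4 (Disabled)')
    }

    [pscustomobject]@{
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Usage: print either a clean bill of health or every finding.
$report = Get-DefenderAuditReport
if ($report.Healthy) { 'Defender appears enabled and intact' } else { $report.Findings }
```

On a machine configured as described in this article, the report should list the stopped WinDefend service, DisableRealtimeMonitoring set to True, Tamper Protection off, and the disabled Windows Defender scheduled tasks; on a machine that should be protected, any of those lines is a signal to investigate.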
Note
Some articles say that it can be disabled by installing third-party antivirus software, but I haven’t tried that because it didn’t suit my purpose this time.
References
Successful Methods
- Can’t disable Windows Defender by using group policies — Microsoft Q&A
https://docs.microsoft.com/en-us/answers/questions/234111/can39t-disable-windows-defender-by-using-group-pol.html
- Unable to disable Windows Defender on 1909 Solved — Windows 10 Forums
https://www.tenforums.com/antivirus-firewalls-system-security/167105-unable-disable-windows-defender-1909-a.html
- Turn off antivirus protection in Windows Security
https://support.microsoft.com/en-us/windows/turn-off-antivirus-protection-in-windows-security-99e6004f-c54c-8509-773c-a4d776b77960
Other methods
- Manage and Disable Windows Defender Using PowerShell — TheITBros
https://theitbros.com/managing-windows-defender-using-powershell/
- DisableAntiSpyware | Microsoft Docs
https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware
- How do I completely turn off Windows Defender from PowerShell? — Server Fault
https://serverfault.com/questions/873522/how-do-i-completely-turn-off-windows-defender-from-powershell
- flare-vm/install.ps1 at master · fireeye/flare-vm · GitHub
https://github.com/fireeye/flare-vm/blob/master/install.ps1
About Microsoft Defender Antivirus
- Microsoft Defender — Wikipedia
https://en.wikipedia.org/wiki/Microsoft_Defender
- How to manage Microsoft Defender Antivirus with PowerShell on Windows 10 | Windows Central
https://www.windowscentral.com/how-manage-microsoft-defender-antivirus-powershell-windows-10
Appendix: A collection of methods that did not work on Windows 10 1909
Set-MpPreference -DisableAutoExclusions $true
If you search for Windows Defender Disable in Windows 10, you will find many articles that say you can disable it by typing Set-MpPreference -DisableAutoExclusions $true in PowerShell, but I could not reproduce it.
Get-Service WinDefend | Stop-Service -Force
FLARE-VM tries to disable it by running commands such as Get-Service WinDefend | Stop-Service -Force in PowerShell, but as far as I could tell, I could not reproduce this either.
PS C:\> Get-Service WinDefend | Stop-Service -Force
Stop-Service : Service 'Microsoft Defender Antivirus Service (WinDefend)' cannot be stopped due to the following error:
Cannot open WinDefend service on computer '.'.
At line:1 char:25
+ Get-Service WinDefend | Stop-Service -Force
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (System.ServiceProcess.ServiceController:ServiceController) [Stop-Service], ServiceCommandException
+ FullyQualifiedErrorId : CouldNotStopService,Microsoft.PowerShell.Commands.StopServiceCommand
Enable Turn off Microsoft Defender Antivirus in Group Policy
There are some articles that say you can disable it by enabling Turn off Microsoft Defender Antivirus in Group Policy, but as far as I checked, the setting was forcibly reset to Not Configured after a reboot, so I could not disable it the way I wanted.
Add DisableAntiSpyware to the registry
There are some articles that say you can disable it by adding DisableAntiSpyware to the registry, but as far as I checked, I was not able to reproduce it. (There are articles that say the specification has been changed so that this no longer works.)
Original Article
- Microsoft Defender Antivirus を無効化する — setodaNote
https://soji256.hatenablog.jp/entry/2021/02/11/070000
Update History
- 2021/02/15 New.