PERMANENTLY TURN OFF Windows Defender on Windows 11

Captions
Why would you ever want to disable Windows Defender, your antivirus installed on your Windows computer? Well, there are a couple of different reasons. You might be doing things for security research, you might be learning penetration testing, you might be studying red team, and you might be digging into vulnerabilities and exploits and just trying to learn more. In that case it can be handy to try and remove Defender and get it out of your way for the things that you're testing and experimenting with. I agree that there isn't normally a use case for this, because hey, if you're running an organization, if you've got a business, a company, something where you want to keep these machines secure, as you should, your antivirus should be on, and Windows Defender is a fine candidate for that. But in this video I want to show you how you can remove Defender and get it out of your way for virtual machines or for sandboxes that you are practicing and playing offensive security in. Let's dive in.

Before we get started, let me add the disclaimer that this is certainly not my own original idea. This is from another great researcher and great sysadmin over in the Netherlands, I believe his name is Rudy, and this is online at lazyadmin.nl. You can track down "Windows 11: turning off Windows Defender permanently". Now I know that, hey, when you're playing and pen testing around and doing some shady stuff, you might see Defender turn itself back on even after you've turned it off, and that can be a little bit annoying. Hey, even if you've got tamper protection out of the way, it still comes back to life magically some way or another. So this will show you how to hardcore kill this thing, and this is all explained in this article. I want to give credit where credit is due; he's really showcasing the great stuff here, and if you have more interest in reading this I'll drop that link in the description. You can certainly go through this, but if you want to just watch it and see how it happens, that's what this video is for. Rudy does showcase this exact problem: hey, you might turn off real-time protection through the GUI or the settings, but it will just automatically turn back on. So here's how we can nerf this thing for real.

Okay, so I'm working in my Windows 11 virtual machine that I've created in some previous videos. I am going to be working out of the local admin account rather than the low-privilege user account. So to start us off here, I do want to show us the current and active settings of Defender. It is on and working by default, so if I go ahead and open up the Start menu and check out the Virus & threat protection settings, open this up here, you can see, hey, protection is enabled, it is not really needed to make any changes, it's all green check boxes all the way around, no current threats, but it has been scanning and doing its thing as it needs to.

So we could verify that. Let me go ahead and open up a PowerShell session and I will run the command that will normally trigger AMSI, or that Anti-Malware Scan Interface. I'll go ahead and try and Invoke-Mimikatz. I don't even have Mimikatz installed, I don't have it set up on this box; normally it would get an error, as we'll see later, but AMSI and Windows Defender will try and snarf it up, because it says, hey, this script contains malicious content and has been blocked by your antivirus software. Defender's doing its thing. If we want to triple check that, let me go snag an EICAR file. If you aren't familiar, an EICAR file is the standard test file for antiviruses that everything should be able to detect and send the alarms and bells and whistles all after, because hey, we've decided as a community that's the standard, this is known bad, and it's just a testing file to trigger antivirus. Let me Google "EICAR test file", here we go. All right, let's scroll down on eicar.org, go ahead and download this eicar.com. Yep, I know Edge isn't going to want to play with it; I'd say okay, let's go ahead and save this file. I'll slap it on my desktop, there we go.

If I try to open it: "Operation did not complete successfully because the file contains a virus or potentially unwanted software", and you can see Defender was like nope, not gonna let that happen. And if I refresh yet again, I believe that should be nerfed and killed and eaten by Defender soon enough. Cool, you can see the protection history, and you can see that it did block one of these previous ones. Yep, let's go see what that is, and that was a PowerShell trying to run Mimikatz just a moment ago, and our EICAR test file, obviously.

Now we want to see if we can disable or remove or kill Defender. First things first, we're going to want to boot into safe mode. We can do that super duper easily by opening up msconfig, running it in the Run dialog box. I hit the Windows key and R on my keyboard, but you could just find that, hey, through the Start menu if you want to click on some of those. That is all that you should need to do. What we'll end up doing is we're switching into the Boot tab and then we'll grab the Safe boot option and go ahead and keep Minimal as a default. You can hit Apply, hit OK, and then it says, hey, you'll need to restart your computer to apply these changes, before restarting save any files, blah blah blah. We can go ahead and restart.

Okay, I'm booted back into safe mode. While this is cruising through here, I do want to add the note: hey, I don't really think this is a viable thing that a remote threat actor could do, so I wouldn't be concerned, oh, how hackers or attackers could bypass or kill Defender with this method. Cruising into safe mode and doing some of these next shenanigans, I don't think is really feasible, hey, from that targeted perspective of oh, I'm brute-forcing by RDP or I'm phishing an individual; you don't really have all that access to cruise into safe mode as you normally would being physically at or looking at the machine with your own eyes, right? I do think this is still worthwhile and something good to do for your own lab environment or your virtual sandbox where you get to practice and play and learn.

So I'm gonna hit the Windows key and R yet again so I can open up the File Explorer, and I'm going to navigate to C:\ProgramData\Microsoft; it's Windows Defender, though I can see it as a second result. Excellent. Okay, and I'm gonna go check out this Platform folder. What I want to do is I want to go ahead and right-click on this Platform folder, check out the Properties, and I'm going to open up this Security portion here and I'm going to go into the Advanced settings. Now I'm going to try and take ownership of this folder by changing the owner. Right now it is currently SYSTEM, but I'm going to go ahead and hit that Change button and type in "administrators". I'll hit Enter on that, and now it'll notice, okay, everything in my local computer (this is the hostname, DESKTOP-L31M0V1): Administrators will be the owner of this folder now. I'll go ahead and remove all of the previous owners noted here other than my own Administrators group, and I'm going to hit this "Replace all child object permission entries with inheritable permission entries from this object", and I can go ahead and change the owner to be kind of recursive down: "Replace owner on all subcontainers and objects" within this directory. If I go ahead and click Apply, there we go: "This will replace explicitly defined permissions on all descendants of the object. Do you want to continue?" Yes, I do. "You have just taken ownership of the object. You'll need to reopen the object properties before you can view or change permissions." So we'll go ahead and click OK, I'll hit OK once more to close out of that, and just to verify, I will double-check these properties here, moving to the Security tab, and if I check out the Advanced, it looks like it is still owned by myself, the Administrators; TrustedInstaller has been removed and we can bounce out of here.

Now the article suggests one other alternative method to try and remove Defender within Windows 11 and modern versions of Windows operating systems, and that is cruising through the registry. We can do the very, very same. I think it's good to just do that while we're here in safe mode, because hey, we got the power. So since we are in safe mode, I will hit Windows key and R yet again to open up the Run dialog box, and I'll open the Windows Registry Editor, and here I will navigate into HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, and you'll want to go through and change some of these to have their Start value set to a unique specific DWORD, or 32-bit, value. We need Sense, there it is; change that Start value to the number four, hit OK on that. Let's do the same with WdBoot, Windows Defender here, changing that to a four. I need WdFilter, I need WdNisDrv, WdNisSvc just beneath it, and finally WinDefend down here. With that we should be all set: the registry changes have been made, we have taken ownership of it, okay.

And now that that is all set, I'm going to open up msconfig one more time with Windows key and R, and we can go ahead and change this back for the boot settings: do not use safe mode or Safe boot, because we want to get back to a regular full desktop environment. It says, hey, you need to restart your computer to apply these changes. Yep, totally cool, we do want to go ahead and restart.

Okay, now that we are booted up and logged back in, we should be able to go ahead and check out our virus and security center here, the threat protection portion here, and this notion of our real-time protection is just kind of dead. It's got this "Getting protection info" infinite loop here; it's going to try to load, but it never particularly will, because we've nerfed it out inside of safe mode. And I'll show that to you super duper quick: if I actually open up PowerShell, I'll zoom in on this, if I try to Invoke-Mimikatz, something that would regularly trigger AMSI, or that Anti-Malware Scan Interface, normally you get the message (oh, you probably saw it before), hey, this contains unwanted or malicious software.

However, now it's just going to tell us, hey, that's not recognized as the name of a cmdlet, function, or a path; you probably are not doing what you wanted to, because, how you think, you're making a mistake, it's a command not found, right? But that means that Defender didn't try and snarf it, it didn't eat it, because Defender is dead; we've nerfed it and we've killed it. If we wanted to, we can go grab an EICAR file. Let me grab an EICAR test file, there we go, we can go ahead and download this one here, here it is on eicar.org, we'll go ahead and grab this eicar.com, and okay, Edge is actually whining about it; hey, just do it anyway. There we go, here is our standard EICAR file. I'm just going to slap this on the desktop. It looks like no issues whatsoever, we're able to download that. Obviously we can't particularly run it because it's not legitimate, you know, but our antivirus did not trigger on it. Windows Defender has been put to bed and we no longer have to worry about them.

With that, we have killed and removed Windows Defender and it is not in our way for our own testing or sandbox environment, where you or I or we might go ahead and do some pen testing, red teaming, playing with offensive security, looking through vulnerabilities and exploits. This is something that I tend to do on all of my virtual machines that I know I'm going to be doing some of that shady stuff on. I'll just create this process and mark it as a snapshot so I can always get back to it, alongside my VMware Tools or tools that I've wanted to install. If I know I'm going to be up to that stuff, hey, I'll kill Defender and leave it as a checkpoint that I can revert back to. Thanks so much for watching, everybody, I hope you enjoyed this video. Hey, please go check out the article and give the original creator Rudy some love, but if you want to support this channel, you know, like, comment, subscribe, etc. Thanks so much, everybody, I'll see you in the next one.
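Added example (PowerShell written for this page, not code from the video or from lazyadmin.nl): an audit script a defender or lab owner can run from an elevated prompt to detect the two changes the walkthrough makes, the Start values of the six Defender services and the ownership of the Platform folder, and to cross-check against what Defender itself reports. It assumes the untampered owner of the Platform folder is SYSTEM or TrustedInstaller, as the transcript indicates before the change.

```powershell
# Added audit script (not from the video). Run from an elevated PowerShell.

# Services named in the transcript. Start=2 is automatic, 3 manual,
# 0/1 are boot/system drivers, 4 means disabled.
$services = 'Sense', 'WdBoot', 'WdFilter', 'WdNisDrv', 'WdNisSvc', 'WinDefend'
$base     = 'HKLM:\SYSTEM\CurrentControlSet\Services'

foreach ($svc in $services) {
    $key = Join-Path $base $svc
    if (-not (Test-Path $key)) {
        Write-Warning "$svc`: service key missing"
        continue
    }
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) {
        Write-Warning "$svc`: Start=4 (disabled), matches the manual registry change above"
    } else {
        Write-Output "$svc`: Start=$start"
    }
}

# Ownership check. Assumption: the Platform folder is normally owned by SYSTEM
# or TrustedInstaller; the walkthrough reassigns it to Administrators.
$platform = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
if (Test-Path $platform) {
    $owner    = (Get-Acl -Path $platform).Owner
    $expected = @('NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller')
    if ($expected -contains $owner) {
        Write-Output "Platform folder owner: $owner (expected)"
    } else {
        Write-Warning "Platform folder owner is '$owner', ownership has been changed"
    }
} else {
    Write-Warning "Platform folder not found at $platform"
}

# Cross-check with Defender's own status. Get-MpComputerStatus is part of the
# built-in Defender module and fails when the WinDefend service is not running,
# which is itself a signal worth alerting on.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
    Write-Output ("Real-time protection enabled: {0}; AM service enabled: {1}" -f
        $status.RealTimeProtectionEnabled, $status.AMServiceEnabled)
} catch {
    Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)"
}
```

Run it once on a clean snapshot to record the baseline Start values, then compare after any change; on a fleet the same checks map directly onto a registry and ACL monitoring rule.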
Info
Channel: John Hammond
Views: 102,042
Keywords: cybersecurity, learn, programming, coding, capture the flag, ctf, malware, analysis, dark web, how to learn cybersecurity, beginners
Id: 81l__vvGnjA
Length: 10min 55sec (655 seconds)
Published: Thu Aug 18 2022