收藏本站 |切换到宽版 | 更换论坛皮肤
 找回密码  忘记邮箱  QQ快速登录  快速登录  快速注册

卡饭»论坛 安全区 国外杀毒软件 Microsoft Defender(MSE) windows defender的自我保护
123下一页
返回列表 发新帖
查看: 1920|回复: 27
收起左侧

[技术探讨] windows defender的自我保护

[复制链接]
喀反
发表于 2024-3-19 19:58:46 | 显示全部楼层 |阅读模式
虽然已经4202年了,WD的自保应该已经"无懈可击"了吧?但事实并非我想象的那样,前天在吾爱找到一个能关闭/删除 WD的工具,正常联网情况下肯定被WD落地杀,但只要断网,甚至不用添加排除项,直接运行工具软件,直接可以删除WD包括安全中心,WD全程没任何反应(开了HVCI),就离谱也让我再次对WD的自保产生了怀疑
工具原地址

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
回复

举报

GDHJDSYDH
发表于 2024-3-20 11:24:02 | 显示全部楼层
@ANY.LNK
回复

举报

驭龙
发表于 2024-3-20 13:50:45 | 显示全部楼层
原本我想分析一下是利用系统哪个东西干掉MD的,结果被诺顿ADVML.C干掉了,现在拉黑为Trojan gen mbt,放弃测试了,懒得关闭诺顿来分析
回复

举报

klub
发表于 2024-3-20 17:47:36 来自手机 | 显示全部楼层
@ANY.LNK
回复

举报

喀反
 楼主| 发表于 2024-3-20 20:48:10 | 显示全部楼层
驭龙 发表于 2024-3-20 13:50
原本我想分析一下是利用系统哪个东西干掉MD的,结果被诺顿ADVML.C干掉了,现在拉黑为Trojan gen mbt,放弃 ...

这款工具挺厉害,以前测试过的工具就算断网,运行后还是被WD拦截的,这个全程畅通无阻
回复

举报

驭龙
发表于 2024-3-20 20:58:05 | 显示全部楼层
喀反 发表于 2024-3-20 20:48
这款工具挺厉害,以前测试过的工具就算断网,运行后还是被WD拦截的,这个全程畅通无阻

看你截图,应该是调用系统的功能砍掉MD的,不然不会出现这个情况

评分

参与人数 1人气 +1 收起 理由
喀反 + 1 感谢解答: )

查看全部评分

回复

举报

yfdyh000
发表于 2024-3-22 06:24:06 | 显示全部楼层
落地、扫描都不杀,这是合法的系统工具吧,开源的。

https://github.com/ionuttbara/wi ... oveSecHealthApp.ps1  中调用dism等系统命令删的组件。合法操作。

评分

参与人数 1人气 +1 收起 理由
喀反 + 1 感谢解答: )

查看全部评分

回复

举报

ANY.LNK
发表于 2024-3-23 23:47:55 | 显示全部楼层
yfdyh000 发表于 2024-3-22 06:24
落地、扫描都不杀,这是合法的系统工具吧,开源的。

https://github.com/ionuttbara/windows-defender-r ...

理论上来说微软并不认为调用DISM删除Defender是合法的,之前试过,即使断网情况下用Dism操作也会被拦截(开实时保护的情况下)

目前还不明确为何这个工具能够绕过,我一会儿试试
回复

举报

DisaPDB
发表于 2024-3-24 00:15:02 | 显示全部楼层
看了一眼
  1. Windows Registry Editor Version 5.00

  3. ; Enforce Disabling of Windows Defender Antivirus Policy

  5. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowIOAVProtection]
  6. "value"=dword:00000000

  8. [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
  9. "PUAProtection"=dword:00000000
  10. "DisableRoutinelyTakingAction"=dword:00000001
  11. "ServiceKeepAlive"=dword:00000000
  12. "AllowFastServiceStartup"=dword:00000000
  13. "DisableLocalAdminMerge"=dword:00000001
  14. "DisableAntiSpyware"=dword:00000001
  15. "RandomizeScheduleTaskTimes"=dword:00000000

  17. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowArchiveScanning]
  18. "value"=dword:00000000

  20. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowBehaviorMonitoring]
  21. "value"=dword:00000000

  23. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowCloudProtection]
  24. "value"=dword:00000000

  26. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowEmailScanning]
  27. "value"=dword:00000000

  29. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowFullScanOnMappedNetworkDrives]
  30. "value"=dword:00000000

  32. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowFullScanRemovableDriveScanning]
  33. "value"=dword:00000000

  35. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowIntrusionPreventionSystem]
  36. "value"=dword:00000000

  38. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowOnAccessProtection]
  39. "value"=dword:00000000

  41. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowRealtimeMonitoring]
  42. "value"=dword:00000000

  44. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowScanningNetworkFiles]
  45. "value"=dword:00000000

  47. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowScriptScanning]
  48. "value"=dword:00000001

  50. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AllowUserUIAccess]
  51. "value"=dword:00000000

  53. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\AvgCPULoadFactor]
  54. "value"=dword:00000032

  56. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\CheckForSignaturesBeforeRunningScan]
  57. "value"=dword:00000000

  59. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\CloudBlockLevel]
  60. "value"=dword:00000000

  62. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\CloudExtendedTimeout]
  63. "value"=dword:00000000

  65. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\DaysToRetainCleanedMalware]
  66. "value"=dword:00000000

  68. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\DisableCatchupFullScan]
  69. "value"=dword:00000001

  71. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\DisableCatchupQuickScan]
  72. "value"=dword:00000001

  74. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\EnableControlledFolderAccess]
  75. "value"=dword:00000000

  77. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\EnableLowCPUPriority]
  78. "value"=dword:00000001

  80. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\EnableNetworkProtection]
  81. "value"=dword:00000000

  83. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\PUAProtection]
  84. "value"=dword:00000000

  86. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\RealTimeScanDirection]
  87. "value"=dword:00000000

  89. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\ScanParameter]
  90. "value"=dword:00000002

  92. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\ScheduleScanDay]
  93. "value"=dword:00000000

  95. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\ScheduleScanTime]
  96. "value"=dword:00000000

  98. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\SignatureUpdateInterval]
  99. "value"=dword:000000018

  101. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Defender\SubmitSamplesConsent]
  102. "value"=dword:00000000

  104. [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions]
  105. "DisableAutoExclusions"=dword:00000001

  107. [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine]
  108. "MpEnablePus"=dword:00000000
  109. "MpCloudBlockLevel"=dword:00000000
  110. "MpBafsExtendedTimeout"=dword:00000000
  111. "EnableFileHashComputation"=dword:00000000

  113. [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS]
  114. "ThrottleDetectionEventsRate"=dword:00000000
  115. "DisableSignatureRetirement"=dword:00000001
  116. "DisableProtocolRecognition"=dword:00000001

  118. [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager]
  119. "DisableScanningNetworkFiles"=dword:00000001

  121. [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
  122. "DisableRealtimeMonitoring"=dword:00000001
  123. "DisableBehaviorMonitoring"=dword:00000001
  124. "DisableOnAccessProtection"=dword:00000001
  125. "DisableScanOnRealtimeEnable"=dword:00000001
  126. "DisableIOAVProtection"=dword:00000001
  127. "LocalSettingOverrideDisableOnAccessProtection"=dword:00000000
  128. "LocalSettingOverrideRealtimeScanDirection"=dword:00000000
  129. "LocalSettingOverrideDisableIOAVProtection"=dword:00000000
  130. "LocalSettingOverrideDisableBehaviorMonitoring"=dword:00000000
  131. "LocalSettingOverrideDisableIntrusionPreventionSystem"=dword:00000000
  132. "LocalSettingOverrideDisableRealtimeMonitoring"=dword:00000000
  133. "RealtimeScanDirection"=dword:00000002
  134. "IOAVMaxSize"=dword:00000512
  135. "DisableInformationProtectionControl"=dword:00000001
  136. "DisableIntrusionPreventionSystem"=dword:00000001
  137. "DisableRawWriteNotification"=dword:00000001

  139. [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan]
  140. "LowCpuPriority"=dword:00000001
  141. "DisableRestorePoint"=dword:00000001
  142. "DisableArchiveScanning"=dword:00000000
  143. "DisableScanningNetworkFiles"=dword:00000000
  144. "DisableCatchupFullScan"=dword:00000000
  145. "DisableCatchupQuickScan"=dword:00000001
  146. "DisableEmailScanning"=dword:00000000
  147. "DisableHeuristics"=dword:00000001
  148. "DisableReparsePointScanning"=dword:00000001

  150. [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates]
  151. "SignatureDisableNotification"=dword:00000001
  152. "RealtimeSignatureDelivery"=dword:00000000
  153. "ForceUpdateFromMU"=dword:00000000
  154. "DisableScheduledSignatureUpdateOnBattery"=dword:00000001
  155. "UpdateOnStartUp"=dword:00000000
  156. "SignatureUpdateCatchupInterval"=dword:00000002
  157. "DisableUpdateOnStartupWithoutEngine"=dword:00000001
  158. "ScheduleTime"=dword:00001440
  159. "DisableScanOnUpdate"=dword:00000001

  161. [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
  162. "DisableBlockAtFirstSeen"=dword:00000001
  163. "LocalSettingOverrideSpynetReporting"=dword:00000000
  164. "SpynetReporting"=dword:00000000
  165. "SubmitSamplesConsent"=dword:00000002

  167. [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration]
  168. "SuppressRebootNotification"=dword:00000001

  170. [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access]
  171. "EnableControlledFolderAccess"=dword:00000000

  173. [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection]
  174. "EnableNetworkProtection"=dword:00000000

  176. [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender]
  177. "DisableRoutinelyTakingAction"=dword:00000001

  179. [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware]
  180. "ServiceKeepAlive"=dword:00000000
  181. "AllowFastServiceStartup"=dword:00000000
  182. "DisableRoutinelyTakingAction"=dword:00000001
  183. "DisableAntiSpyware"=dword:00000001
  184. "DisableAntiVirus"=dword:00000001

  186. [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\SpyNet]
  187. "SpyNetReporting"=dword:00000000
  188. "LocalSettingOverrideSpyNetReporting"=dword:00000000

  190. [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting]
  191. "DisableEnhancedNotifications"=dword:00000001
  192. "DisableGenericRePorts"=dword:00000001
  193. "WppTracingLevel"=dword:00000000
  194. "WppTracingComponents"=dword:00000000

  196. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy]
  197. "VerifiedAndReputablePolicyState"=dword:00000000
复制代码

回复

举报

ANY.LNK
发表于 2024-3-24 00:36:42 | 显示全部楼层
事实上,一直以来,篡改保护对于一般用户所能提供的防篡改功能是相当有限的,许多自保功能还得是企业版、MDE才能开启的,大部分设置只要有个管理员及以上权限就能改

评分

参与人数 1人气 +1 收起 理由
喀反 + 1 感谢解答: )

查看全部评分

回复

举报

下一页 »
123下一页
返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2024-5-3 01:24 , Processed in 0.135283 second(s), 18 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表