From 42acf75b82aac5d77594ba36362eff436a09d629 Mon Sep 17 00:00:00 2001 From: undergroundwires Date: Thu, 22 Aug 2024 10:46:34 +0200 Subject: [PATCH] win: fix Defender service $128, $385, $393 This commit adds missing Defender services not being disabled and adds disabling of Defender processes that these services run. - Add missing documentation for services - Add disabling of missing Defender services/drivers. - Add disabling of processes of the services for more aggresive disabling. - Add soft-deleting of service files as TrustedInstaller. TODO: Add other updates from `defenderprocess` branch --- src/application/collections/windows.yaml | 264 ++++++++++++++++++----- 1 file changed, 214 insertions(+), 50 deletions(-) diff --git a/src/application/collections/windows.yaml b/src/application/collections/windows.yaml index 7137da73..e16b79f9 100644 --- a/src/application/collections/windows.yaml +++ b/src/application/collections/windows.yaml @@ -16278,17 +16278,6 @@ actions: dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable always running antimalware service - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ServiceKeepAlive - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender - valueName: ServiceKeepAlive - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) # - # Too good to disable # category: Disable Microsoft Defender "Device Guard" and "Credential Guard" # docs: https://techcommunity.microsoft.com/t5/iis-support-blog/windows-10-device-guard-and-credential-guard-demystified/ba-p/376419 
@@ -17407,13 +17396,138 @@ actions: # 3. Try `DisableServiceInRegistry` with `elevateToTrustedInstaller` option as last effort. children: - - name: Disable "Microsoft Defender Antivirus Service" - # ❗️ Breaks `Set-MpPreference` PowerShell cmdlet that helps to manage Defender - # E.g. `Set-MpPreference -Force -MAPSReporting 0` throws: - # `Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference.` - # `Target: MAPS_MAPSReporting. FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference` + name: Disable always running antimalware service docs: |- - https://web.archive.org/web/20240314091238/https://batcmd.com/windows/10/services/windefend/ + https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ServiceKeepAlive + # TODO: revise, research done + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender + valueName: ServiceKeepAlive # TODO: Is this settin the opposito value?, yes it is, fix it https://github.com/undergroundwires/privacy.sexy/issues/393 + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable fast service startup + docs: |- + TODO: Add docs + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender + valueName: AllowFastServiceStartup + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable Defender automatic service Launch + docs: |- # TODO: revise, research done + `0` means its turned off [1]. + `1` means Microsoft Defender Antivirus doesn't start [2] + + Online guides usually recommend setting it to `1` [5] [6]. + + Usual default state seams to be `1`. + + It's read by `MpSvc.dll` [3] and `MpClient.dll` [4]. + It means they relate to Defender Antivirus. 
+ + Running another third-party antivirus causes Windows to set the sate to `0` [7]. + Once the antivirus id sisabled, its set back to `1` [7]. + This shows that this gets value `0` once Defender is disabled, because Defender disables + itself when a third-party AV is installed [7]. + + According to tests on fresh installation, this key was missing on fresh installation of Windows + 11 23H2 Pro, but it's missing on Windows 10 22H2 pro. + + [1]: https://www.windowsphoneinfo.com/threads/windows-defender-randomly-turning-off-sometimes.383757/ + [2]: https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating + [3]: https://github.com/WinDLLsExports/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpSvc.dll.strings#L7793 + [4]: https://github.com/WinDLLsExports/10_0_22000_1165/blob/92680a67167c80bd9f2c8e58bd304b801a18860d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762/MpClient.dll.strings#L2871 + [5]: https://www.ubackup.com/windows-11/turn-off-windows-defender-windows-11.html + [6]: https://www.alphr.com/disable-windows-defender-windows-11/ + [7]: https://www.bleepingcomputer.com/forums/t/770901/defender-detects-but-cant-clean-trojano97mmountsicml/?p=5354622 + [8]: https://support.microsoft.com/en-us/windows/turn-off-defender-antivirus-protection-in-windows-security-99e6004f-c54c-8509-773c-a4d776b77960 + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender + valueName: ServiceStartStates + dataType: REG_DWORD + data: '0' # TODO :Many guides tell this, but doesn't `0` make more sense? + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # TODO: Is TrustedInstaller needed? 
+ - + name: Disable Defender running state + docs: |- # TODO: revise, research done + `1` means Microsoft Defender Antivirus doesn't start [1]. + Says oppposite `1` means running [2] [3] + + It restarts when defender updates [4] + + This script sets current state of the service as not running to ensure + stuff depending on it do not run. + + Its read by `MpClient.dll` [5] and `MpSvc.dll` [7]. + It means they relate to Defender Antivirus. + + Windows deletes this key during shut-down or it causes false-positIve dirty shutdown [8]. + A **dirty shutdown** is when a computer system is shut down without going through the proper + shutdown process [6]. + + According to tests on fresh installation, this key had value of `1` by default on Windows + 11 23H2 Pro, but it's missing on Windows 10 22H2 pro. + + [1]: https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating + [2]: https://answers.microsoft.com/en-us/windows/forum/all/windows-defender/38f15492-0a80-4ecc-bf59-946ae6f0b591 + [3]: https://answers.microsoft.com/en-us/windows/forum/all/offline-scan-done-event-log-shows-a-problem/06615685-255e-49e5-9541-0c0d0dff1cfa + [4]: https://malwaretips.com/threads/configuredefender-utility-for-windows-10-11.79039/page-44 + [5]: https://github.com/WinDLLsExports/10_0_22623_1020/blob/0225ce2c6d74641e63613c0a57c5c6ebea2df4d8/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpClient.dll.strings#L3499 + [6]: https://learn.microsoft.com/en-us/troubleshoot/windows-client/performance/event-id-41-restart + [7]: https://github.com/WinDLLsExports/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpSvc.dll.strings#L7837 + [8]: 
https://github.com/WinDLLsExports/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpSvc.dll.strings#L7852 + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender + valueName: IsServiceRunning + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # TODO: Is TrustedInstaller needed? + - + name: >- + Disable "Microsoft Defender Antivirus Service" + (breaks `Set-MpPreference` cmdlet) + docs: |- + This script disables the "Microsoft Defender Antivirus Service" and its associated process (`MsMpEng.exe`). + + This service is known both as "Microsoft Defender Antivirus Service" [1] [2] and "Windows Defender Service" [2]. + It is the primary component of Microsoft Defender Antivirus [2], essential for its functionality [1] [3]. + It runs the `MsMpEng.exe` executable [4] [5]. + This executable is also known as "Microsoft Defender Antivirus service executable" [6] or "Antimalware Service Executable" [1]. + The executable is located at `%PROGRAMFILES%\Windows Defender` [4] [5] [6] on modern Windows versions + and at `%PROGRAMFILES%\Microsoft Security Client` on older versions [6]. + It is crucial for the functionality of Microsoft Defender for Endpoint [6]. + + Disabling this service interrupts the `Set-MpPreference` PowerShell cmdlet. + This cmdlet configures preferences for Windows Defender scans and updates [7]. + Attempting to use this cmdlet after disabling the service results in an error. + Here is an example: + + ``` + $ Set-MpPreference -Force -MAPSReporting 0 + + Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference. + Target: MAPS_MAPSReporting. FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference. 
+ ``` + + Disabling this service may optimize system performance by reducing resource usage. + + > **Caution:** Disabling this service: + > - May impair your ability to configure Defender scans and updates using PowerShell. + > - Decreases your security by affecting real-time malware protection. ### Overview of default service statuses 
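Review bot: The `IsServiceRunning` entry's revert contradicts its own docs: the docs state the value is `1` by default on Windows 11 23H2, yet `deleteOnRevert: 'true'` carries the "Missing by default" comment copied from the other entries, so a revert deletes a value that was present instead of restoring `1`. The `ServiceStartStates` entry is likewise inconsistent as written (the docs say `0` means off while `1` means Defender doesn't start, and the `data: '0'` comment asks whether `0` makes more sense), the `ServiceKeepAlive` valueName comment admits the written value is the opposite of the intent, and "Disable fast service startup" ships with `docs: |- TODO: Add docs`; entries still tagged `# TODO: revise` should stay commented out until the research is settled rather than be emitted into the generated script. Minor wording: "this key was missing on fresh installation of Windows 11 23H2 Pro, but it's missing on Windows 10 22H2 pro" contradicts itself, and `oppposite`, `sisabled`, `sate`, `seams`, `Its read` are typos. The `children:` sequence holding these entries begins before the hunk.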
@@ -17421,6 +17535,14 @@ actions: | ---------- | -------| ---------- | | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | | Windows 11 (≥ 23H2) | 🟢 Running | Automatic | + + [1]: https://web.archive.org/web/20240609145624/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows Overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240609150337/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-worldwide "Microsoft Defender Antivirus on Windows Server - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240609145030/https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide "Troubleshoot Microsoft Defender for Endpoint onboarding issues - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240314091238/https://batcmd.com/windows/10/services/windefend/ "Microsoft Defender Antivirus Service - Windows 10 Service - batcmd.com | batcmd.com" + [5]: https://web.archive.org/web/20240609144111/https://batcmd.com/windows/11/services/windefend/ "Microsoft Defender Antivirus Service - Windows 11 Service - batcmd.com | batcmd.com" + [6]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [7]: https://web.archive.org/web/20240609150331/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com" call: - # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistry` with 
`elevateToTrustedInstaller` @@ -17430,15 +17552,26 @@ actions: serviceName: WinDefend # Check: (Get-Service -Name 'WinDefend').StartType defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual elevateToTrustedInstaller: 'true' - # - # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2 - # function: SoftDeleteFiles - # parameters: - # fileGlob: '%PROGRAMFILES%\Windows Defender\MsMpEng.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... - # grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + # - + # fileGlob: '%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MsMpEng.exe' + # TODO: Above does not exist on W11 23H2, exists on w10? + - + function: SoftDeleteFiles + parameters: + fileGlob: '%PROGRAMFILES%\Windows Defender\MsMpEng.exe' # TODO: Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... + # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + # grantPermissions: false # ❌ Does not work on Windows 10 22H2 and Windows 11 22H2 + elevateToTrustedInstaller: 'true' # ✅ Works on Windows 11 23H2 | TODO: Did not test on Windows 10 22H2 + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MsMpEng.exe - category: Disable Defender kernel-level drivers children: - # - Skipping wdnsfltr ("Windows Defender Network Stream Filter Driver") as it's Windows 1709 only + # Exclusions: + # - `wdnsfltr`: + # ("Windows Defender Network Stream Filter Driver") as it's Windows 1709 only - name: Disable "Microsoft Defender Antivirus Network Inspection System Driver" service docs: |- 
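Review bot: The removed `# Windows 10 (22H2): ❌ DisableService | ❌ DisableServiceInRegistry | ✅ DisableServiceInRegistry with elevateToTrustedInstaller` comment was the only record of which variant was tested on which OS for the WinDefend call, and no replacement is visible in this hunk; unless it is kept in the lines between this hunk and the next, the test matrix is lost while the new `wscsvc` entry later in the patch still documents its own matrix in that form. Keep the comment above the call, or fold the per-OS result into the docs' "Overview of default service statuses" table so the `call:` block stays consistent with the other services.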
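Review bot: The new `SoftDeleteFiles` step for `MsMpEng.exe` is enabled while its own comment says `TODO: Did not test on Windows 10 22H2`, and the `# - # fileGlob: '%PROGRAMDATA%\...\Platform\*\MsMpEng.exe'` fragment above it is a commented-out list item with no `function:` key, so it cannot simply be uncommented later; the same applies to the `NisSrv.exe` step in the next hunk. Either record the Windows 10 result before enabling the step or keep the whole step commented as it was, and turn the fragment into a full commented entry (or a single `# TODO` line) so it reads as a deferred item rather than a broken one. The commented `# grantPermissions: false` also uses a bare boolean where the rest of the file writes `'true'`/`'false'` as quoted strings. The `Exclusions:` comment for the driver category reads better as `# - wdnsfltr ("Windows Defender Network Stream Filter Driver"): Windows 1709 only`.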
@@ -17544,11 +17677,16 @@ actions: serviceName: WdNisSvc # Check: (Get-Service -Name 'WdNisSvc').StartType defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual elevateToTrustedInstaller: 'true' - # - # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2 - # function: SoftDeleteFiles - # parameters: - # fileGlob: '%PROGRAMFILES%\Windows Defender\NisSrv.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... - # grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + # - + # fileGlob: '%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\NisSrv.exe' + # TODO: Above does not exist on W11 23H2, exists on w10? + - + function: SoftDeleteFiles + parameters: + fileGlob: '%PROGRAMFILES%\Windows Defender\NisSrv.exe' + # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + elevateToTrustedInstaller: 'true' # ✅ Works on Windows 11 23H2 | TODO: Did not test on Windows 10 22H2 + # grantPermissions: false # ❌ Does not work on Windows 10 22H2 and Windows 11 22H2 - name: Disable Microsoft Defender Core Service docs: |- 
@@ -17606,14 +17744,13 @@ actions: # It requires computer restart as it cannot terminate the process but can prevent its future execution. parameters: executableNameWithExtension: MpDefenderCoreService.exe - # - - # Commented out because it does not work due to permission errors. - # # Marked: SoftDeleteFilesAsTrustedInstaller - # # Something like SoftDeleteFiles | RunAsTrustedInstaller would solve the issue. - # function: SoftDeleteFiles - # parameters: - # fileGlob: '%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MpDefenderCoreService.exe' - # grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + - + function: SoftDeleteFiles # TODO: Test, update comment + parameters: + fileGlob: '%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MpDefenderCoreService.exe' + # TODO: Does not exist in W11 23H2, exists on W10? + # grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + elevateToTrustedInstaller: 'true' - function: ShowComputerRestartSuggestion - 
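Review bot: The `MpDefenderCoreService.exe` soft-delete is enabled with `elevateToTrustedInstaller: 'true'` while the function line still says `# TODO: Test, update comment` and the glob comment says the file does not exist under `%PROGRAMDATA%\...\Platform\*\` on Windows 11 23H2, which is the only platform this commit reports the TrustedInstaller path as working on. If `IterateGlob` treats an empty match as a failure rather than a no-op (its body is outside this hunk), the step would error on 23H2; confirm that and record the Windows 10 result before shipping it. The earlier comment explaining why the step was disabled ("does not work due to permission errors") is dropped, so a one-line note such as `# Soft-deletes as TrustedInstaller; grantPermissions alone fails on protected files (W10 22H2 / W11 23H2)` would preserve that history.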
@@ -19155,6 +19292,33 @@ actions: parameters: fileGlob: '%WINDIR%\System32\SecurityHealthService.exe' grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SecurityHealthService.exe + - + name: Disable "Windows Security Service" service libraries # TODO: + code: |- + del /f "\SecurityHealthCore.dll" + del /f "\SecurityHealthSsoUdk.dll" + del /f "\SecurityHealthUdk.dll" + - + name: Disable "Windows Security Center" service + docs: |- # TODO: Add doc + https://batcmd.com/windows/11/services/wscsvc/ + call: + - + # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (23H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + function: DisableServiceInRegistry # TODO: not tested + parameters: + serviceName: wscsvc # Check: (Get-Service -Name 'wscsvc').StartType + defaultStartupMode: Automatic # Alowed values: Boot | System | Automatic | Manual + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\System32\wscsvc.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 - category: Disable Defender user interface children: 
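Review bot: The new `Disable "Windows Security Service" service libraries` entry emits `del /f "\SecurityHealthCore.dll"` with a root-relative path and no directory, so it cannot find the file, and it has no `revertCode`, so it is a hard delete that breaks the soft-delete (`.OLD` rename) convention every other file step in this file follows; it should be a `SoftDeleteFiles` call with a resolvable `%WINDIR%`-based glob, or stay out of the patch until the paths are known. The `wscsvc` entry is also inconsistent with its own comment: the matrix says `DisableServiceInRegistry` is ❌ on Windows 11 23H2 and only the TrustedInstaller variant works, yet the call uses `DisableServiceInRegistry` with no `elevateToTrustedInstaller` and is marked `# TODO: not tested`. Its `SoftDeleteFiles` step relies on `grantPermissions: 'true'` on a file the comment marks as protected since 23H2, which this same commit reports as not working for the Defender executables; confirm it behaves differently for `wscsvc.dll`. Minor: `Alowed values` → `Allowed values`, and `docs: |- # TODO: Add doc` currently holds only a bare URL.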
@@ -29861,13 +30025,7 @@ functions: # Renames files matching a given glob pattern by appending a `.OLD` extension, effectively "soft deleting" them. # It does not touch any of the folders. # This allows for easier restoration and less immediate disruption compared to permanent deletion. - # 🤓 Implementation: - # 1. (with `grantPermissions`:) Elevate script privileges. - # 2. Iterate every file in the given directory, and for each file: - # - (with `grantPermissions`:) Grant permissions to file to be able to modify it. - # - Rename the file. - # - (with `grantPermissions`:) Restore permissions of the file to its original state - # 3. (with `grantPermissions`:) Remove elevated script privileges. + # Try `grantPermissions` to elevate privileges first then `elevateToTrustedInstaller` as last effort. parameters: - name: fileGlob - name: grantPermissions # Grants permission on the files found, and restores original permissions after modification. 
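Review bot: The replacement header line `# Try grantPermissions to elevate privileges first then elevateToTrustedInstaller as last effort.` drops the only description of what `grantPermissions` actually does (grant, rename, restore original permissions, then drop the elevated privileges) and also misdescribes it, since the parameter comment two lines below says it grants permission on the files, not that it elevates the script. Keep the removed implementation steps, adding a fourth bullet for `elevateToTrustedInstaller`, and phrase the guidance as `# Prefer grantPermissions; use elevateToTrustedInstaller only when the files are protected and permission grants fail.`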
@@ -29876,21 +30034,24 @@ functions: optional: true - name: beforeIteration # (Iteration callback) Code to run before iteration. optional: true + - name: elevateToTrustedInstaller # See `RunPowerShellWithOptionalElevation` + optional: true call: - function: Comment parameters: codeComment: >- - Soft delete files matching pattern - {{ with $grantPermissions }}(with additional permissions){{ end }} - : "{{ $fileGlob }}" + Soft delete files matching pattern: "{{ $fileGlob }}" + {{ with $grantPermissions }}with additional permissions{{ end }} + {{ with $elevateToTrustedInstaller }}as TrustedInstaller{{ end }} revertCodeComment: >- - Restore files matching pattern - {{ with $grantPermissions }}(with additional permissions){{ end }} - : "{{ $fileGlob }}" + Restore files matching pattern: "{{ $fileGlob }}" + {{ with $grantPermissions }}with additional permissions{{ end }} + {{ with $elevateToTrustedInstaller }}as TrustedInstaller{{ end }} - function: IterateGlob parameters: + elevateToTrustedInstaller: '{{ with $elevateToTrustedInstaller }}true{{ end }}' pathGlob: '{{ $fileGlob }}' revertPathGlob: '{{ $fileGlob }}.OLD' recurse: '{{ with $recurse }}{{ . }}{{ end }}' @@ -30996,9 +31157,12 @@ functions: optional: true - name: recurse # If set, includes all files and directories recursively. optional: true + - name: elevateToTrustedInstaller # See `RunPowerShellWithOptionalElevation` + optional: true call: - function: RunPowerShell + function: RunPowerShellWithOptionalElevation parameters: + elevateToTrustedInstaller: '{{ with $elevateToTrustedInstaller }}true{{ end }}' code: |- $pathGlobPattern = "{{ $pathGlob }}" $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern)
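Review bot: `SoftDeleteFiles` now forwards `grantPermissions` and `elevateToTrustedInstaller` independently to `IterateGlob`, so nothing documents or enforces what happens when a caller sets both, even though the function header describes them as a first attempt and a last effort. Add a comment on the new parameter such as `# May be combined with grantPermissions; the permission grant then runs inside the elevated session` if that is the intended behaviour, or state that the two are meant to be exclusive. The folded `codeComment` also yields a double space when either `{{ with }}` block expands to nothing, which `>-` does not collapse.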
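Review bot: `IterateGlob` passes `'{{ with $elevateToTrustedInstaller }}true{{ end }}'` to `RunPowerShellWithOptionalElevation`, which is an empty string rather than an omitted parameter when the caller did not set it; this is only correct if that function treats empty as "not elevated", which is not visible here and should be confirmed or noted next to the line. The function's own header comment, outside this hunk, should mention that the whole glob iteration (including any permission changes) now runs under the elevated session when the flag is set, since callers of `SoftDeleteFiles` cannot see that from the parameter list.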