Method 1

1. Press Win+R to open Run, type services.msc to open Services, find the Windows Defender family of services and set their startup type to Disabled;

2. Open an administrator Command Prompt and run: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f, then restart the computer;

If you change your mind and need to re-enable Defender: press Win+R to open Run, type regedit to open the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, delete the DisableAntiSpyware value, and restart the computer to restore it.

 

Method 2

4 means disabled; to enable it again, change it back to 3.

 

Method 3

  1. Open Windows Security: click Start → Settings → Privacy & security → Windows Security → Open Windows Security
  2. Go to the virus & threat protection settings: choose Virus & threat protection in the left-hand menu, then click Manage settings under Virus & threat protection settings
  3. Turn off real-time protection: switch off Real-time protection and Cloud-delivered protection. When the system asks whether to allow the change, select

 

Method 4

Using the Group Policy Editor

Open the Group Policy Editor: press Win + R to open Run, type gpedit.msc, and press Enter.

Navigate to the Defender settings: go to Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus

  1. Disable Defender: in the right-hand pane find Turn off Microsoft Defender Antivirus, double-click it, set it to Enabled, then click OK
  2. Restart the computer: restart to apply the change.

 

 

Disabling Windows Defender with the Group Policy Editor

 

Warning: following these steps to disable Windows Defender is only recommended when a third-party antivirus program is running on the computer.

 

If you are running third-party antivirus software and want to disable Windows Defender, you can use the Group Policy Editor in Windows by following these steps:

 

  1. Press Windows + R on your keyboard to open the command prompt, type cmd, then click OK
  2. In the command prompt type gpedit.msc, then press Enter
  3. Confirm the UAC prompt to continue.
  4. Browse to the following path to open the Windows Defender settings: Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Defender
    (Screenshot: Windows Defender in the Local Group Policy Editor)
  5. Double-click the Windows Defender folder to open its settings and look for the Turn off Windows Defender policy setting
    (Screenshot: the Turn off Windows Defender policy in gpedit.msc)
  6. Select Enabled to enable this policy and turn off Windows Defender
    (Screenshot: enabling the Turn off Windows Defender policy in gpedit.msc)
  7. Restart the computer for the change to take effect.

 

 

Using the Registry Editor

  1. Open the Registry Editor: press Win + R to open Run, type regedit, and press Enter.
  2. Navigate to the Defender path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
  3. Add the disable value: right-click in the empty area of the right-hand pane, choose New → DWORD (32-bit) Value, name it DisableAntiSpyware, and set its value to 1
  4. Restart the computer: reboot to complete the setting.

 

Method 5

Save as a .bat batch file and run it

Note on the quoting: cmd.exe passes single quotes through to PowerShell unchanged, so powershell -command 'Set-MpPreference ...' would only evaluate a string literal and print it back; the outer quotes must be double quotes for the command to run.

```batch
REM disable
powershell -command "Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true -DisableBehaviorMonitoring $true -DisableIOAVProtection $true -DisableIntrusionPreventionSystem $true"

REM Or exclude
powershell -command "Add-MpPreference -ExclusionPath 'c:\temp' -ExclusionProcess 'c:\temp\yourstuffs.exe'"
```

 

Method 6

PowerShell

https://learn.microsoft.com/zh-tw/defender-endpoint/microsoft-defender-antivirus-using-powershell

Enabling features with PowerShell

This guide lists the Microsoft Defender Antivirus cmdlets for configuring the features you should use when evaluating its protection.

To use these cmdlets:

  1. Open an elevated PowerShell instance (choose Run as administrator).
  2. Enter the commands listed in this guide and press Enter.

You can use the Get-MpPreference PowerShell cmdlet to check the state of all settings before you begin or during the evaluation.

Microsoft Defender AV reports detections through standard Windows notifications. You can also review detections in the Microsoft Defender AV app.

The Windows event log also records detection and engine events. For a list of event IDs and their corresponding actions, see the Microsoft Defender Antivirus events article.

Cloud protection features

Standard definition updates can take hours to prepare and deliver; our cloud-based protection service delivers this protection within seconds.

For more information, see Use next-generation technologies in Microsoft Defender Antivirus through cloud-delivered protection.

Enable Microsoft Defender cloud protection for near-instant protection and increased protection
    Set-MpPreference -MAPSReporting Advanced
Automatically submit samples to increase group protection
    Set-MpPreference -SubmitSamplesConsent Always
Always use the cloud to block new malware within seconds
    Set-MpPreference -DisableBlockAtFirstSeen 0
Scan all downloaded files and attachments
    Set-MpPreference -DisableIOAVProtection 0
Set the cloud block level to "High"
    Set-MpPreference -CloudBlockLevel High
Set the cloud block timeout to 1 minute
    Set-MpPreference -CloudExtendedTimeout 50

Real-time scanning (always-on protection)

Microsoft Defender AV scans files as soon as Windows sees them and monitors running programs for known or suspicious malicious behavior. If the antivirus engine finds a malicious modification, it immediately blocks the process or file from running.

For more information on these options, see Configure behavioral, heuristic, and real-time protection.

Continuously monitor files and programs for known malware modifications
    Set-MpPreference -DisableRealtimeMonitoring 0
Continuously monitor for known malicious behavior, even in "clean" files and running programs
    Set-MpPreference -DisableBehaviorMonitoring 0
Scan scripts as soon as they are seen or run
    Set-MpPreference -DisableScriptScanning 0
Scan removable drives as soon as they are inserted or mounted
    Set-MpPreference -DisableRemovableDriveScanning 0

Potentially unwanted application protection

Potentially unwanted applications are files and applications that are not traditionally classified as malicious. They include non-Microsoft installers for common software, ad injection, and certain types of browser toolbars.

Prevent grayware, adware, and other potentially unwanted applications from installing
    Set-MpPreference -PUAProtection Enabled

Email and archive scanning

You can configure Microsoft Defender Antivirus to automatically scan certain types of email files and archive files (for example .zip files) as Windows sees them. For more information on this feature, see the Managed email scanning in Microsoft Defender article.

Scan email files and archives
    Set-MpPreference -DisableArchiveScanning 0
    Set-MpPreference -DisableEmailScanning 0

Manage product and protection updates

Generally, you receive Microsoft Defender AV updates from Windows Update once a day. However, you can increase the frequency of these updates by setting the options below, and ensure that updates are managed in System Center Configuration Manager, Group Policy, or Intune.

Update signatures every day
    Set-MpPreference -SignatureUpdateInterval
Check for signature updates before running a scheduled scan
    Set-MpPreference -CheckForSignaturesBeforeRunningScan 1

Advanced threat and exploit protection and prevention: controlled folder access

Microsoft Defender Exploit Guard provides features that help protect devices from known malicious behaviors and from attacks on vulnerable technologies.

Prevent malicious and suspicious apps (such as ransomware) from making changes to protected folders with controlled folder access
    Set-MpPreference -EnableControlledFolderAccess Enabled
Block connections to known bad IP addresses and other network connections with network protection
    Set-MpPreference -EnableNetworkProtection Enabled
Apply a standard set of mitigations with exploit protection
    Invoke-WebRequest https://demo.wd.microsoft.com/Content/ProcessMitigation.xml -OutFile ProcessMitigation.xml
    Set-ProcessMitigation -PolicyFilePath ProcessMitigation.xml
Block known malicious attack vectors with attack surface reduction
    Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-CD74-433A-B99E-2ECDC07BFC25 -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49e8-8b27-eb1d0a1ce869 -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D77406C -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids 33ddedf1-c6e0-47cb-833e-de6133960387 -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids a8f5898e-1dc8-49a9-9878-85004b8a61e6 -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Enabled

Some rules may block behavior that is acceptable in your organization. In those cases, change the rule from Enabled to Audit to prevent unwanted blocks.

Enable tamper protection

In the Microsoft Defender XDR portal (security.microsoft.com), go to Settings > Endpoints > Advanced features > Tamper protection

For more information, see How do I configure or manage tamper protection?

Check cloud protection network connectivity

Be sure to check that cloud protection network connectivity is working during your pen testing.

CMD (run as administrator)

```batch
cd "C:\Program Files\Windows Defender"
MpCmdRun.exe -ValidateMapsConnection
```

For more information, see Use the cmdline tool to validate cloud-delivered protection.

Microsoft Defender Offline scan

Microsoft Defender Offline scan is a special tool included with Windows 10 and later that lets you boot the machine into a dedicated environment outside the normal operating system. It is especially useful against strong malware such as rootkits.

For more information on how this feature works, see Microsoft Defender Offline.

Ensure notifications allow you to boot the PC into a specialized malware removal environment
    Set-MpPreference -UILockdown 0

 

Save as a .ps1 file and run it in PowerShell

```powershell
<#
## IMPORTANT!! ##
#################

######
1. Boot in Safe Mode
2. Disable Windows Update
3. Run powershell as admin
4. Set-ExecutionPolicy RemoteSigned
5. Place script in C:\ and run it

Windows 10/11:
C:\Program Files\Windows Defender - This folder contains the executables and other files for Windows Defender.
C:\ProgramData\Microsoft\Windows Defender - This folder contains data and configuration files for Windows Defender
C:\Windows\System32\drivers\wd\ - This folder contains the Windows Defender driver files.
#>

# Check if user is in Virtual Machine, if not exit
$check_vm = $false
Write-Host "Checking if user is in Virtual Machine." -ForegroundColor Yellow
# Get the computer's model
$computerModel = (Get-WmiObject -Class Win32_ComputerSystem).Model
# Check if the model includes the substring "virtual"
if ($computerModel -like "*virtual*") {
    Write-Host "This machine is a virtual machine. Will continue." -ForegroundColor Green
    $check_vm = $true
}
else {
    Write-Host "This machine is not a virtual machine. Will exit NOW." -ForegroundColor Red
    Write-Host "[!] Please USE A VIRTUAL MACHINE." -ForegroundColor Red
    exit
}

Write-Host "Checking if user is running as TrustedInstaller." -ForegroundColor Yellow
# Check if the script is running as SYSTEM
if (-Not ($(whoami) -eq "nt authority\system")) {
    $CheckSystem = $false
    # Check if AdvancedRun is installed in current directory
    if (!(Test-Path ".\AdvancedRun.exe")) {
        # Download AdvancedRun
        $url = "https://www.nirsoft.net/utils/advancedrun-x64.zip"
        $output = ".\advancedrun-x64.zip"
        Invoke-WebRequest -Uri $url -OutFile $output
        # Extract the downloaded file
        Expand-Archive -Path $output -DestinationPath "." -Force
        # Clean up
        Remove-Item $output
    }
    Write-Host "User is not running as TrustedInstaller" -ForegroundColor Yellow
    Write-Host "Elevating to TrustedInstaller" -ForegroundColor Yellow
    # Launch AdvancedRun.exe and run script as TrustedInstaller to elevate
    & ".\AdvancedRun.exe" /EXEFilename "$PSHOME\powershell.exe" /CommandLine $MyInvocation.MyCommand.Path /RunAs 8 /Run
}
else {
    $CheckSystem = $true
    Write-Host "Already elevated to TrustedInstaller" -ForegroundColor Green
    Write-Host "Will continue script now" -ForegroundColor Yellow
}

if ($CheckSystem) {
    Write-Host "Disable all functionnalities (TrustedInstaller privilege)" -ForegroundColor Yellow
    # Adding exception for all drive letters (C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z)
    # Define an array of all drive letters
    $driveLetters = 67..90 | ForEach-Object { [char]$_ }
    # Iterate through the array of drive letters
    foreach ($driveLetter in $driveLetters) {
        # Add an exception for the current drive letter
        Add-MpPreference -ExclusionPath "$($driveLetter):\" -ErrorAction SilentlyContinue
        Add-MpPreference -ExclusionProcess "$($driveLetter):\*" -ErrorAction SilentlyContinue
    }

    # Disable UAC
    New-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force

    # Disable list of engines
    Write-Host "Disable Windows Defender engines (Set-MpPreference)" -ForegroundColor Yellow
    Set-MpPreference -DisableBlockAtFirstSeen $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableCatchupFullScan $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableCatchupQuickScan $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableCpuThrottleOnIdleScans $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableDatagramProcessing $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableDnsOverTcpParsing $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableDnsParsing $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableEmailScanning $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableGradualRelease $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableHttpParsing $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableInboundConnectionFiltering $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisablePrivacyMode $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableRdpParsing $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableRemovableDriveScanning $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableRestorePoint $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableScanningNetworkFiles $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableSshParsing $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableTlsParsing $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableArchiveScanning $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableAutoExclusions $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableBehaviorMonitoring $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableIOAVProtection $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableIntrusionPreventionSystem $true -ErrorAction SilentlyContinue
    Set-MpPreference -DisableScriptScanning $true -ErrorAction SilentlyContinue
    # Set-MpPreference -DisableFtpParing $true -ErrorAction SilentlyContinue
    # Set-MpPreference -DisableNetworkProtectionPerfTelemetry $true -ErrorAction SilentlyContinue
    # Set-MpPreference -DisableSmtpParsing $true -ErrorAction SilentlyContinue

    Write-Host "Set default actions to NoAction (Set-MpPreference)" -ForegroundColor Yellow
    # Set default actions to NoAction, so that no alerts are shown, and no actions are taken
    # Allow actions would be better in my opinion
    Set-MpPreference -LowThreatDefaultAction NoAction -ErrorAction SilentlyContinue
    Set-MpPreference -ModerateThreatDefaultAction NoAction -ErrorAction SilentlyContinue
    Set-MpPreference -HighThreatDefaultAction NoAction -ErrorAction SilentlyContinue

    # Disable Windows Defender.
    # editing HKLM:\SOFTWARE\Microsoft\Windows Defender\ requires to be SYSTEM
    $registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
    if (Test-Path $registryPath) {
        # A missing value makes Get-ItemProperty emit an error; silence it so the test below only sees $null
        if (!(Get-ItemProperty -Path $registryPath -Name "DisableAntiSpyware" -ErrorAction SilentlyContinue)) {
            New-ItemProperty -Path $registryPath -Name "DisableAntiSpyware" -Value 1 -PropertyType DWORD -Force
            Write-Host "DisableAntiSpyware property has been created." -ForegroundColor Yellow
            Write-Host "Windows Defender has been disabled." -ForegroundColor Green
        }
        elseif ((Get-ItemProperty -Path $registryPath -Name "DisableAntiSpyware").DisableAntiSpyware -eq 1) {
            Write-Host "Windows Defender is already disabled." -ForegroundColor Green
        }
        else {
            Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1
            Write-Host "Windows Defender has been disabled." -ForegroundColor Green
        }
    }
    else {
        Write-Host "Your system does not have the Windows Defender registry key." -ForegroundColor Yellow
        Write-Host "Windows Defender is already disabled." -ForegroundColor Green
    }

    # Delete Windows Defender services from registry (HKLM)
    $service_list = @( "WdNisSvc" , "WinDefend")
    foreach ($svc in $service_list) {
        if ($(Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc")) {
            if ($(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc").Start -eq 4) {
                Write-Host "$svc service has already been deleted" -ForegroundColor Green
            }
            else {
                Write-Host "$svc service has been deleted (Please REBOOT)" -ForegroundColor Green
                Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name Start -Value 4
            }
        }
        else {
            Write-Host "$svc service has already been deleted" -ForegroundColor Green
        }
    }

    # Delete Windows Defender drivers from registry (HKLM)
    $driver_list = @("WdnisDrv", "wdboot", "wdfilter")
    foreach ($drv in $driver_list) {
        # Test-Path was missing here: a bare string is always true, so the key was never actually checked
        if ($(Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$drv")) {
            if ($(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$drv").Start -eq 4) {
                Write-Host "$drv driver has already been disabled" -ForegroundColor Green
            }
            else {
                Write-Host "$drv driver has been disabled (Please REBOOT)" -ForegroundColor Green
                Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$drv" -Name Start -Value 4
            }
        }
        else {
            Write-Host "$drv driver has already been disabled" -ForegroundColor Green
        }
    }

    Write-Host "Deleting Windows Defender (files, services, drivers)" -ForegroundColor Yellow
    # Define the paths to the folders to be deleted
    if (Test-Path "C:\Windows\System32\drivers\wd\") {
        # If the folder exists, output a message indicating that it was not deleted
        Write-Host "The C:\Windows\System32\drivers\wd\ is not deleted." -ForegroundColor Yellow
        Write-Host "The C:\Windows\System32\drivers\wd\ will be deleting." -ForegroundColor Yellow
        Remove-Item "C:\Windows\System32\drivers\wd\" -Recurse -Force
    }
    else {
        # If the folder does not exist, output a message indicating that it was deleted
        Write-Host "The C:\Windows\System32\drivers\wd\ has already been deleted." -ForegroundColor Green
    }

    if (Test-Path "C:\Program Files\Windows Defender") {
        Write-Host "The C:\Program Files\Windows Defender is not deleted." -ForegroundColor Yellow
        Write-Host "The C:\Program Files\Windows Defender will be deleting." -ForegroundColor Yellow
        Remove-Item -Path "C:\Program Files\Windows Defender" -Recurse -Force -ErrorAction SilentlyContinue
    }
    else {
        Write-Host "The C:\Program Files\Windows Defender has already been deleted." -ForegroundColor Green
    }

    if (Test-Path "C:\ProgramData\Microsoft\Windows Defender") {
        Write-Host "The C:\ProgramData\Microsoft\Windows Defender is not deleted." -ForegroundColor Yellow
        Write-Host "The C:\ProgramData\Microsoft\Windows Defender will be deleting." -ForegroundColor Yellow
        Remove-Item -Path "C:\ProgramData\Microsoft\Windows Defender" -Recurse -Force -ErrorAction SilentlyContinue
    }
    else {
        Write-Host "The C:\ProgramData\Microsoft\Windows Defender has already been deleted." -ForegroundColor Green
    }

    # Disable Windows Update Service
    Write-Host "Disabling Windows Update Service" -ForegroundColor Yellow
    # Get the Windows Update service
    $wuauserv = Get-Service -Name "wuauserv"
    # Stop the service
    Stop-Service $wuauserv
    # Set the service startup type to disabled
    Set-Service -Name "wuauserv" -StartupType Disabled
    # Confirm that the service has been disabled
    $wuauserv | Select-Object -Property Name, StartupType, Status
    if ($wuauserv.StartType -eq "Disabled" -and $wuauserv.Status -eq "Stopped") {
        Write-Host "Windows Update has been disabled." -ForegroundColor Green
    }
    else {
        Write-Host "Windows Update has not been disabled." -ForegroundColor Red
    }

    # Set the Windows Update service to disabled via Registry
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv" -Name "Start" -Value 4
    # Confirm the change by reading the Start value via Registry
    $startValue = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv").Start
    if ($startValue -eq 4) {
        Write-Host "The Windows Update service has been disabled." -ForegroundColor Green
    }
    else {
        Write-Host "The Windows Update service has not been disabled. Please check the registry." -ForegroundColor Yellow
    }

    # Check list of service running or not
    Write-Host "Check disabled engines (Get-MpPreference)" -ForegroundColor Yellow
    Get-MpPreference | Format-List disable*

    Write-Host ""
    Write-Host "Some engines might return False, ignore" -ForegroundColor Yellow

    # Check if Windows Defender service running or not
    # ServiceController.Status is "Running", never "Still Running", so the original comparison could not match
    if ($(Get-Service -Name WinDefend).Status -eq "Running") {
        Write-Host "Windows Defender Service is still running (Please REBOOT)" -ForegroundColor Yellow
    }
    else {
        Write-Host "Windows Defender Service is not running" -ForegroundColor Green
    }
    Write-Host ""
    Write-Host "Please REBOOT your system to after completing the whole process. Thank you." -ForegroundColor Green
    Write-Host ""
    Read-Host -Prompt "Press Enter to close the terminal"
}
```

 

Save as a .ps1 file and run it in PowerShell (second script)

 

```powershell
if(-Not $($(whoami) -eq "nt authority\system")) {
    $IsSystem = $false

    # Elevate to admin (needed when called after reboot)
    if (-Not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) {
        Write-Host "    [i] Elevate to Administrator"
        $CommandLine = "-ExecutionPolicy Bypass `"" + $MyInvocation.MyCommand.Path + "`" " + $MyInvocation.UnboundArguments
        Start-Process -FilePath PowerShell.exe -Verb Runas -ArgumentList $CommandLine
        Exit
    }

    # Elevate to SYSTEM if psexec is available
    $psexec_path = $(Get-Command PsExec -ErrorAction 'ignore').Source
    if($psexec_path) {
        Write-Host "    [i] Elevate to SYSTEM"
        $CommandLine = " -i -s powershell.exe -ExecutionPolicy Bypass `"" + $MyInvocation.MyCommand.Path + "`" " + $MyInvocation.UnboundArguments
        Start-Process -WindowStyle Hidden -FilePath $psexec_path -ArgumentList $CommandLine
        exit
    } else {
        Write-Host "    [i] PsExec not found, will continue as Administrator"
    }

} else {
    $IsSystem = $true
}
67..90|foreach-object{
    $drive = [char]$_
    Add-MpPreference -ExclusionPath "$($drive):\" -ErrorAction SilentlyContinue
    Add-MpPreference -ExclusionProcess "$($drive):\*" -ErrorAction SilentlyContinue
}

Write-Host "    [+] Disable scanning engines (Set-MpPreference)"

Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue
Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue
Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue
Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue
Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue
Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue
Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue
Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue
Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue
Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue

Write-Host "    [+] Set default actions to Allow (Set-MpPreference)"

Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue
Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue
Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue
$need_reboot = $false

# WdNisSvc Network Inspection Service
# WinDefend Antivirus Service
# Sense : Advanced Protection Service

$svc_list = @("WdNisSvc", "WinDefend", "Sense")
foreach($svc in $svc_list) {
    if($(Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc")) {
        if( $(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc").Start -eq 4) {
            Write-Host "        [i] Service $svc already disabled"
        } else {
            Write-Host "        [i] Disable service $svc (next reboot)"
            Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name Start -Value 4
            $need_reboot = $true
        }
    } else {
        Write-Host "        [i] Service $svc already deleted"
    }
}

Write-Host "    [+] Disable drivers"

# WdnisDrv : Network Inspection System Driver
# wdfilter : Mini-Filter Driver
# wdboot : Boot Driver

$drv_list = @("WdnisDrv", "wdfilter", "wdboot")
foreach($drv in $drv_list) {
    if($(Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$drv")) {
        if( $(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$drv").Start -eq 4) {
            Write-Host "        [i] Driver $drv already disabled"
        } else {
            Write-Host "        [i] Disable driver $drv (next reboot)"
            Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$drv" -Name Start -Value 4
            $need_reboot = $true
        }
    } else {
        Write-Host "        [i] Driver $drv already deleted"
    }
}

# Check if service running or not
if($(GET-Service -Name WinDefend).Status -eq "Running") {
    Write-Host "    [+] WinDefend Service still running (reboot required)"
    $need_reboot = $true
} else {
    Write-Host "    [+] WinDefend Service not running"
}
$link_reboot = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\disable-defender.lnk"
Remove-Item -Force "$link_reboot" -ErrorAction 'ignore' # Remove the link (only execute once after reboot)

if($need_reboot) {
    Write-Host "    [+] This script will be started again after reboot." -BackgroundColor DarkRed -ForegroundColor White

    $powershell_path = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
    $cmdargs = "-ExecutionPolicy Bypass `"" + $MyInvocation.MyCommand.Path + "`" " + $MyInvocation.UnboundArguments

    $res = New-Item $(Split-Path -Path $link_reboot -Parent) -ItemType Directory -Force
    $WshShell = New-Object -comObject WScript.Shell
    $shortcut = $WshShell.CreateShortcut($link_reboot)
    $shortcut.TargetPath = $powershell_path
    $shortcut.Arguments = $cmdargs
    $shortcut.WorkingDirectory = "$(Split-Path -Path $PSScriptRoot -Parent)"
    $shortcut.Save()
} else {
    if($IsSystem) {

        # Configure the Defender registry to disable it (and the TamperProtection)
        # editing HKLM:\SOFTWARE\Microsoft\Windows Defender\ requires to be SYSTEM

        Write-Host "    [+] Disable all functionnalities with registry keys (SYSTEM privilege)"

        # Cloud-delivered protection:
        Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SpyNetReporting -Value 0
        # Automatic Sample submission
        Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0
        # Tamper protection
        Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4

        # Disable in registry
        Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1
        Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1

    } else {
        Write-Host "    [W] (Optional) Cannot configure registry (not SYSTEM)"
    }


    if($MyInvocation.UnboundArguments -And $($MyInvocation.UnboundArguments.tolower().Contains("-delete"))) {

        # Delete Defender files

        function Delete-Show-Error {
            $path_exists = Test-Path $args[0]
            if($path_exists) {
                Remove-Item -Recurse -Force -Path $args[0]
            } else {
                Write-Host "    [i] $($args[0]) already deleted"
            }
        }

        Write-Host ""
        Write-Host "[+] Delete Windows Defender (files, services, drivers)"

        # Delete files
        Delete-Show-Error "C:\ProgramData\Windows\Windows Defender\"
        Delete-Show-Error "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"

        # Delete drivers
        Delete-Show-Error "C:\Windows\System32\drivers\wd\"

        # Delete service registry entries
        foreach($svc in $svc_list) {
            Delete-Show-Error "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        }

        # Delete drivers registry entries
        foreach($drv in $drv_list) {
            Delete-Show-Error "HKLM:\SYSTEM\CurrentControlSet\Services\$drv"
        }
    }
}
Write-Host "Script Finished" -foregroundcolor Yellow
```

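Every method on this page changes a small, fixed set of things: Set-MpPreference switches, drive-wide exclusions, default threat actions, the DisableAntiSpyware value, the Start value of the Defender services and drivers, UAC, Defender's own folders, and (for the second script) a StartUp shortcut that re-runs it after reboot. Tamper protection, covered in the Method 6 section, is the control that is meant to stop exactly these changes, so an audit should report its state too. The script below is an added example written for this post; it is not code from the original post, from either script above, or from Microsoft. It reads each of those settings and the Defender operational event log and prints one finding per deviation, exiting non-zero when anything HIGH is found so it can gate a scheduled task. It assumes Windows PowerShell 5.1 or later with the built-in Defender module, run as administrator; the numeric values it expects for the enum-typed preferences (MAPSReporting 2 = Advanced, PUAProtection 1 = Enabled, CloudBlockLevel 2 = High, default actions 6 = Allow and 9 = NoAction) are the values Get-MpPreference returns for those named members and should be confirmed on your own build, and the event IDs named in the comments are Defender's documented engine-state events.

```powershell
<#
  Defender tamper audit (added example, not the post's or Microsoft's code).
  Reads the settings the methods above change, plus recent Defender events,
  and prints one finding per deviation. Run as administrator.
#>

$Findings = New-Object 'System.Collections.Generic.List[string]'
function Add-Finding([string]$Severity, [string]$Message) { $Findings.Add("[$Severity] $Message") }

# --- 1. Set-MpPreference switches the scripts above flip to $true --------------------
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if (-not $pref) {
    Add-Finding 'HIGH' 'Get-MpPreference failed: the Defender platform is not responding'
} else {
    $mustBeFalse = 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableScriptScanning',
                   'DisableIOAVProtection', 'DisableBlockAtFirstSeen', 'DisableArchiveScanning',
                   'DisableRemovableDriveScanning', 'DisableIntrusionPreventionSystem'
    foreach ($name in $mustBeFalse) { if ($pref.$name) { Add-Finding 'HIGH' "$name is True" } }

    # Enum members from the evaluation guide, as the numeric values Get-MpPreference returns
    # (assumed mapping: 2 = Advanced, 1 = Enabled, 2 = High); confirm on your build.
    if ($pref.MAPSReporting -ne 2)                { Add-Finding 'MEDIUM' "MAPSReporting = $($pref.MAPSReporting), expected 2 (Advanced)" }
    if ($pref.PUAProtection -ne 1)                { Add-Finding 'MEDIUM' "PUAProtection = $($pref.PUAProtection), expected 1 (Enabled)" }
    if ($pref.CloudBlockLevel -lt 2)              { Add-Finding 'MEDIUM' "CloudBlockLevel = $($pref.CloudBlockLevel), expected 2 (High) or above" }
    if ($pref.EnableControlledFolderAccess -ne 1) { Add-Finding 'LOW' 'Controlled folder access is not enabled' }
    if ($pref.EnableNetworkProtection -ne 1)      { Add-Finding 'LOW' 'Network protection is not enabled' }

    # Whole-drive exclusions ("C:\" and "C:\*") are exactly what both scripts add for every letter.
    foreach ($p in $pref.ExclusionPath)    { if ($p -match '^[A-Za-z]:\\?$')  { Add-Finding 'HIGH' "Whole-drive path exclusion: $p" } }
    foreach ($p in $pref.ExclusionProcess) { if ($p -match '^[A-Za-z]:\\\*$') { Add-Finding 'HIGH' "Whole-drive process exclusion: $p" } }

    # Default actions: 6 = Allow, 9 = NoAction (assumed numeric values of the ThreatAction enum).
    foreach ($level in 'LowThreatDefaultAction', 'ModerateThreatDefaultAction', 'HighThreatDefaultAction') {
        if ($pref.$level -in @(6, 9)) { Add-Finding 'HIGH' "$level = $($pref.$level): detections are let through" }
    }
}

# --- 2. Registry: policy value, service/driver start types, UAC ------------------------
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableAntiSpyware -eq 1) { Add-Finding 'HIGH' 'Policy value DisableAntiSpyware = 1' }

# WinDefend/WdNisSvc are services, WdFilter/WdBoot/WdNisDrv drivers; Sense exists only on
# devices onboarded to Defender for Endpoint, so its absence is informational.
foreach ($svc in 'WinDefend', 'WdNisSvc', 'WdFilter', 'WdBoot', 'WdNisDrv', 'Sense') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $sev = if ($svc -eq 'Sense') { 'INFO' } else { 'HIGH' }
    if (-not (Test-Path $key)) { Add-Finding $sev "Registry key for $svc is missing"; continue }
    if ((Get-ItemProperty -Path $key).Start -eq 4) { Add-Finding $sev "$svc Start = 4 (disabled)" }
}

$lua = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue).EnableLUA
if ($lua -eq 0) { Add-Finding 'HIGH' 'UAC is disabled (EnableLUA = 0)' }

# --- 3. Folders the first script deletes, and the StartUp shortcut the second one leaves -
foreach ($dir in "$env:ProgramFiles\Windows Defender", "$env:ProgramData\Microsoft\Windows Defender", "$env:SystemRoot\System32\drivers\wd") {
    if (-not (Test-Path $dir)) { Add-Finding 'HIGH' "Defender directory missing: $dir" }
}
$lnk = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp\disable-defender.lnk'
if (Test-Path $lnk) { Add-Finding 'HIGH' "StartUp shortcut from the disable script is present: $lnk" }

# --- 4. Live status and tamper protection ----------------------------------------------
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $status) {
    Add-Finding 'HIGH' 'Get-MpComputerStatus failed: the Defender service is not running'
} else {
    if (-not $status.AntivirusEnabled)          { Add-Finding 'HIGH' 'AntivirusEnabled = False' }
    if (-not $status.RealTimeProtectionEnabled) { Add-Finding 'HIGH' 'RealTimeProtectionEnabled = False' }
    if (-not $status.IsTamperProtected)         { Add-Finding 'MEDIUM' 'Tamper protection is off: every change above is possible from an admin shell' }
    if ($status.AntivirusSignatureAge -gt 7)    { Add-Finding 'MEDIUM' "Signatures are $($status.AntivirusSignatureAge) days old" }
}

# --- 5. Engine-state events from the last 7 days -----------------------------------------
# 5001 real-time protection disabled, 5007 configuration changed,
# 5010 anti-spyware scanning disabled, 5012 antivirus scanning disabled.
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5007, 5010, 5012; StartTime = (Get-Date).AddDays(-7) }
foreach ($e in @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    if ($e) { Add-Finding 'INFO' ('{0:u} event {1}: {2}' -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0].Trim()) }
}

# --- Report ------------------------------------------------------------------------------
if ($Findings.Count -eq 0) { Write-Host 'No Defender tampering indicators found.' -ForegroundColor Green }
else { $Findings | ForEach-Object { Write-Host $_ } }
$high = @($Findings | Where-Object { $_.StartsWith('[HIGH]') }).Count
exit ([int]($high -gt 0))
```

Run it as `.\defender-audit.ps1` from an elevated prompt rather than dot-sourcing it, since the final `exit` would otherwise close the interactive session. On a host where tamper protection is on, the Set-MpPreference and registry changes above are rejected and the audit should come back clean; if it reports a whole-drive exclusion or a disabled service Start value while IsTamperProtected is false, the machine has been altered in the way these methods describe and the Defender event IDs in section 5 give you the time it happened.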
 

 

Method 7

Utility: https://www.sordum.org/9480/defender-control-v2-1/

 

Further additions contributed by helpful readers to follow...


Posted by 一朗 on 痞客邦 (Pixnet)