
Disabling Defender automatic updates

Author: Windows技术交流
Modified 2023-06-14 13:55:08

Disabling Defender's automatic updates is generally not recommended, but if you already have an alternative security solution in place, consider Defender's automatic updates a risk, and want to shut them off, this document is for you. It took considerable effort, comparing and testing on Server 2016 through 2022 and on Windows 10 and Windows 11.

After reading the Microsoft documentation in detail, I learned that Defender has quite a few update channels, which can be summarized roughly as follows:

[Manage the sources for Microsoft Defender Antivirus protection updates], Chinese and English documentation:

https://learn.microsoft.com/zh-cn/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus?view=o365-worldwide

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus?view=o365-worldwide

1. Windows Update
2. A self-hosted Windows Update Server
3. Group Policy
4. Microsoft Endpoint Configuration Manager
5. Manual triggers (including updating from a file share, the Defender command-line tool MpCmdRun.exe, PowerShell cmdlets, and so on)
6. Special event triggers

[Manage event-based forced updates], Chinese and English documentation:

https://learn.microsoft.com/zh-cn/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus?view=o365-worldwide

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus?view=o365-worldwide

Our business systems run Server 2016/2019/2022. Defender has no special configuration there and follows the defaults. Starting from that default configuration, and without uninstalling Defender, we want to turn off Defender's automatic updates as completely and thoroughly as possible.

We also understand that Microsoft's intent for Defender is to protect the system, and that protecting the system first requires protecting Defender itself, which is why Defender has a tamper protection mechanism.

What we want now is to block, as comprehensively as possible, the automatic updates that Defender's many channels could trigger, not limited to the six I listed above. Those six are what I found in the documentation, but Microsoft's products are vast and I am afraid I have missed some.

If covering every possibility is impossible, we at least want to block everything that can be blocked, and we hope Microsoft can provide more complete commands. For example, is there a command to exclude the Defender update packages from Windows Update? (As far as I know, there is a command to exclude automatic graphics-driver updates from Windows Update.)

Alternatively, the approach you proposed in your last email translates into these commands:

```cmd
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" /v "PreventPlatformUpdate" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "FallbackOrder" /d "FileShares" /t REG_SZ /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t REG_DWORD /d 8 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
```

Of the six channels I listed above, 2, 4 and 5 can be ignored; the focus is on blocking the default behaviour of channels 1, 3 and 6 so that Defender cannot update automatically. Please re-evaluate: can these three commands actually block them?

Regarding DisableAntiSpyware: on Server systems, the following command turns Defender off. Microsoft's documentation states that it applies only to Server systems, not to PC (client) systems.

```cmd
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
```

https://learn.microsoft.com/zh-cn/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware

https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware

Defender has too many update channels. After confirming with Microsoft several times, the following method disables Defender's automatic updates.

```powershell
Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration\' -Name PreventPlatformUpdate -Value 1 -Force
New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates' -Force
Set-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates\' -Name ScheduleDay -Value 8 -Force
Set-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates\' -Name FallbackOrder -Value 'FileShares' -Type 'String' -Force
Set-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates\' -Name ForceUpdateFromMU -Value 0 -Force
Set-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\' -Name DisableAntiSpyware -Value 1 -Force
```

The same settings, invoked from a cmd prompt:

```cmd
powershell.exe -Command "Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration\' -Name PreventPlatformUpdate -Value 1 -Force"
powershell.exe -Command "New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates' -Force"
powershell.exe -Command "Set-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates\' -Name ScheduleDay -Value 8 -Force"
powershell.exe -Command "Set-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates\' -Name FallbackOrder -Value 'FileShares' -Type 'String' -Force"
powershell.exe -Command "Set-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates\' -Name ForceUpdateFromMU -Value 0 -Force"
powershell.exe -Command "Set-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\' -Name DisableAntiSpyware -Value 1 -Force"
```

The equivalent reg add form:

```cmd
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" /v "PreventPlatformUpdate" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "FallbackOrder" /d "FileShares" /t REG_SZ /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t REG_DWORD /d 8 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
```
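As an added verification script (not part of the original post or any Microsoft documentation), the following reads back the four update-related values set above, reports whether each matches the intended state, and shows how stale the signatures have become via Get-MpComputerStatus. The expected values are taken from the commands above; run it in an elevated PowerShell on the machine being audited.

```powershell
# Added audit script: checks the update-blocking registry values from this post
# and reports signature age, so drift or silently ignored settings are visible.
$expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration'; Name = 'PreventPlatformUpdate'; Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates'; Name = 'ScheduleDay';        Value = 8 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates'; Name = 'FallbackOrder';      Value = 'FileShares' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates'; Name = 'ForceUpdateFromMU';  Value = 0 }
)

function Get-DefenderUpdateBlockState {
    # One row per expected value; Actual is $null when the key or value is absent.
    foreach ($e in $expected) {
        $actual = $null
        try {
            $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction Stop).($e.Name)
        } catch { }
        [pscustomobject]@{
            Name     = $e.Name
            Expected = $e.Value
            Actual   = $actual
            Matches  = ($null -ne $actual -and "$actual" -eq "$($e.Value)")
        }
    }
}

$state = Get-DefenderUpdateBlockState
$state | Format-Table -AutoSize

# Get-MpComputerStatus exposes signature version/age and the tamper protection flag.
# If tamper protection is on, policy changes to Defender may be ignored (see the
# note on tamper protection earlier in the post), so report it alongside the values.
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status) {
    "Signature version {0}, engine {1}, signatures {2} day(s) old, tamper protected: {3}" -f `
        $status.AntivirusSignatureVersion, $status.AMEngineVersion,
        $status.AntivirusSignatureAge, $status.IsTamperProtected
} else {
    "Get-MpComputerStatus returned nothing: Defender service may be stopped or not installed."
}

if ($state.Matches -contains $false) {
    "WARNING: at least one update-blocking value is missing or differs from the expected state."
}
```

A row with Actual empty means the key was never written; a row that matches while the signature age keeps resetting to 0 means another channel (for example Windows Update) is still delivering updates.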

In my actual testing, the above works on Server systems. If it does not take effect on a PC system, try the PowerShell below (if it reports errors, run it elevated).

```powershell
New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Force 2>&1 >$null
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan" /v "ScheduleQuickScanTime" /f 2>$null
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleQuickScanTime" /f 2>$null

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "DefinitionUpdateFileSharesSources" /f 2>$null
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DefinitionUpdateFileSharesSources" /f 2>$null

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f 2>$null
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /va /f 2>&1 >$null

$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
Get-ItemProperty -Path $registryPath | Remove-ItemProperty -Name * -ErrorAction SilentlyContinue
Get-ChildItem -Path $registryPath | Remove-Item -Recurse -Force -ErrorAction SilentlyContinue

reg add "HKLM\Software\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /d 0 /t REG_DWORD /f

#Restart-Service WinDefend -Force -ErrorAction SilentlyContinue
#Restart-Service WdNisSvc -Force -ErrorAction SilentlyContinue
Start-Service WinDefend -ErrorAction SilentlyContinue
Start-Service WdNisSvc -ErrorAction SilentlyContinue

Set-MpPreference -DisableBehaviorMonitoring $true -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f

Set-MpPreference -DisableIOAVProtection $true -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f

Set-MpPreference -DisableArchiveScanning $true -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /d 1 /t REG_DWORD /f

Set-MpPreference -MAPSReporting 0 -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /d 0 /t REG_DWORD /f

Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /d 2 /t REG_DWORD /f

Set-MpPreference -EnableControlledFolderAccess Disabled -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /d 0 /t REG_DWORD /f

Set-MpPreference -PUAProtection Disabled -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /d 0 /t REG_DWORD /f

Set-MpPreference -SignatureFallbackOrder FileShares -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "FallbackOrder" /d "FileShares" /t REG_SZ /f

Set-MpPreference -SignatureScheduleDay Never -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t REG_DWORD /d 8 /f

Set-MpPreference -SharedSignaturesPath c:\dummyPath -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SharedSignatureRoot" /d "c:\dummyPath" /t REG_SZ /f

Set-MpPreference -SignatureDefinitionUpdateFileSharesSources "\\unc1 | \\unc2" -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DefinitionUpdateFileSharesSources" /d "\\unc1 | \\unc2" /t REG_SZ /f

Set-MpPreference -CheckForSignaturesBeforeRunningScan $false -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /d 0 /t REG_DWORD /f

Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "LocalSettingOverrideDisableRealtimeMonitoring" /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /d 0 /t REG_DWORD /f

Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" /v "PreventPlatformUpdate" /t REG_DWORD /d 1 /f

Set-MpPreference -HighThreatDefaultAction 6 -Force -ErrorAction SilentlyContinue
Set-MpPreference -ModerateThreatDefaultAction 6 -Force -ErrorAction SilentlyContinue
Set-MpPreference -LowThreatDefaultAction 6 -Force -ErrorAction SilentlyContinue
Set-MpPreference -SevereThreatDefaultAction 6 -Force -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /d 1 /t REG_DWORD /f
#reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f # (whether to run this depends on business needs; if you only want to stop Defender auto-updating, this line can be skipped)

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d 1 /f
Get-ScheduledTask -TaskPath "\Microsoft\Windows\Data Integrity Scan\","\Microsoft\Windows\ApplicationData\","\Microsoft\Windows\Defrag\","\Microsoft\Windows\DiskCleanup\","\Microsoft\Windows\DiskDiagnostic\","\Microsoft\Windows\DiskFootprint\","\Microsoft\Windows\Windows Defender\","\Microsoft\Windows\Maintenance\" 2>$null | Disable-ScheduledTask 2>$null
```

Original statement: this article is published on the Tencent Cloud Developer Community with the author's authorization; reproduction without permission is prohibited.

If you believe it infringes your rights, contact cloudcommunity@tencent.com for removal.
