When the policy is enabled, a "DisableAntiSpyware" registry value is created and set to 1 under the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, as shown below.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
Once activated, this key deactivates Microsoft Defender Antivirus, as well as third-party antivirus software and applications.
Microsoft also states that if a user removes the installed antivirus solution, Windows Defender will automatically activate to protect them.
"Consumers can choose to run another AV solution, but for whatever reason the app is disabled, the Microsoft Defender AV will be reactivated to ensure that there is no protection gap for the user."
Just as Windows administrators know about the DisableAntiSpyware group policy setting, so do malware developers.
Many malicious programs (TrickBot, Novter, Clop Ransomware, Ragnarok Ransomware, and AVCrypt Ransomware) have abused this policy to try to disable antivirus protection on Windows.
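A defender auditing a registry export (for example one pulled from a suspect machine) wants a check that flags exactly the value described above. The following parser is an added example, not code from the article: it reads the REGEDIT 5.00 text format of the listing and reports whether DisableAntiSpyware is set to 1 under the Policies key; the sample export embedded at the bottom is constructed for the demonstration.

```python
"""Audit a Windows .reg export for the DisableAntiSpyware policy value.

Added example, not code from the article: parses the REGEDIT 5.00 text
format of the listing above and flags the policy when it is set to 1.
"""
import re

# Registry path and value name exactly as the article describes them.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
POLICY_VALUE = "DisableAntiSpyware"

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")          # [HKEY_...\Path]
_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: int}} for the DWORD values in an export.

    Other value types (REG_SZ, hex:) are skipped rather than mis-parsed.
    """
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank lines and comments
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            result.setdefault(current, {})
            continue
        value_match = _DWORD_RE.match(line)
        if value_match and current is not None:
            result[current][value_match.group("name")] = int(value_match.group("hex"), 16)
    return result


def defender_policy_disabled(text: str) -> bool:
    """True when the export sets DisableAntiSpyware=1 under the Policies key."""
    # Registry key paths and value names are case-insensitive, so normalise.
    for key, entries in parse_reg_export(text).items():
        if key.lower() != POLICY_KEY.lower():
            continue
        if any(n.lower() == POLICY_VALUE.lower() and v == 1 for n, v in entries.items()):
            return True
    return False


# Constructed sample matching the listing in the article.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"""
```

Run `defender_policy_disabled(open("export.reg", encoding="utf-16").read())` on a real `reg export` file (regedit writes UTF-16) to apply the check outside the sample.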
With the release of Windows 10 1903, Microsoft added a new feature called Tamper Protection, which prevents Windows Security and Microsoft Defender settings from being changed by programs, Windows command-line tools, registry changes, or group policy changes.
So if malware added the DisableAntiSpyware value to the registry and then restarted the computer, Tamper Protection would remove the value on reboot.
Now that Microsoft Defender completely ignores the DisableAntiSpyware value, Windows 10 users have much greater protection against threats that try to disable security software using this technique.