As we mentioned in a previous publication, Microsoft has removed the ability to disable Microsoft Defender from the Windows 10 Registry.
Since Windows Vista, users could completely disable Microsoft Defender, and potentially any other security software, by using the “Turn off Microsoft Defender Antivirus” group policy setting.
When the policy is enabled, a registry value named “DisableAntiSpyware” is created and set to 1 under the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, as shown below.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
Once enabled, this key will disable "Microsoft Defender Antivirus and third-party antivirus software and applications."
In the documentation for DisableAntiSpyware, Microsoft states that the DisableAntiSpyware value will be ignored and will no longer be used to disable antivirus software.
Microsoft also states that if a user removes the installed antivirus solution, Windows Defender will automatically activate to protect them.
"Consumers may choose to run another AV solution, but if for any reason the application is disabled, Microsoft Defender AV will be reactivated to ensure that there is no user protection gap."
Why
Just as Windows administrators know about the DisableAntiSpyware group policy setting, so do malware developers.
Many malicious programs (TrickBot, Novter, Clop Ransomware, Ragnarok Ransomware, and AVCrypt Ransomware) have abused this policy to try to disable antivirus protection on Windows.
With the release of Windows 10 1903, Microsoft added a new feature called Tamper Protection, which prevents Windows Security and Microsoft Defender settings from being changed by programs, Windows command-line tools, registry changes, or group policy changes.
So if malware added the DisableAntiSpyware value to the Registry and then restarted the computer, Tamper Protection would remove the value during the restart.
So now that Microsoft Defender is completely ignoring the value of DisableAntiSpyware, Windows 10 users have much greater protection against threats trying to disable security software using this technique.
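The following Python function is added here as an example and is not taken from the article or from Microsoft. It scans a .reg export for the DisableAntiSpyware value under the policy key shown above; since Defender now ignores the value, a hit indicates an attempted change rather than disabled protection. The function name, the state labels and the sample export (including its Example subkey) are assumptions made for the illustration.

```python
import re

# Policy key and value named in the article; registry names are case-insensitive.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender".lower()
VALUE_NAME = "disableantispyware"
KEY_RE = re.compile(r"^\[(-?)(.+?)\]\s*$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*(.+?)\s*$')
DWORD_RE = re.compile(r"dword:([0-9a-f]{1,8})")

def find_disable_antispyware(reg_text):
    """Return (line_number, state) for each DisableAntiSpyware entry under the policy key.
    state: 'enabled' (non-zero dword), 'cleared' (dword 0), 'deleted' or 'unexpected-type'."""
    findings, in_policy_key = [], False
    for lineno, raw in enumerate(reg_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or .reg comment
            continue
        key = KEY_RE.match(line)
        if key:
            # "[-KEY]" deletes the key, so values listed under it are not set.
            in_policy_key = not key.group(1) and key.group(2).strip().lower() == POLICY_KEY
            continue
        value = VALUE_RE.match(line)
        if not (in_policy_key and value) or value.group(1).lower() != VALUE_NAME:
            continue
        data = value.group(2).lower()
        dword = DWORD_RE.fullmatch(data)
        if data == "-":  # "name"=- removes the value
            state = "deleted"
        elif dword:
            state = "enabled" if int(dword.group(1), 16) else "cleared"
        else:
            state = "unexpected-type"
        findings.append((lineno, state))
    return findings

# Constructed sample export, not taken from a real system.
SAMPLE = r'''Windows Registry Editor Version 5.00

; constructed sample: policy key, a hypothetical subkey, and a lower-case variant
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Example]
"DisableAntiSpyware"=dword:00000001

[hkey_local_machine\software\policies\microsoft\windows defender]
"disableantispyware"=dword:00000000
'''
```

Files exported by regedit in the Version 5.00 format are UTF-16 encoded, so read them with encoding="utf-16" before passing the text to the function.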
