As we mentioned in a previous publication, Microsoft has removed the ability to disable Microsoft Defender through the Windows 10 Registry.
Since Windows Vista, users have been able to completely disable Microsoft Defender, and possibly any other security software, by using the "Turn off Microsoft Defender Antivirus" policy in the group policy settings.
When the policy is enabled, a "DisableAntiSpyware" registry value is created and set to 1 under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender key, as shown below.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

Once enabled, this value will disable "Microsoft Defender Antivirus and third-party antivirus software and applications."
In the documentation for DisableAntiSpyware, Microsoft states that the DisableAntiSpyware value will be ignored and will no longer be used to disable antivirus software.
Microsoft also states that if a user removes the installed antivirus solution, Windows Defender will automatically activate to protect them.
"Consumers may choose to run another AV solution, but if for any reason the application is disabled, Microsoft Defender AV will be reactivated to ensure that there is no user protection gap."
Why
Just as Windows administrators know about the DisableAntiSpyware group policy setting, so do malware developers.
Many malicious programs (TrickBot, Novter, Clop Ransomware, Ragnarok Ransomware and AVCrypt Ransomware) have abused this policy to try to disable Windows virus protection.
With the release of Windows 10 1903, Microsoft added a new feature called Tamper Protection that prevents Windows Security and Microsoft Defender settings from being changed by programs, Windows command line tools, registry changes, or group policy changes.
So if malware adds the DisableAntiSpyware value to the Registry and then reboots the computer, Tamper Protection will remove the value on reboot.
Since Microsoft Defender now completely ignores the DisableAntiSpyware value, Windows 10 users are much better protected against threats that try to disable security software using this technique.
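
A detection sketch for the abuse described above, as an added example that is not from the original article: it scans registry value-set events for writes that set DisableAntiSpyware to anything other than 0. The event field names follow Sysmon Event ID 13 and are an assumption about the log source; the sample events and process paths are constructed.

```python
import re

# Registry value named in the article; compared in lower case because
# registry paths are case-insensitive.
TARGET = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware".lower()
# Assumption: the log source renders a DWORD as "DWORD (0x00000001)".
DWORD_RE = re.compile(r"^DWORD \(0x([0-9a-fA-F]{8})\)$")


def find_disable_attempts(events):
    """Return one finding per event that sets DisableAntiSpyware to non-zero."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:  # 13 = registry value set (assumed Sysmon schema)
            continue
        if ev.get("TargetObject", "").lower() != TARGET:
            continue
        m = DWORD_RE.match(ev.get("Details", ""))
        # A write that is not a DWORD is unexpected here, so it is reported as None.
        value = int(m.group(1), 16) if m else None
        if value == 0:
            continue  # 0 leaves Defender enabled; the article's disabling value is 1
        findings.append({"time": ev.get("UtcTime"), "image": ev.get("Image"), "value": value})
    return findings


# Constructed sample events (not real telemetry); image paths are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2020-09-01 10:00:01.000",
     "Image": r"C:\Users\Public\updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "UtcTime": "2020-09-01 10:05:12.000",
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "UtcTime": "2020-09-01 10:07:45.000",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"hklm\software\policies\microsoft\windows defender\disableantispyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 12, "UtcTime": "2020-09-01 10:09:00.000",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
     "Details": ""},
]

if __name__ == "__main__":
    for finding in find_disable_attempts(SAMPLE_EVENTS):
        print(finding)
```

On builds where Defender ignores the value, a hit no longer means protection was turned off, but it still identifies a process that tried to turn it off.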