#310
I was struggling with disabling Defender, so for posterity I will write up my findings and solution.
The goal was to disable Defender using group policy (gpedit), so no third party software (which does work), and this was on Windows 20H2.
There is a bug in, apparently, gpedit (or somewhere else) that prevents gpedit settings from sticking:
Win 20H2 build 19042.964 - when using gpedit to disable Defender, after applying settings or restarting the PC the settings will revert back to "Not configured" in gpedit and Defender will still work. To work around this do the following:
- disable via gpedit, click OK
- restart PC
repeat this until Windows Defender no longer auto-starts (in my case I had to do this 3-4 times).
Credit: Cannot disable Microsoft Defender Antivirus via group policy on 20H2 : Windows10TechSupport
Windows 20H2 build 19042.985 - works fine, no trickery needed, gpedit disables Windows Defender (this update was offered, to me at least, today while struggling with version 19042.964 encountered yesterday).
Whenever Defender thinks (in a copy or move operation) a file is evil it deletes it silently.
This is an absolute no-go.
Defender should at least prompt the user.
Moreover, the tricks necessary to disable it are annoying.
Defender sucks.
I might post my own mini tutorial somewhere later, but there is still a lot of control over defender, and fully disabling it I have discovered is kind of like using a sledgehammer to kill a fly.
E.g. you can toggle a real time flag in group policy, which is effectively the same as disabling it in terms of performance and its interventions on the OS; you can also disable it in the security applet, and add a task that auto disables it whenever it turns itself back on (I posted the task here).
In addition you can disable individual parts of defender such as the behaviour analysis, the real time file monitoring (this one probably stops your deleted files) as well as the network intervention. None of this stuff is affected by the tamper protection.
You can go to the security applet and reverse previous actions; usually Defender will move a file to quarantine rather than fully delete it. Given the amount of operator errors that occur on security prompts, I have personally come round to Microsoft's way of thinking.
There is also control provided for process exclusions, folder exclusions etc. So the reality is Defender offers close to the level of control you get in 3rd party solutions, the difference being that this control is not so visible to access; a lot of it is in group policies.
I don't think you can configure such a thing. This is why I tried NOD32 for a moment and turned back to Microsoft Antivirus. Basically you have to wait for it to put a file into quarantine and then go to Settings and choose "Allow on device". I don't think there's any way to just warn you and not delete. Somebody please shed some light on the matter.
You could add exclusions to Microsoft Defender if wanted.
Add or Remove Microsoft Defender Antivirus Exclusions in Windows 10
Ok, but as far as I can see, specifying an exclusion for e.g. the whole partition D:\ means that none of the files are scanned.
That's bad.
I want to let Defender scan each file exactly ONCE. If Defender thinks it's evil, a popup should appear asking me for action.
This popup dialog should contain a button similar to "exclude (only) this file from further scan".
AND - as already said - the file should NOT be deleted if the user clicks on exclude.
So is there something like an exclude on first detection?
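An added example (not from any poster in this thread) tying together the per-component controls described a few posts up and the exclusion-scoping concern in this post: it reports which Defender components are enabled, flags exclusions that cover a whole drive, and lists recent detections with the file they acted on so a narrowly scoped, single-file exclusion can be judged instead of excluding a partition. It assumes the built-in Defender PowerShell module on Windows 10 and an elevated prompt; the exclusion path and the MpCmdRun.exe location at the end are assumptions for illustration.

```powershell
# Added example: audit Defender's protection state, exclusions and recent detections.
# Assumes the built-in Defender module (Get-Mp* cmdlets) and an elevated prompt.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

"== Protection state (per-component, not all-or-nothing) =="
[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    BehaviorMonitor    = $status.BehaviorMonitorEnabled
    OnAccessProtection = $status.OnAccessProtectionEnabled
    NetworkInspection  = $status.NISEnabled
    TamperProtected    = $status.IsTamperProtected
} | Format-List

"== Path exclusions (a bare drive root such as D:\ exempts the whole partition) =="
foreach ($p in @($pref.ExclusionPath)) {
    $broad = $p -match '^[A-Za-z]:\\?$'
    $tag   = if ($broad) { 'BROAD' } else { 'ok' }
    "{0,-6} {1}" -f $tag, $p
}
"Process exclusions  : $($pref.ExclusionProcess -join ', ')"
"Extension exclusions: $($pref.ExclusionExtension -join ', ')"

"== Last 10 detections: what was flagged, where it was, whether the action succeeded =="
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 |
    ForEach-Object {
        $t = Get-MpThreat -ThreatID $_.ThreatID
        [pscustomobject]@{
            When     = $_.InitialDetectionTime
            Threat   = $t.ThreatName
            Resource = ($_.Resources -join '; ')
            Success  = $_.ActionSuccess
        }
    } | Format-Table -AutoSize

# A single-file exclusion scoped to one path (hypothetical path), added only after
# the detection above has been reviewed and judged a false positive:
# Add-MpPreference -ExclusionPath 'D:\tools\example.exe'

# Quarantined items can be listed (and restored individually) with the bundled tool;
# the install path is assumed to be the default:
# & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -ListAll
```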