Bypass Record
Disable or Modify Tools × Microsoft Defender Antivirus
A publicly-reported instance of Disable or Modify Tools bypassing Microsoft Defender Antivirus, recorded with its original source. Factual record; no assessment of any specific deployment.
Reported as
permanently disables Microsoft Defender by gaining TrustedInstaller privileges, stopping services, disabling tamper protection, and modifying registry and WMI settings
Mechanism
The tool escalates to TrustedInstaller privileges, then stops the Windows Defender services (the source also lists SmartScreen), turns off tamper protection, tampers with the WdFilter minifilter driver so that its filter stays off, sets the services' start type to 4 (disabled), and modifies the relevant registry keys and WMI settings. It also deletes Defender program files; no reversal of the deletion is implemented. The result defeats Microsoft Defender's real-time protection, tamper protection, and filter driver.
Detection & mitigation
Monitor for unexpected changes to the Windows Defender services (e.g., WinDefend, WdNisSvc) and to their registry keys (e.g., HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, and the Start value under HKLM\SYSTEM\CurrentControlSet\Services for those services). Sysmon Event ID 13 (RegistryEvent: SetValue) covers the registry writes; service start-type changes are recorded by the Service Control Manager in the System log as Event ID 7040, and new service installs as Event ID 7045 (both are System log events, not Sysmon events). Enforce tamper protection via Microsoft Defender, and restrict escalation to TrustedInstaller through application control policies.
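As an added example (not code from the cited source or from the tool described), the following Python applies the detection logic above to exported Windows event records: it flags Sysmon Event ID 13 writes that flip a Disable* policy under the Defender policy key or set a Defender service's Start value to 4, and System log Event ID 7040 messages that report a Defender service's start type changed to disabled. The flat-dict record layout and its field names (record_id, channel, event_id, image, target_object, details, message) are assumptions about how a log shipper exports events; the sample events are constructed.

```python
"""Flag Windows event records consistent with Defender tampering.

Added example, not the cited source's or the tool's code. Each event is a flat
dict of the kind a log shipper exports; the field names (record_id, channel,
event_id, image, target_object, details, message) are assumptions, and the
sample events below are constructed.
"""
import re

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
POLICY_KEY = "hklm\\software\\policies\\microsoft\\windows defender\\"
SERVICES_KEY = "hklm\\system\\currentcontrolset\\services\\"
DEFENDER_SERVICES = {"windefend", "wdnissvc", "wdfilter"}  # services named in the record
SERVICE_DISABLED = 4  # SCM start type "Disabled"

# Sysmon renders a REG_DWORD value as "DWORD (0x00000004)".
_DWORD = re.compile(r"DWORD \(0x([0-9a-f]+)\)", re.I)
# Service Control Manager Event ID 7040 message text.
_START_TYPE = re.compile(
    r"start type of the (?P<svc>.+?) service was changed from .+? to (?P<new>[^.]+)",
    re.I,
)


def _dword(details):
    """Parse the numeric value out of a Sysmon DWORD rendering, or None."""
    m = _DWORD.search(details or "")
    return int(m.group(1), 16) if m else None


def check_sysmon_registry(event):
    """Sysmon Event ID 13 (RegistryEvent: SetValue)."""
    target = event.get("target_object", "")
    low = target.lower()
    value = _dword(event.get("details"))
    image = event.get("image", "?")
    if low.startswith(POLICY_KEY) and value == 1:
        # Any Disable* policy under the Defender key flipped to 1.
        name = target.rsplit("\\", 1)[-1]
        if name.lower().startswith("disable"):
            return f"Defender policy {name} set to 1 by {image}"
    if low.startswith(SERVICES_KEY) and low.endswith("\\start"):
        svc = low[len(SERVICES_KEY):].split("\\")[0]
        if svc in DEFENDER_SERVICES and value == SERVICE_DISABLED:
            return f"service {svc} start type set to 4 (disabled) by {image}"
    return None


def check_scm_start_type(event):
    """System log Event ID 7040 (Service Control Manager: start type changed)."""
    m = _START_TYPE.search(event.get("message", ""))
    if m and "defender" in m.group("svc").lower() \
            and m.group("new").strip().lower() == "disabled":
        return f"SCM: {m.group('svc')} start type changed to disabled"
    return None


def classify(event):
    """Return a reason string if the event looks like Defender tampering, else None."""
    if event.get("channel") == SYSMON_CHANNEL and event.get("event_id") == 13:
        return check_sysmon_registry(event)
    if event.get("channel") == "System" and event.get("event_id") == 7040:
        return check_scm_start_type(event)
    return None


def detect(events):
    """Return (record_id, reason) for every event that classify() flags."""
    findings = []
    for e in events:
        reason = classify(e)
        if reason:
            findings.append((e.get("record_id"), reason))
    return findings


# Constructed sample: four tampering events followed by two benign ones.
SAMPLE_EVENTS = [
    {"record_id": 1, "channel": SYSMON_CHANNEL, "event_id": 13,
     "image": "C:\\Users\\Public\\tool.exe",
     "target_object": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "details": "DWORD (0x00000001)"},
    {"record_id": 2, "channel": SYSMON_CHANNEL, "event_id": 13,
     "image": "C:\\Users\\Public\\tool.exe",
     "target_object": "HKLM\\System\\CurrentControlSet\\Services\\WinDefend\\Start",
     "details": "DWORD (0x00000004)"},
    {"record_id": 3, "channel": SYSMON_CHANNEL, "event_id": 13,
     "image": "C:\\Users\\Public\\tool.exe",
     "target_object": "HKLM\\System\\CurrentControlSet\\Services\\WdFilter\\Start",
     "details": "DWORD (0x00000004)"},
    {"record_id": 4, "channel": "System", "event_id": 7040,
     "message": "The start type of the Microsoft Defender Antivirus Service service "
                "was changed from auto start to disabled."},
    {"record_id": 5, "channel": SYSMON_CHANNEL, "event_id": 13,
     "image": "C:\\Windows\\System32\\services.exe",
     "target_object": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\Start",
     "details": "DWORD (0x00000004)"},
    {"record_id": 6, "channel": "System", "event_id": 7040,
     "message": "The start type of the Background Intelligent Transfer Service service "
                "was changed from demand start to auto start."},
]

if __name__ == "__main__":
    for rid, reason in detect(SAMPLE_EVENTS):
        print(rid, reason)
```

The policy check flags any Disable* value under the Defender policy key rather than an enumerated list, which generalizes past the single key named in the record; tune DEFENDER_SERVICES and the channel names to what your collector actually emits.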
This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.