Thursday, June 4, 2015

anti virus - Windows Defender: Disable real time; keep scheduled and on demand scanning


I just upgraded to Win 10 (RTM build). I have disabled the built in AV's (Defender) real time protection because I do not run it, never did and have never gotten a virus (and I've had a computer for 30 years).


I was able to disable real time scans by turning on the Group Policy's Disable Defender Policy. But this disables the application entirely. Is it possible to use this profile (which I used with Win 7's Security Essentials) with Win10 Defender:



  • Real time scan off

  • Scheduled scans (2AM) active

  • On demand (shell integration right
    click) scans active


?


Or do I have to install a 3rd party scanner? I already run MBAM Premium, MBAE and EMET (those are protecting in real time, as their impact on performance is minimum), but I would really like to avoid a 3rd party AV.


TIA


Answer



The "Turn off real-time protection" Group Policy setting, located under Computer Configuration\Administrative Templates\Windows Components\Windows Defender should do what you want.


In my system, however, the Antimalware Service Executable keeps spawning (and instantly closes) every 10 seconds or so when this policy is enabled. Very annoying, but still nothing compared to the more general system slow-down caused by scanning every file on your drive over and over again.


Keep an eye out for this related question of mine: How to disable signature-based detection without turning off other protections in Windows Defender. Something of interest might come out.




[Update] Using the above method will result in a log file growing constantly, located in C:\ProgramData\Microsoft\Windows Defender\Support, called MPLog-.log.
There's a way to prevent this from happening. Just set the following policies to Disabled, instead of the one I first mentioned i.e. leave that untouched:



  • Monitor file and program activity on your computer

  • Scan all downloaded files and attachments

  • Turn on behavior monitoring

  • Turn on network protection against exploits of known vulnerabilities *

  • Turn on raw volume write notifications *

  • Turn on Information Protection Control *


I'd advise against disabling the last 3 items (marked with an *), however. Their impact on performance is also minimum.


These policy settings can be found in the same location as the first one: Computer Configuration\Administrative Templates\Windows Components\Windows Defender.
Note: Some versions of Windows use the term "Endpoint Protection" instead of "Windows Defender".




If your edition of Windows does not come with the Group Policy Editor, setting some registry entries will do the trick. They are all located under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Real-Time Protection (create this key if it does not exist). Create the following DWORD (32-bit) entries and set them to 1:



  • DisableOnAccessProtection

  • DisableIOAVProtection

  • DisableBehaviorMonitoring

  • DisableIntrusionPreventionSystem *

  • DisableRawWriteNotification *

  • DisableInformationProtectionControl *


Again I recommend against disabling the last 3 items. Leave them as 0, or better yet, do not create entries for them.


A system restart is required after making these changes.


Just for completeness, the Registry entry for the "Turn off real-time protection" policy is called DisableRealtimeMonitoring.




[Update 2] An addendum: Malwarebytes Anti-Exploit (MBAE) is generally incompatible with the Microsoft Enhanced Mitigation Experience Toolkit (EMET). It even says so when installing it on an EMET-protected system. To see for yourself, download mbae-test.exe from here, add it to the list of EMET-protected apps, and try loading it with MBAE enabled.
(However, if you only use EMET to enforce system-wide rules - i.e. DEP and SEHOP - that's fine. It's only when launching an application protected by both solutions that you should expect trouble.)


No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...