Why is Windows 10 still blocking me from running malware?

[jcrosby10]

I am analyzing some malware on Windows 10. I installed FLARE VM, disabled tamper protection and disabled the virus scanner in the registry. However when I attempt to run a malware, Windows is still preventing me from running it. What am I missing to get this to work?

I disabled it by adding DisableAntiSpyware to HKLM/Software/Policies/Microsoft/Windows Defender and setting it to 1.

[mr-tz]

Unfortunately for us, this is hard to properly disable in newer Windows versions. We share our current best experience in the installation section https://github.com/mandiant/flare-vm#installation. However, this may take several attempts and reboots (it's good to test with the EICAR test virus). I've had the best results with the GPO modifications.

[keks411]

What worked for me several times is the following workflow:

1. Install Windows up to 21H2 (anything newer will result in malware still getting blocked, tried with mimikatz)
2. Run the script "Privacy over security > Disable Windows Defender" from https://privacy.sexy
3. Reboot and then upgrade to 22H2
4. Disable updates
5. Install flare

[chupocro]

Defender Control by Sordum Team can disable the Defender even on latest Windows 10 22H2. But the problem is #461

[R3P41RM4N]

The following walks you through disabling defender permanently for Windows 10.

Quick Steps:

Open Regedit (as user) -->go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

Right click and add a DWORD (32 bit) Value - name it "DisableAntiSpyware"

Right click new entry select modify; change hexidecimal from 0 to 1. Close regedit

Defender is permanently disabled.

Video Walkthrough below; Found on YouTube. This is not my video and all credit goes to the author. I have successfully integrated this process into the Windows 10 ISO provided by this repo

https://www.youtube.com/watch?v=KhzSBwhqX_w&t=85s

[legit4n6]

I'm not sure if this has been documented anywhere here yet (I did not see it).

I recently ran into this issue myself and was looking for a solution too. I did find one.

Note: Once this is configured this way, it cannot be undone because you will lose permission to modify the directory permissions

I found that disabling Windows Defender by adjusting the owner of the %programdata%\Microsoft\Windows Defender directory helped me with any prior issues I had with Defender still being enabled.

I found this tip from @OALabs on YouTube here: https://youtu.be/0eR8yrDLV5M?si=PgD8DhsbF6H6QN2O&t=675

Written instructions:

1. Take a snapshot of your VM in case you need to revert back - Note again: this cannot be undone except by reverting to a pervious snapshot
2. Open System Configuration on your VM (prior to FlareVM install most likely) - msconfig
3. Navigate to the Boot tab
4. Enable Safe Boot
5. Click Apply + OK, and restart your system
6. Boot into Safe Mode
7. Open File explorer
8. Navigate to %programdata%\Microsoft
9. Locate the Windows Defender directory
10. Right-click on the directory, and select Properties
11. Navigate to the Security tab
12. Click Advanced at the bottom of the Security tab
13. By Owner click Change
14. Then click Advanced
15. Then click Find Now
16. Locate the Name Administrator, click OK
17. Ensure you click Replace all child object permission entries with inheritable permission entries from this object at the bottom first
18. Then, in the Permissions section, remove all the accounts. This ensures the SYSTEM and Administrators cannot access the Windows Defender Directory which effectively disables Defender
19. Click OK on all the popups... I had some permissions errors but they can just be ignored it seems
20. Open up msconfig, Boot tab again, disable Safe boot, and restart the system.
21. Defender should be permanently disabled
22. Take another snapshot of your VM in case you need to revert back

Note: I tried this on a Windows 11 and 10 VM. It works on both, but installing FlareVM on Win11 with the current version of the script has a lot of bugs.

Hope this helps!