From f10206c8aae0c904310c0f690cf12409acb339c8 Mon Sep 17 00:00:00 2001 From: qtkite Date: Mon, 7 Jun 2021 05:21:28 +1000 Subject: [PATCH] tamper protection subheading --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 6d3d97d..ae4c16b 100644 --- a/README.md +++ b/README.md @@ -319,6 +319,8 @@ lpValueName: DisableRealtimeMonitoring To enable the AV, we just do the opposite of what we needed to disable the AV. +## Windows Tamper Protection + But theres, a catch. In a newer recent windows update - you can no longer disable the defender via registries. Well, our program runs completely in usermode, so there must be another way its making these registry changes - most likely through the powershell command Set-MpPreference if we do some research into changing the registry. So we will need to take a peek into the wmic api it accesses. Luckily for us, all this stuff is documented. Check out these two links: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps
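Review bot: The new `## Windows Tamper Protection` heading in the `@@ -319,6 +319,8 @@` hunk is not referenced by the paragraph that follows it, which never names tamper protection and only says "In a newer recent windows update - you can no longer disable the defender via registries", so a reader cannot tell what the section title refers to; consider opening the new section with one sentence that names the feature and ties it to that observation (for example, that the registry keys listed above are now guarded and the documented `Set-MpPreference` path is where the behaviour is described). While this region of README.md is being edited, the surrounding context lines carry typos that could go in the same commit: `But theres, a catch.` should read `But there's a catch.`, `windows update` should be `Windows update`, and `its making these registry changes` should be `it's making these registry changes`.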