Simple Methods to Spot Disabled Antivirus (Windows Defender) on Windows Systems
Background:
During incident response, it’s not always the case that advanced, highly sophisticated AV bypass techniques are used. Sometimes, attackers rely on simple, out-of-the-box methods to evade detection, such as excluding their tools using legitimate features or disabling your antivirus through readily available means. In this example, we will focus specifically on Microsoft Defender.
Methods of detection:
One method is to disable the antivirus through Group Policy settings. When this happens, Windows writes the policy change to C:\Windows\System32\GroupPolicy\Machine\Registry.pol, leaving a trace of the action.
Monitoring these files is extremely important for forensic investigations.
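As an added example (not part of the original article), a small Python parser for the Registry.pol format that flags the documented Defender policy values used to switch protection off, so a copy of the file pulled from a disk image can be checked offline. The DisableAntiSpyware and DisableRealtimeMonitoring value names are real Defender policy settings; the sample file the block parses is constructed.

```python
import struct

REG_DWORD = 4
# Documented Defender policy values that switch protection off (compared case-insensitively).
DEFENDER_POLICY = "software\\policies\\microsoft\\windows defender"
WATCHED = {(DEFENDER_POLICY, "disableantispyware"),
           (DEFENDER_POLICY + "\\real-time protection", "disablerealtimemonitoring")}

def _w(s):  # Registry.pol stores all text, including the [ ; ] delimiters, as UTF-16LE
    return s.encode("utf-16-le")
def _read_wstr(buf, pos):  # NUL-terminated UTF-16LE string -> (text, offset after the NUL)
    end = pos
    while end < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    if end >= len(buf):
        raise ValueError(f"unterminated string at offset {pos}")
    return buf[pos:end].decode("utf-16-le"), end + 2
def _expect(buf, pos, ch):  # consume one delimiter character, failing loudly on corruption
    if buf[pos:pos + 2] != _w(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2
def parse_registry_pol(buf):  # yield (key, value, reg_type, data) per [key;value;type;size;data]
    if buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a version-1 Registry.pol file")
    pos = 8
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        reg_type = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        pos = _expect(buf, pos + size, "]")
        yield key, value, reg_type, data
def defender_disable_findings(buf):  # [(key, value, dword)] for watched policies set to non-zero
    return [(k, v, struct.unpack("<I", d)[0]) for k, v, t, d in parse_registry_pol(buf)
            if (k.lower(), v.lower()) in WATCHED and t == REG_DWORD and len(d) == 4 and d != bytes(4)]
def build_entry(key, value, reg_type, data):  # encoder, used here only to construct the sample
    return (_w("[") + _w(key + "\x00") + _w(";") + _w(value + "\x00") + _w(";")
            + struct.pack("<I", reg_type) + _w(";") + struct.pack("<I", len(data)) + _w(";") + data + _w("]"))
# Constructed sample: one policy entry that disables Defender plus one unrelated setting.
SAMPLE_POL = (b"PReg" + struct.pack("<I", 1)
              + build_entry("SOFTWARE\\Policies\\Microsoft\\Windows Defender", "DisableAntiSpyware",
                            REG_DWORD, struct.pack("<I", 1))
              + build_entry("SOFTWARE\\Policies\\Microsoft\\Windows\\System", "EnableSmartScreen",
                            REG_DWORD, struct.pack("<I", 1)))
```

Point `defender_disable_findings` at the bytes of a real Registry.pol to list the Defender-disabling policies it contains; an empty list means none of the watched values are set.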
Another method is to monitor the changes that occur when Microsoft Defender is disabled via PowerShell. During this interaction, services.exe modifies the registry value HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv\Start. The WdNisDrv service entry belongs to Windows Defender.

Another method used by attackers is to add their malicious files or folders to the exclusion list through the Windows Defender user interface (UI). These interactions are easily detectable in the event logs, because any scenario involving exclusions results in the system writing to the HKLM\Software\Microsoft\Windows Defender\Exclusions registry key. Whether exclusions are added through the UI or written directly to the registry, this key is the final destination, so monitoring it covers both routes.

In some cases, Windows systems may temporarily exclude certain paths that are not visible in the Defender UI. These exclusions are often used to install Windows Defender updates.
The relevant registry path is HKLM\Software\Microsoft\Windows Defender\Exclusions\TemporaryPaths.

Conclusion:
While attackers may sometimes employ advanced techniques to bypass antivirus protection, many rely on simple, easily detectable methods to evade Microsoft Defender. By monitoring group policy changes, PowerShell interactions, registry modifications, and exclusions—both visible and hidden—incident responders can identify signs of tampering or attempted evasion. Vigilant oversight of these straightforward indicators remains essential for effective detection and response.
