I attempted to disable real-time monitoring of Windows Defender by running the command "Set-MpPreference -DisableRealtimeMonitoring $true" in PowerShell as an administrator, but I still couldn’t execute the script “Get-TSLsaSecret.” When I tried to run it, I received the error message: “This script contains malicious content and has been blocked by your antivirus software.”
I was able to successfully run the script after manually turning off Windows Defender’s real-time protection in Windows Settings, but it is unclear why the command did not work as intended.
3 Answers
Introduction
Windows Defender is a built-in antivirus software that comes with Windows 10. It is designed to protect your computer from malware, viruses, and other security threats. Windows Defender provides real-time protection, which means that it continuously monitors your computer for any suspicious activity and takes action if necessary. However, there may be situations where you need to disable Windows Defender’s real-time monitoring, such as when you want to run a script or install a program that is being blocked by the antivirus software. In this blog post, we will discuss how to disable real-time monitoring of Windows Defender.
Method 1: Using PowerShell
One way to disable real-time monitoring of Windows Defender is to use PowerShell. Here are the steps to follow:
1. Open PowerShell as an administrator. You can do this by right-clicking on the Windows Start menu and selecting “Windows PowerShell (Admin).”
2. Type the following command: Set-MpPreference -DisableRealtimeMonitoring $true
3. Press Enter to run the command.
4. Once the command has been executed, Windows Defender’s real-time monitoring will be disabled.
However, there may be situations where this method does not work as intended. For example, you may encounter an error message when trying to run a script that is being blocked by Windows Defender. In such cases, you may need to try the next method.
Method 2: Turning off Real-Time Protection in Windows Settings
Another way to disable real-time monitoring of Windows Defender is to turn off real-time protection in Windows Settings. Here are the steps to follow:
1. Click on the Windows Start menu and select “Settings.”
2. Click on “Update & Security.”
3. Click on “Windows Security” in the left-hand menu.
4. Click on “Virus & threat protection.”
5. Click on “Manage settings” under “Virus & threat protection settings.”
6. Toggle the switch for “Real-time protection” to the off position.
7. Once real-time protection has been turned off, you can run the script or install the program that was being blocked by Windows Defender.
It is important to note that turning off real-time protection may leave your computer vulnerable to security threats. Therefore, it is recommended that you turn real-time protection back on once you have completed the task that required it to be turned off.
Method 3: Disabling Windows Defender using Group Policy
If you want to disable Windows Defender permanently, you can do so using Group Policy. Here are the steps to follow:
1. Press the Windows key + R to open the Run dialog box.
2. Type “gpedit.msc” and press Enter to open the Local Group Policy Editor.
3. Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus.
4. Double-click on “Turn off Windows Defender Antivirus.”
5. Select the “Enabled” option.
6. Click on “Apply” and then “OK.”
7. Once this policy is enabled, Windows Defender will be disabled permanently.
It is important to note that disabling Windows Defender permanently may leave your computer vulnerable to security threats. Therefore, it is recommended that you use this method only if you have another antivirus software installed on your computer.
Method 4: Disabling Windows Defender using the Registry Editor
Another way to disable Windows Defender permanently is to use the Registry Editor. Here are the steps to follow:
1. Press the Windows key + R to open the Run dialog box.
2. Type “regedit” and press Enter to open the Registry Editor.
3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender.
4. Right-click on the Windows Defender folder and select “New” > “DWORD (32-bit) Value.”
5. Name the new value “DisableAntiSpyware.”
6. Double-click on the new value and set the value data to “1.”
7. Click on “OK.”
8. Once this value has been set to “1,” Windows Defender will be disabled permanently.
It is important to note that disabling Windows Defender permanently may leave your computer vulnerable to security threats. Therefore, it is recommended that you use this method only if you have another antivirus software installed on your computer.
Method 5: Disabling Windows Defender using a Third-Party Tool
There are several third-party tools available that can disable Windows Defender. These tools are designed to make it easy for users to turn off Windows Defender without having to go through the steps outlined in the previous methods. However, it is important to be cautious when using third-party tools, as some of them may contain malware or other security threats.
If you decide to use a third-party tool to disable Windows Defender, make sure to download it from a reputable source and scan it for viruses before running it on your computer.
Conclusion
In this blog post, we discussed how to disable real-time monitoring of Windows Defender. We outlined five different methods that you can use to turn off Windows Defender, depending on your needs. However, it is important to note that disabling Windows Defender may leave your computer vulnerable to security threats. Therefore, it is recommended that you use these methods only if you have another antivirus software installed on your computer.
It is possible that the command “Set-MpPreference -DisableRealtimeMonitoring $true” is not working as intended because Windows Defender may have been configured to ignore it. The error message you received about the script containing malicious content suggests that Windows Defender is still actively monitoring and blocking potentially harmful scripts.
To disable real-time monitoring in Windows Defender, you can go to the Windows Security settings in the Windows Settings app, and toggle off the “Real-time protection” option. This should allow you to run the script without any issues.
Here are a few additional tips for disabling real-time monitoring in Windows Defender:
- You can also disable real-time protection by disabling the Windows Defender Antivirus service. Go to the Services app (search for it in the Start menu) and look for the “Windows Defender Antivirus Service” and stop the service.
- If you want to disable real-time protection for a specific period of time, you can use the “Windows Security” app to turn it off temporarily. This can be useful if you need to run a program or script that Windows Defender would normally block.
- If you don’t want to disable real-time monitoring completely, you can add an exclusion for the specific script or program that you are trying to run. This will allow the script or program to run without being blocked by Windows Defender.
- You can also consider using third-party antivirus software that allows you to disable the real-time protection or configure the exclusions.
- Remember to turn real-time protection back on after you are done with the task that required disabling it.
Please note that disabling real-time protection can make your computer more vulnerable to malware and other security threats, so make sure to only do it when you are sure that you need to run a specific script or program.
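The two answers above describe six different ways Defender's real-time protection can end up off on a host (the Set-MpPreference cmdlet, the Settings toggle, the Group Policy setting, the DisableAntiSpyware registry value, stopping the service, and per-path exclusions), and the question itself shows the cmdlet silently having no effect. The audit script below is an added example, not code from either answer or from Microsoft: it reports which of those states is present on the local machine so an administrator or responder can explain a "why did the cmdlet not work" situation (the usual cause is Tamper Protection, visible as IsTamperProtected) and spot unexpected tampering. It uses only the built-in Defender cmdlets (Get-MpComputerStatus, Get-MpPreference), the WinDefend service, the policy registry key named in Method 4, and the Defender Operational event log. The Real-Time Protection policy subkey and the event IDs (5001, 5007, 1116) are taken from Microsoft's Defender documentation rather than from this page; the IsTamperProtected property only exists on Windows 10 1903 and later. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original answers): report the Defender state
# changes described on this page so they can be reviewed or investigated.
# Assumes an elevated session with the built-in Defender module available.

function Get-DefenderTamperReport {
    [CmdletBinding()]
    param()

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Is real-time protection actually off? (the state the Settings toggle changes)
    if (-not $status.RealTimeProtectionEnabled) {
        $findings.Add('Real-time protection is OFF (RealTimeProtectionEnabled = False)')
    }

    # 2. Tamper Protection: while it is on, Set-MpPreference -DisableRealtimeMonitoring
    #    is ignored, which is the usual reason the cmdlet in the question "did nothing".
    if ($status.IsTamperProtected) {
        $findings.Add('Tamper Protection is ON: Set-MpPreference cannot disable real-time monitoring')
    }

    # 3. Preference set through the cmdlet (Method 1)
    if ($pref.DisableRealtimeMonitoring) {
        $findings.Add('DisableRealtimeMonitoring preference is True')
    }

    # 4. Policy values written by Group Policy (Method 3) or by hand in regedit (Method 4)
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $v = Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    if ($v -and $v.DisableAntiSpyware -eq 1) {
        $findings.Add("$policyKey\DisableAntiSpyware = 1 (Defender disabled by policy)")
    }
    $rtpKey = Join-Path $policyKey 'Real-Time Protection'   # documented policy subkey, not on this page
    $v = Get-ItemProperty -Path $rtpKey -Name DisableRealtimeMonitoring -ErrorAction SilentlyContinue
    if ($v -and $v.DisableRealtimeMonitoring -eq 1) {
        $findings.Add("$rtpKey\DisableRealtimeMonitoring = 1 (real-time protection disabled by policy)")
    }

    # 5. Service stopped (the tip in the second answer); service name is WinDefend
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        $findings.Add('WinDefend (Microsoft Defender Antivirus Service) is not running')
    }

    # 6. Exclusions: every entry is a blind spot, so list them for review
    foreach ($p in @($pref.ExclusionPath      | Where-Object { $_ })) { $findings.Add("Path exclusion: $p") }
    foreach ($p in @($pref.ExclusionProcess   | Where-Object { $_ })) { $findings.Add("Process exclusion: $p") }
    foreach ($e in @($pref.ExclusionExtension | Where-Object { $_ })) { $findings.Add("Extension exclusion: $e") }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtection   = $status.IsTamperProtected
        AntivirusEnabled   = $status.AntivirusEnabled
        Findings           = $findings
    }
}

# Defender's own log records these changes; pull the relevant events for a timeline.
# 5001 = real-time protection disabled, 5007 = configuration changed,
# 1116 = threat detected (what the blocked script in the question would produce).
function Get-DefenderChangeEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007, 1116
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Usage
$report = Get-DefenderTamperReport
$report | Select-Object Computer, RealTimeProtection, TamperProtection, AntivirusEnabled | Format-List
$report.Findings | ForEach-Object { Write-Output " - $_" }
Get-DefenderChangeEvents -Hours 24 | Format-Table -AutoSize
```

If the report shows TamperProtection = True together with RealTimeProtection = True after the cmdlet was run, the cmdlet was blocked by Tamper Protection rather than ignored for any other reason, which matches the behaviour in the question; the matching 5007 or 5001 event gives the time and the account responsible when the Settings toggle or a policy change was used instead.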
Windows Defender blocks the script “Get-TSLsaSecret” because it accesses a sensitive area of Windows known as LSA secrets. These LSA Private Data are stored in the registry key “HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets” and contain sensitive information such as passwords for system services and user account information.
Because this information is vulnerable to hacking, access to this key is strictly controlled and even administrators cannot access it. For a forensic treatment, see the article “Use PowerShell to Decrypt LSA Secrets from the Registry.”
Windows Defender will protect against any attempts to access this key and may even delete scripts that attempt to hack the LSA. As a result, in order to use this script, it is necessary to deactivate Windows Defender. If Windows Defender is reactivated, the script may be quarantined and will need to be restored.