❌️ Defender Remover / Defender Disabler
❓️ What does the app do?
This application removes / disables Windows Defender, including the Windows Security App, Windows Virtualization-Based Security (VBS), Windows SmartScreen, Windows Security Services, Windows Web-Threat Service, Windows File Virtualization (UAC), Microsoft Defender App Guard, Microsoft Driver Block List, System Mitigations and the Windows Defender page in the Settings App on Windows 10 or later.
❓️ What components are removing?
Removing Security Components
This script removes/disables following security components:
- support for Windows Security Center including Windows Security Center Service (wscsvc), Windows Security Service (SgrmBroker, Sgrm Drivers) which are needed to run Windows Security App.
- virtualization support.
- Hypervisor startup (this fixes disablation of Virtualization Based Security, this will auto enable if you use Hyper-V and/or WSL (Windows Subsystem for Linux), WSA (Windows Subsystem for Android))
- LUA (disables File Virtualization and User Account Control, which will run all apps as administrator priviliges (also fixes old app errors))
- Exploit Guard (something about Exploits)
- Windows Smart Control
- Tamper Protection (for Windows 11 21H2 or earlier)
- SecHealthUI (Windows Security UWP App)
- SmartScreen
- Pluton Support and Pluton Services Support
- System Mitigations
- "Services Mitigations" (search on admx.help for more informations, its policy)
- Spectre and Meltdown Mitigation (for get +30% performance on old Intel CPUs)
- Windows Security Section from Settings App.
Removing Antivirus Components
This script forcily removes following antivirus components:
- Windows Defender Definition Update List (this will disable updating definitions of Defender because its removed)
- Windows Defender SpyNet Telemetry
- Antivirus Service
- Windows Defender Antivirus filter and windows defender rootkit scanner drivers
- Antivirus Scanning Tasks
- Shell Associations (Context Menu)
- Hides Antivirus Protection section from Windows Security App.
📃 Instructions
Note
A system restore point is recommended before you run the script. (if you don’t know what are you doing)
- Download the packed script from Releases
- Run the «.exe» as administrator
- Follow the instructions displayed
OR
you can use git
git clone https://github.com/ionuttbara/windows-defender-remover.git
cd windows-defender-remover
Script_Run.bat
OR
you can use download entire source code
- Download the source code from Releases.
- Choose the file Source Code(.zip) from last version and download it.
- Unarchive the file into a folder and run the Script_Run.bat.
You can file an issue if you experience any problems.
📃 Automation of the script
You can remove Defender with arguments.
Removing
# Removal Defender.Remover.exe /r <# or /R #>
Disable or Remove Windows Defender Application Guard Policies (advanced)
If you have any problems when opening an app (extremely rare) and get the message «The app can not run because Device Guard» or «Windows Defender Application Guard Blocked this app», you have to remove 4 files with the same name, from different locations.
- In EFI Partition
Remove-Item -LiteralPath "$((Get-Partition | ? IsSystem).AccessPaths[0])Microsoft\Boot\WiSiPolicy.p7b"
- In Code Integrity Folder
Remove-Item -LiteralPath "$env:windir\System32\CodeIntegrity\WiSiPolicy.p7b"
- In Windows Folder
Remove-Item -LiteralPath "$env:windir\Boot\EFI\wisipolicy.p7b"
- In WinSxS Folder
Remove-Item -Path "$env:windir\WinSxS" -Include *winsipolicy.p7b* -Recurse
Creating an ISO with Windows Defender and Services disabled
You can create an ISO with Windoows Defender and Security Services Disabled. It’s easy, so this is a fiie which it can helps you.
Here are the rules:
- Mount the ISO and extract it into location.
- Open the sources folder and create the $OEM$ folder. (this is needed to run the DefenderRemover part in OOBE).
- Open the $OEM$ folder and create the folder with $$ name.
- Open the $$ folder and create the folder with Panther name.
- Open the Panther folder.
The path it shown like to
*%location of extracted ISO%\sources$OEM$$$\Panther* - Download the unnatended.xml file from repo in ISO_Maker folder and put it in Panther folder.
- Save this as bootable ISO. (for now the script can’t do this automaticly, but it will do in next version).
❓ Frequently Asked Questions
⭕ How to remove Windows Security Center / Windows SecurityApp from PC without downloading Script?
Paste this code into a powershell file and after Run as Administrator.
$remove_appx = @("SecHealthUI"); $provisioned = get-appxprovisionedpackage -online; $appxpackage = get-appxpackage -allusers; $eol = @()
$store = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore'
$users = @('S-1-5-18'); if (test-path $store) {$users += $((dir $store -ea 0 |where {$_ -like '*S-1-5-21*'}).PSChildName)}
foreach ($choice in $remove_appx) { if ('' -eq $choice.Trim()) {continue}
foreach ($appx in $($provisioned |where {$_.PackageName -like "*$choice*"})) {
$next = !1; foreach ($no in $skip) {if ($appx.PackageName -like "*$no*") {$next = !0}} ; if ($next) {continue}
$PackageName = $appx.PackageName; $PackageFamilyName = ($appxpackage |where {$_.Name -eq $appx.DisplayName}).PackageFamilyName
ni "$store\Deprovisioned\$PackageFamilyName" -force >''; $PackageFamilyName
foreach ($sid in $users) {ni "$store\EndOfLife\$sid\$PackageName" -force >''} ; $eol += $PackageName
dism /online /set-nonremovableapppolicy /packagefamily:$PackageFamilyName /nonremovable:0 >''
remove-appxprovisionedpackage -packagename $PackageName -online -allusers >''
}
foreach ($appx in $($appxpackage |where {$_.PackageFullName -like "*$choice*"})) {
$next = !1; foreach ($no in $skip) {if ($appx.PackageFullName -like "*$no*") {$next = !0}} ; if ($next) {continue}
$PackageFullName = $appx.PackageFullName;
ni "$store\Deprovisioned\$appx.PackageFamilyName" -force >''; $PackageFullName
foreach ($sid in $users) {ni "$store\EndOfLife\$sid\$PackageFullName" -force >''} ; $eol += $PackageFullName
dism /online /set-nonremovableapppolicy /packagefamily:$PackageFamilyName /nonremovable:0 >''
remove-appxpackage -package $PackageFullName -allusers >''
}
}
⭕ Why is the downloaded executable being flagged as a virus?
That is a false positive.
Some security apps flag this app as a virus because of the way the «.exe» files are created. Download with git or source code .zip will indicate virus-free.
Starting with Defender 12.6.x , some versions are considered as virus, some are not (its a bug from me, so do not file for this).
⭕ Why is the patch not working when Windows is updated?
Windows Update includes a Intelligence Update which blocks certain actions and modifies Windows Defender/Security policies.
If the script is not working for you, check if you have the Windows Security Intelligence Update installed. If you do, disable tamper protection, and re-run the script.
⭕ How to use the package remover without downloading the executable from the release?
Run the desired «.bat» file from cmd with PowerRun (by dragging to the executable). You must reboot for the changes to take effect.
⭕ How to disable VBS if the removal script does not work
Disable with this command and reboot.
bcdedit /set hypervisorlaunchtype off
Defender Control
Open source windows defender disabler.
Now you can disable windows defender permanently!
Tested from Windows 10 20H2.
What is this project?
We all know that disabling windefender is very difficult since microsoft is constantly enforcing changes.
The first solution is to install an anti-virus — but thats not the point if we are trying to disable it!
The next easiest solution is to use freeware thats already available on the internet — but none of them are native & open source…
I like open source, so I made a safe to use open source defender control.
On windows updates / Windows 11
Sometimes windows decides to update and turn itself back on.
A common issue is that defender control sometimes doesn’t want to disable tamper protection again.
Please try turning off tamper protection manually then running disable-defender.exe again before posting an issue.
What does it do?
- It gains TrustedInstaller permissions
- It will disable windefender services + smartscreen
- It will disable anti-tamper protection
- It will disable all relevant registries + wmi settings
Is it safe?
Yes it is safe, feel free to review the code in the repository yourself.
Anti-virus & other programs might flag this as malicious since it disables defender — but feel free to compile it using visual studio.
Compiling
Open the project using visual studio 2022 preview.
Set the build to Release and x64.
Change the build type you want in settings.hpp.
Compile.
Demo
Release
You can find the first release over at the releases on the right.
Or alternatively click here.
Windows 11
Works for earlier versions of Windows 11. Correct registries have not been added yet for the latest version.
Update, Trusted Installer no longer has effect on the current live versions of Windows 11. Use with caution.
Defender Control (DefControl)
📌 Overview
Defender Control is a lightweight and portable tool that allows you to completely disable or re-enable Windows Defender with a single click. This is useful for users who need full control over their system, especially when using third-party security tools or optimizing performance.
🚀 Features
- ✅ Disable Windows Defender with one click
- ✅ Prevents Defender from automatically re-enabling
- ✅ Lightweight and portable (no installation required)
- ✅ Works on Windows 10 & 11
- ✅ Quick and easy to use
🛠️ How to Use
Disable Windows Defender
- Run
DefenderControl.exeas Administrator - Click «Disable Windows Defender»
- ✅ Done! Windows Defender is now turned off.
Re-enable Windows Defender
- Open Defender Control
- Click «Enable Windows Defender»
- 🔄 Windows Defender is now restored.
Check Defender Status
- Green = Enabled
- Red = Disabled
- Orange = Defender is running but partially disabled
❗ Important Notes
- Windows Updates may re-enable Defender—reapply if needed.
- Some security software may conflict with Defender Control.
- This tool only disables Defender and does not remove it.
💡 Disclaimer
This tool is for educational purposes only. Use at your own risk. Disabling Defender may expose your system to security risks.
Способов удалять телеметрию есть много, я обычно просто штатно отключаю при установке то, что дают выключить и не парюсь; в сети есть проекты, вычищающие глубокие хвосты.
С Защитником тоже опробовано много способов борьбы. Защитник с каждой версией становится все более устойчивым к попыткам себя отключить. На старых процессорах Intel (там где программным образом Microsoft пробует устранить уязвимости Intel Spectre и Meltdown) производительность процессора в Windows 11 падает до 30%! Как это безобразие отключить? Никакие методы с сайта Microsoft этого не позволят добиться.
В комментариях тут на Хабре мне писали варианты скриптов, которые у кого-то срабатывают. Но проверив на свежих виртуалках массу решений, большинство из скриптов блокируются Защитником сразу после сохранения файла, остальные не выполняют своей задачи.
По итогам тестирования мной также признаны неработоспособными способы отключения Защитника через ProductPolicy и редактирование MUM файла, описывающего компоненты входящие в издание ОС, так как так или иначе, при перезагрузке или обновлении Защитник возвращается в строй. Встроенные групповые политики (и локальные политики через gpedit.msc) позволяли его отключить в Windows 10, но в Windows 11 встроено значительно больше функций защиты, их нужно отключать более грубо вручную.
Итогом после мозгового штурма на форумах MyDigitalLife я для себя посчитал приемлемым открытое решение ionuttbara/windows-defender-remover (github.com).
Оно есть в исходном коде, если вы желаете посмотреть содержимое, или вы можете загрузить скрипт при помощи Git:
git clone https://github.com/ionuttbara/windows-defender-remover.git
cd windows-defender-remover
Script_Run.bat
Ну а тем, кто далек от разработки предлагается подписанный исполняемый модуль. Встроенный в браузер Edge функционал Defender в зависимости от настроек ОС может предупредить о том, что скачиваемый файл небезопасен:
Но вы все равно сможете его сохранить.
Для небольшого процента систем, где администраторы заранее настроили жесткие политики Windows Defender Application Control вы можете получать сообщение о том, что сохраненное приложение при запуске заблокировано в Device Guard или Application Control. Это можно решить, удалив один и тот же файл в четырех местах (из под администратора в PowerShell:
Remove-Item -LiteralPath «$((Get-Partition | ? IsSystem).AccessPaths[0])Microsoft\Boot\WiSiPolicy.p7b»
Remove-Item -LiteralPath «$env:windir\System32\CodeIntegrity\WiSiPolicy.p7b»
Remove-Item -LiteralPath «$env:windir\Boot\EFI\wisipolicy.p7b»
Remove-Item -Path «$env:windir\WinSxS» -Include *winsipolicy.p7b* -Recurse
В самых редких случаях, когда удаление блокируется Virtualization Based Security (VBS) политиками, придется для начала их отключить командой
bcdedit /set hypervisorlaunchtype off
Когда вы успешно запустите DefenderRemover, вам будет задан вопрос — удалить Защитник со всеми компонентами безопасности (Y), удалить только защитник (A) или только убрать предупреждения (S):
При выборе (А) или (Y) будут отключены и удалены следующие компоненты антивируса:
- список определений (это отключит получение обновлений с Windows Update)
- Телеметрию Windows Defender SpyNet
- Службу антивируса
- Фильтр антивируса и сканер руткит драйверов
- запланированные задания антивируса
- ассоциации меню
- спрячет секцию антивирусной защиты из Центра Безопасности
При выборе (S) или (Y) будут отключены следующие компоненты безопасности:
- Поддержка Центр Безопасности (Windows Security Center) (службы wscsvc, SgrmBroker, драйверы Sgrm)
- Поддержка безопасности виртуализации (VBS, LUA, Exploit Guard, Windows Smart Control, Tamper Protection)
- SecHealthUI (UWP приложение)
- SmartScreen
- Поддержка Pluton и его служб
- Дополнительные настройки безопасности (важно на старых процессорах Intel, дает +30% производительности, так как по умолчанию были отключены уязвимости процессора Spectre и Meltdown)
Никаких другие компоненты ОС не трогаются. В том числе Windows Firewall, он же брандмауэр Защитника Windows остается в системе, — его как и раньше можно просто выключить в консоли, если не требуется.
Предусмотрена возможность интегрировать удаление Защитника в процесс установки ОС. Подробнее в первоисточнике.
Там же есть пример PowerShell кода, удаляющего Центр Безопасности из панели Настроек:
Если до удаления оно выглядит в Настройках так:
То после выполнения скрипта остается лишь:
Система стала ощутимо шустрее. Установка обновлений ОС не приводит к возврату Защитника:
Имею самую последнюю версию в итоге:
Специально для примера выбирал Windows 11 SE (она же CloudEdition), как наиболее тесно интегрированную с Защитником. Если вы хотите о нем забыть, — дело пары минут. Это не означает, что вам не нужен антивирус. Установите его после самостоятельно на свой вкус и настройте, в зависимости от профиля работы на ПК.
Как мне сообщают в комментариях, если у вас включен Контроль Учетных Записей (User Account Control), то при выполнении программы будут сложности под неадминистративным пользователем — не будет запроса о повышении привилегий, и запуска чего-либо под администратором. Исправляется легко, — зайдите под Администратором, отключите контроль учетных записей, перезагрузитесь. Если он нужен, после перезагрузки верните его назад. Сам функционал не удаляется, в Windows 10 сбрасываются флаги вызова повышения привилегий.
Я на этом завершаю, всем удачи, ставьте лайк, задавайте вопросы, отвечу. Так же веду свой канал тг, там много крутой и полезной инфы про сервисы и нейросети!
A GitHub project that disables Windows Defender and firewall is generating buzz among cybersecurity researchers.
Will Dormann, a senior vulnerability analyst at Vul Labs, posted about the GitHub project on a Mastodon cybersecurity instance.
“Somebody figured out the secret technique that 3rd-party AV uses to disable Microsoft Defender so that they themselves can run without interference,” Dormann wrote. “This tool uses this technique to install a null AV product, thus having the effect of simply disabling Microsoft Defender.”
Dormann included a screen recording of the tool in action, and it appears to work effectively (screenshot below).
The GitHub project, simply called “No Defender,” is billed as “A fun way to disable windows defender + firewall.”
In a note on the project, repository owner “es3n1n” said they essentially reverse-engineered the API that antivirus vendors use to disable Windows Defender.
Your browser does not support the video tag.
“There’s a WSC (Windows Security Center) service in Windows which is used by antiviruses to let Windows know that there’s some other antivirus in the hood and it should disable Windows Defender,” the note states.
“This WSC API is undocumented and furthermore requires people to sign an NDA with Microsoft to get its documentation, so I decided to take an interesting approach for such a thing and used an already existing antivirus called Avast. This AV engine includes a so-called wsc_proxy.exe service, which essentially sets up the WSC API for Avast. With a little bit of reverse engineering, I turned this service into a service that could add my own stuff there.”
One limitation noted by es3n1n is that “to keep this WSC stuff even after reboot, no-defender adds itself (not really itself but rather Avast’s module) to the autorun. Thus, you would need to keep the no-defender binaries on your disk.”
Windows Defender Bypass Requires Admin Privileges
EDR (endpoint detection and response) and antivirus software bypasses aren’t uncommon, as hackers and researchers alike have found ways to disable security defenses.
Security researchers and testers often turn off security defenses in the course of research and testing, so such tools have legitimate uses too. As one commenter noted on the ycombinator Hacker News feed, “Defender is a real irritant when doing security research and is near impossible to turn off completely and permanently. Even using the Group Policy Editor or regedits is not reliable. If you do get it to stop, it will randomly reenable itself weeks later…For the vast majority of people this is a good thing!”
Dormann noted that elevated admin privileges are all that’s required to run the No Defender tool, so Windows users have yet another reason not to run Windows as an admin. “If you don’t log in to Windows as an admin, as we security-conscious people do, then you won’t have as much to worry about,” Dormann wrote.
One Mastodon commenter saw the GitHub tool as an Avast flaw rather than Microsoft’s, noting that “it requires an executable signed with AuthentiCode SigningLevel 7 (“Signed by an Antimalware vendor whose product is using AMPPL”).
“I see this more as a vulnerability of the Avast wsc_proxy.exe component misused here that allows untrusted/unsigned code to interact with it,” said the commenter, who goes by the handle “faebudo.”
The Cyber Express reached out to Microsoft and Avast for comment and will update this article with any response. But Dormann told The Cyber Express the issue is “more of a novelty than a vulnerability per se. Admin-privileged users can do admin things. Which includes reconfiguring the system they’re on. Including kernel-level access.”
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.