Windows Defender - Add Exclusions Folder Programmatically

I checked various keyloggers for research purposes and came across Refog:

https://www.refog.com/keylogger/

This program could catch many system events, but what really caught my attention was something else. The program created a hidden folder named Mpk, path C:\Windows\SysWOW64\Mpk. It was marked as a folder with operating system files, because it was not visible until I checked "Hide protected operating system files (recommended)". I think this can be done using the attrib command, for example attrib +s +h "C:\Windows\SysWOW64\Mpk", so that is nothing revolutionary.


However, they also added an exception to Windows Defender for this folder. How can they do this programmatically? I am using Windows 10 Pro x64.


+7

5 answers

After some digging, I found the following folder:

 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths 

I cannot add the key with my user. I get the following error: Cannot create key: You do not have the requisite permissions to create a new key under Paths

However, SYSTEM, WinDefend and TrustedInstaller have full access. It's best to assume that they used something like DevxExec (devxexec.exe /user:TrustedInstaller cmd) and wrote the key into the registry.


+5
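The registry location found in the answer above is also the place a defender looks when auditing a host. The following is an added example, not code from the original answer: it enumerates the exclusions stored under that key, flags excluded folders that carry the hidden+system attributes described in the question, compares the registry contents with what Get-MpPreference reports as effective, and pulls the configuration-change events Defender writes to its operational log (Event ID 5007). The 30-day window and the output layout are choices made for this example; on current builds, reading the Exclusions keys may itself require an elevated shell.

```powershell
# Added example (not part of the original thread): audit Defender exclusions on a host.
# Reading the Exclusions keys may require elevation on current Windows builds.

$exclusionRoot = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'

function Get-RegistryExclusions {
    # Each exclusion is stored as a VALUE NAME under Paths, Processes or Extensions
    # (the data is a DWORD 0), so the value names are the excluded items themselves.
    foreach ($sub in 'Paths', 'Processes', 'Extensions') {
        $key = Join-Path $exclusionRoot $sub
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($name in (Get-Item -Path $key).GetValueNames()) {
            [pscustomobject]@{ Kind = $sub; Value = $name }
        }
    }
}

function Test-HiddenSystemFolder {
    param([Parameter(Mandatory)][string]$Path)
    # True when the excluded path exists and carries the +s +h attributes from the question.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return $attrs.HasFlag([IO.FileAttributes]::Hidden) -and $attrs.HasFlag([IO.FileAttributes]::System)
}

function Get-ExclusionChangeEvents {
    param([int]$Days = 30)   # look-back window chosen for this example
    # Event 5007 ("antimalware platform configuration changed") names the registry value
    # that changed, so filtering its message on 'Exclusions' isolates exclusion edits.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message
}

# 1. What is written locally in the registry, with hidden+system folders flagged
$fromRegistry = @(Get-RegistryExclusions)
foreach ($e in $fromRegistry) {
    $flag = ''
    if ($e.Kind -eq 'Paths' -and (Test-HiddenSystemFolder -Path $e.Value)) { $flag = '  [hidden+system folder]' }
    '{0,-10} {1}{2}' -f $e.Kind, $e.Value, $flag
}

# 2. Effective path exclusions the engine reports but the local key does not contain;
#    these typically come from Group Policy / MDM rather than from a local Add-MpPreference.
$effective = Get-MpPreference
foreach ($p in @($effective.ExclusionPath)) {
    if ($p -and ($fromRegistry.Value -notcontains $p)) { "Policy-only path exclusion: $p" }
}

# 3. Who changed the exclusions recently, according to Defender's own log
Get-ExclusionChangeEvents | Format-Table -AutoSize -Wrap
```

A folder that is both excluded from scanning and marked hidden+system, as in the Refog case, is exactly the pattern section 1 surfaces; the 5007 events in section 3 give the timestamp to correlate with process-creation telemetry.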

The right way to do this is to use the Add-MpPreference PowerShell cmdlet. Use this cmdlet to add exceptions to filename extensions, paths, and processes, and to add default actions for high, medium, and low threats.

You can easily do this from an elevated command prompt on Windows 10 using the following command line:

 powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Windows\SysWOW64\Mpk" 
+9

The easiest way to do this is to use PowerShell from CMD with elevated privileges (for example, using balrobic's answer), but you can also use PowerShell environment variables to simplify your life, e.g.:

 powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $ENV:USERPROFILE\Downloads 

which will add the current user's Downloads folder, for example C:\Users\Susana\Downloads.

To get a list of the environment variables provided by PowerShell, you can use this PowerShell command:

 Get-ChildItem Env: | Sort Name 

As you can see, there is a windir variable. They can use this combined with the subfolders they specify.

+1

Go to PowerShell

 Add-MpPreference -ExclusionPath "C:\Temp" 

Link: https://docs.microsoft.com/en-us/powershell/module/defender/add-mppreference?view=win10-ps

0

Run in an elevated shell (find cmd in the Start menu and press Ctrl + Shift + Enter).

 powershell -Command Add-MpPreference -ExclusionPath "C:\tmp" 
 powershell -Command Add-MpPreference -ExclusionProcess "java.exe" 
 powershell -Command Add-MpPreference -ExclusionExtension ".java" 
 powershell -Command Remove-MpPreference -ExclusionExtension ".java" 
0
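The Add-MpPreference answers above (balrobic's, and the path/process/extension variants in the last one) share one gap: the cmdlets return nothing on success, so a script cannot tell whether the exclusion actually took effect. The following is an added example, not code from any of the answers: a wrapper that adds or removes an exclusion of any of the three kinds and then reads the effective preferences back with Get-MpPreference, raising an error if the change is not reflected. The function names and the placeholder values at the bottom are chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not code from the original answers): add/remove a Defender exclusion
# and verify the result via Get-MpPreference instead of trusting the silent return.

function Get-ExclusionList {
    param([Parameter(Mandatory)][ValidateSet('Path', 'Process', 'Extension')][string]$Kind)
    $prefs = Get-MpPreference
    switch ($Kind) {
        'Path'      { @($prefs.ExclusionPath) }
        'Process'   { @($prefs.ExclusionProcess) }
        'Extension' { @($prefs.ExclusionExtension) }
    }
}

function Test-Exclusion {
    param([string]$Kind, [string]$Value)
    # Extensions may be stored with or without the leading dot and paths with or without a
    # trailing backslash, so normalize both sides; -eq on strings is case-insensitive.
    $normalize = { param($s) if ($Kind -eq 'Extension') { $s.TrimStart('.') } else { $s.TrimEnd('\') } }
    $wanted = & $normalize $Value
    foreach ($item in (Get-ExclusionList -Kind $Kind)) {
        if ($item -and ((& $normalize $item) -eq $wanted)) { return $true }
    }
    return $false
}

function Set-DefenderExclusion {
    param(
        [Parameter(Mandatory)][ValidateSet('Path', 'Process', 'Extension')][string]$Kind,
        [Parameter(Mandatory)][string]$Value,
        [switch]$Remove
    )
    $cmdlet = if ($Remove) { 'Remove-MpPreference' } else { 'Add-MpPreference' }
    # Build the parameter name dynamically: -ExclusionPath / -ExclusionProcess / -ExclusionExtension
    $params = @{ "Exclusion$Kind" = $Value }
    & $cmdlet @params

    # Verify against the effective configuration; a failure here usually means the
    # exclusion is managed by policy, or the change was blocked, and the cmdlet said nothing.
    $present = Test-Exclusion -Kind $Kind -Value $Value
    if ($present -eq [bool]$Remove) {
        $state = if ($Remove) { 'still' } else { 'not' }
        throw "$cmdlet ran, but '$Value' ($Kind) is $state in the effective exclusions"
    }
    '{0}: {1} exclusion ''{2}'' verified' -f $cmdlet, $Kind, $Value
}

# Demonstration with placeholder values (the same three kinds shown in the thread)
Set-DefenderExclusion -Kind Path      -Value 'C:\tmp'
Set-DefenderExclusion -Kind Process   -Value 'java.exe'
Set-DefenderExclusion -Kind Extension -Value '.java'

# Clean up: an exclusion left behind weakens the host, which is precisely why malware adds them
Set-DefenderExclusion -Kind Extension -Value '.java' -Remove
Set-DefenderExclusion -Kind Process   -Value 'java.exe' -Remove
Set-DefenderExclusion -Kind Path      -Value 'C:\tmp' -Remove
```

Exclusions pushed by Group Policy or MDM cannot be removed with Remove-MpPreference, and the verification step is what makes that visible. Every successful change is also recorded by Defender as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which is the signal a detection team should alert on when a process other than a known installer or management agent adds an exclusion.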

Source: https://habr.com/ru/post/1258737/
