Tutorial: Prevent Windows Defender tampering (Latest virus activity)

trumpthatbitch

Well-Known Member
Jun 23, 2017
You can also further harden your PC with the Group Policy Editor (MMC, run as admin):

  1. Search for MMC, run it as admin, and then press Enter. You can also run MMC from CMD (run as admin): type MMC and press Enter.
  2. On the File menu, click Add/Remove Snap-in.
  3. In the Add or Remove Snap-ins dialog box, click Local Group Policy Editor, and then click Add.
  4. In the Select Group Policy Object dialog box, click OK.



Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Exclusions





Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus




Preview Channel will allow you to receive the latest threat information.
Potentially unwanted application detection: maybe you want this off, as it could affect other pirated games or software. I would suggest turning it on, then off if you find it annoying; at least set it to audit mode for tracking.


Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine





Specify the extended cloud check time in seconds: 50
Select cloud blocking level: High blocking level
or
Select cloud blocking level: High+ blocking level


Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS






Send safe samples automatically

Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Quarantine





Set to 5 days for auditing purposes.

Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection





Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Scan





Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell





Execution Policy: Allow only signed scripts

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

To make changes to Group Policy on Windows Home, you need to enable Group Policy via a workaround:
 
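The settings above are applied through Group Policy, so the check a practitioner wants afterwards is whether the box actually runs with them and whether anything has changed them since. The script below is an added example and is not part of the original post: it reads the effective Defender configuration with Get-MpPreference and Get-MpComputerStatus (both ship with Microsoft Defender), compares it with the values recommended in the post, and lists recent Defender configuration-change events from the operational log. The numeric codes in the comments are the documented values of those properties; the event IDs (5001, 5007, 5013) are the ones Microsoft documents for the Defender operational log. Run it from an elevated PowerShell session.

```powershell
# Added example (not the original post's code): compare the effective Microsoft
# Defender configuration with the thread's recommended Group Policy values and
# list recent configuration-change events. Requires an elevated PowerShell session
# on Windows 10/11 with the built-in Defender module (Get-MpPreference etc.).

function Test-DefenderHardening {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Expected values mirror the Group Policy settings recommended in the post.
    $checks = @(
        @{ Setting  = 'Cloud blocking level (2 = High, 4 = High+)'
           Actual   = [int]$pref.CloudBlockLevel;                Expected = @(2, 4) }
        @{ Setting  = 'Extended cloud check time, seconds (50 is the maximum)'
           Actual   = [int]$pref.CloudExtendedTimeout;           Expected = @(50) }
        @{ Setting  = 'PUA protection (1 = Block, 2 = Audit)'
           Actual   = [int]$pref.PUAProtection;                  Expected = @(1, 2) }
        @{ Setting  = 'Sample submission (1 = Send safe samples automatically)'
           Actual   = [int]$pref.SubmitSamplesConsent;           Expected = @(1) }
        @{ Setting  = 'Quarantine purge delay, days'
           Actual   = [int]$pref.QuarantinePurgeItemsAfterDelay; Expected = @(5) }
        @{ Setting  = 'Real-time monitoring on'
           Actual   = -not $pref.DisableRealtimeMonitoring;      Expected = @($true) }
        @{ Setting  = 'Tamper protection on'
           Actual   = $status.IsTamperProtected;                 Expected = @($true) }
        # The "Allow only signed scripts" policy lands in the MachinePolicy scope,
        # so that is the scope to read; LocalMachine would show a different value.
        @{ Setting  = 'PowerShell execution policy (machine policy scope)'
           Actual   = (Get-ExecutionPolicy -Scope MachinePolicy).ToString()
           Expected = @('AllSigned') }
    )

    foreach ($c in $checks) {
        [pscustomobject]@{
            Setting  = $c.Setting
            Actual   = $c.Actual
            Expected = ($c.Expected -join ' or ')
            Status   = if ($c.Expected -contains $c.Actual) { 'OK' } else { 'REVIEW' }
        }
    }
}

function Get-DefenderConfigEvents {
    # Defender operational-log events that matter when looking for tampering:
    # 5001 = real-time protection disabled, 5007 = platform configuration changed
    # (message carries old and new value), 5013 = tamper protection blocked a change.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007, 5013
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
}

Test-DefenderHardening   | Format-Table -AutoSize
Get-DefenderConfigEvents | Format-Table -AutoSize -Wrap
```

Any row marked REVIEW means the policy did not take effect (for example on Windows Home without the Group Policy workaround) or was changed afterwards; the 5007 events show what changed and when, which is the trail you want when the thread's title, tampering, is the concern.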

trumpthatbitch

Some additional settings for Windows Defender to harden Windows

ASR Rule Name / Globally Unique Identifier (GUID)

Block abuse of exploited vulnerable signed drivers
56a863a9-875e-4185-98a7-b882c64b5ce5

Block Adobe Reader from creating child processes
7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c

Block all Office applications from creating child processes
d4f940ab-401b-4efc-aadc-ad5f3c50688a

Block credential stealing from the Windows local security authority subsystem (lsass.exe)
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2

Block executable content from email client and webmail
be9ba2d9-53ea-4cdc-84e5-9b1eeee46550

Block executable files from running unless they meet a prevalence, age, or trusted list criterion
01443614-cd74-433a-b99e-2ecdc07bfc25

Block execution of potentially obfuscated scripts
5beb7efe-fd9a-4556-801d-275e5ffc04cc

Block JavaScript or VBScript from launching downloaded executable content
d3e037e1-3eb8-44c8-a917-57927947596d

Block Office applications from creating executable content
3b576869-a4ec-4529-8536-b80a7769e899

Block Office applications from injecting code into other processes
75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84

Block Office communication application from creating child processes
26190899-1602-49e8-8b27-eb1d0a1ce869

Block persistence through WMI event subscription
e6db77e5-3df2-4cf1-b95a-636979351e5b

Block process creations originating from PSExec and WMI commands
d1e49aac-8f56-4280-b9ba-993a6d77406c

Block untrusted and unsigned processes that run from USB
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4

Block Win32 API calls from Office macros
92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b

Use advanced protection against ransomware
c1db55ab-c21a-4637-bb3f-a12568109d35

Strikethrough for non-recommended settings.

Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction

Configure Attack Surface Reduction rules: Enabled

Set the state for each ASR rule example:
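The ASR rule list above is the same set of rules whether it is set through the Group Policy path in the post or through the Defender cmdlets, and the practical way to roll it out is audit first, block later. The script below is an added example and is not part of the original post: it applies the listed rules (GUIDs copied from the post) in audit mode with Add-MpPreference, reads back each rule's configured state from Get-MpPreference, and pulls the events that show what the rules would have stopped. The action names (Disabled, AuditMode, Enabled, Warn) are the documented values for -AttackSurfaceReductionRules_Actions, and event IDs 1121 (blocked) and 1122 (audited) are the documented ASR events in the Defender operational log. The function names are my own. Run it from an elevated PowerShell session.

```powershell
# Added example (not the original post's code): apply the post's ASR rule list in
# audit mode, report each rule's state, and review ASR audit/block events.
# Requires an elevated PowerShell session with the built-in Defender module.

# Rule name -> GUID, copied from the list in the post.
$asrRules = [ordered]@{
    'Block abuse of exploited vulnerable signed drivers'                                    = '56a863a9-875e-4185-98a7-b882c64b5ce5'
    'Block Adobe Reader from creating child processes'                                     = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'
    'Block all Office applications from creating child processes'                          = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block credential stealing from LSASS'                                                 = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block executable content from email client and webmail'                               = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'Block executable files unless they meet a prevalence, age, or trusted list criterion' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    'Block execution of potentially obfuscated scripts'                                    = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
    'Block JavaScript or VBScript from launching downloaded executable content'            = 'd3e037e1-3eb8-44c8-a917-57927947596d'
    'Block Office applications from creating executable content'                           = '3b576869-a4ec-4529-8536-b80a7769e899'
    'Block Office applications from injecting code into other processes'                   = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
    'Block Office communication application from creating child processes'                = '26190899-1602-49e8-8b27-eb1d0a1ce869'
    'Block persistence through WMI event subscription'                                     = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'
    'Block process creations originating from PSExec and WMI commands'                     = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'Block untrusted and unsigned processes that run from USB'                             = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
    'Block Win32 API calls from Office macros'                                             = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
    'Use advanced protection against ransomware'                                           = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
}

# Reverse map so GUIDs found in event messages can be shown by name.
$ruleName = @{}
foreach ($e in $asrRules.GetEnumerator()) { $ruleName[$e.Value] = $e.Key }

function Set-AsrRules {
    # Apply one action to every rule in the list. Add-MpPreference sets the action
    # for a rule that is already configured as well as adding new ones.
    param([ValidateSet('Disabled', 'AuditMode', 'Enabled', 'Warn')][string]$Action = 'AuditMode')
    foreach ($guid in $asrRules.Values) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $guid -AttackSurfaceReductionRules_Actions $Action
    }
}

function Get-AsrRuleState {
    # Get-MpPreference exposes two parallel arrays: index i of the Ids array
    # corresponds to index i of the Actions array (0 Disabled, 1 Block, 2 Audit, 6 Warn).
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $label   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    foreach ($entry in $asrRules.GetEnumerator()) {
        $state = 'Not configured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -eq $entry.Value) {          # string -eq is case-insensitive
                $code  = [int]$actions[$i]
                $state = if ($label.ContainsKey($code)) { $label[$code] } else { "Unknown ($code)" }
                break
            }
        }
        [pscustomobject]@{ Rule = $entry.Key; Guid = $entry.Value; State = $state }
    }
}

function Get-AsrEvents {
    # ASR writes to the Defender operational log: 1121 = rule blocked,
    # 1122 = rule audited (would have blocked). The rule GUID is in the message text.
    param([int]$Days = 7)
    $guidRx = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $m = [regex]::Match($_.Message, $guidRx, 'IgnoreCase')
        $g = if ($m.Success) { $m.Value.ToLower() } else { '' }
        [pscustomobject]@{
            Time = $_.TimeCreated
            Mode = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Rule = if ($ruleName.ContainsKey($g)) { $ruleName[$g] } else { $g }
            Text = $_.Message
        }
    }
}

# Typical rollout: audit first, review the 1122 events for a while, then
# re-run Set-AsrRules -Action Enabled for the rules that caused no problems.
Set-AsrRules -Action AuditMode
Get-AsrRuleState | Format-Table -AutoSize
Get-AsrEvents -Days 7 | Format-Table -AutoSize -Wrap
```

Rules the post struck through as not recommended can simply be removed from the $asrRules table before running, or moved to Warn, which is the state that still lets the user proceed while logging an event.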