27

I was checking out different keyloggers for research purposes and stumbled upon Refog:

https://www.refog.com/keylogger/

This program could catch a lot of system events, but what really caught my attention was something else. The program created a hidden folder called Mpk, path C:\Windows\SysWOW64\Mpk. It was marked as an operating system files folder, because it was not visible until I unmarked Hide protected operating system files (recommended). This, I guess, can be done via the attrib command like this attrib +s +h "C:\Windows\SysWOW64\Mpk" so nothing revolutionary.

Hide

However they also added an exclusion to Windows Defender for this folder. How can they do this programmatically? I'm running Windows 10 Pro x64.

Exclusion

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Ogglas
  • 62,132
  • 37
  • 328
  • 418

6 Answers6

32

The correct way to do this is using the Add-MpPreference PowerShell cmdlet. Use this cmdlet to add exclusions for file name extensions, paths, and processes, and to add default actions for high, moderate, and low threats.

You can easily perform this from the elevated cmd shell in Windows 10 using the following command line:

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Windows\SysWOW64\Mpk"
Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
balrob
  • 585
  • 6
  • 7
  • 3
    Worked perfectly, however if you have a space in your file path the command needs to be escaped, like this: `powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\sysconfig'"` – Ogglas Jul 10 '18 at 13:48
  • 1
    How can I do this with more than one path please? @balrob – JumpingJacks Jan 09 '19 at 14:26
  • 1
    A comma separated list (with no spaces around the comma) should do it, e.g `-ExclusionPath 'path1','path2'` – balrob Jan 10 '19 at 20:25
  • 1
    Use the following to confirm the changes: `powershell -inputformat none -outputformat text -NonInteractive -Command Get-MpPreference` – balrob Jan 10 '19 at 20:29
  • .. or check Windows Defender settings configuration in it to see the changes. – WesternGun May 20 '19 at 14:52
22

Run in elevated shell (search cmd in Start menu and hit Ctrl+Shift+Enter).

powershell -Command Add-MpPreference -ExclusionPath "C:\tmp"
powershell -Command Add-MpPreference -ExclusionProcess "java.exe"
powershell -Command Add-MpPreference -ExclusionExtension ".java"

powershell -Command Remove-MpPreference -ExclusionExtension ".java"
gavenkoa
  • 45,285
  • 19
  • 251
  • 303
  • Consider the risk it may cause: if you really exclude all the `Temp` folder, every app can download suspicious files and you won't get notified anymore. – WesternGun May 17 '19 at 08:17
  • 1
    You are right. As soon as it's not a system temp folder, it's fine. – WesternGun May 20 '19 at 14:51
  • adding java.exe exclusion is a serious security threat! – Tomasz Mar 19 '21 at 14:28
  • 1
    I like how you show both *adding* and *removing* an exclusion and also point to the correct documentation. I've used this to install NirLauncher from chocolatey, temporarily excluding the chocolatey directory (which is under the `%TEMP%` of the current user: not a location to permanently allow. Exclude: `powershell -Command Add-MpPreference -ExclusionPath "%TEMP%\chocolatey\NuGetScratch"` Install: `choco update --yes nirlauncher` Remove exclusion: `powershell -Command Remove-MpPreference -ExclusionPath` "%TEMP%\chocolatey\NuGetScratch"` – Jeroen Wiert Pluimers Jun 12 '21 at 11:19
  • 1
    For those who complains about security risks: those are just examples! Useful because it reports the three cases and the remove case. – Zac Dec 16 '21 at 14:23
11

After some digging I found the following folder:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

I cannot add a key there with my user. I get the following error: Cannot create key: You do not have the requisite permissions to create a new key under Paths

However SYSTEM, WinDefend and TrustedInstaller all have Full Control. The best guess is that they have used something like DevxExec devxexec.exe /user:TrustedInstaller cmd and written the key to the registry.

Enter image description here

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Ogglas
  • 62,132
  • 37
  • 328
  • 418
2

Go to powershell

Add-MpPreference -ExclusionPath "C:\Temp"

Reference: https://learn.microsoft.com/en-us/powershell/module/defender/add-mppreference?view=win10-ps

randomguy
  • 357
  • 2
  • 9
  • Consider the risk it may cause: if you really exclude all the `Temp` folder, every app can download suspicious files and you won't get notified anymore. – WesternGun May 17 '19 at 08:16
1

The easiest way to do this is using PowerShell from CMD with elevated privileges (like balrob's answer), but you can also use the PowerShell environment variables to make your life easier; for example:

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $ENV:USERPROFILE\Downloads

which will add current user's Downloads folder, eg. C:\Users\Susana\Downloads.

To get the list of environment variables provided by PowerShell, you can use this PowerShell command:

Get-ChildItem Env: | Sort Name

As you can see, there is the windir variable. They could use that in addition with the subfolders you mentioned.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Mladen
  • 11
  • 2
0

Just thought that I would post this as it did take me a few seconds to figure out how to do this in C# but here is the code that is working for me:

        var elevated = new ProcessStartInfo("powershell")
        {
            UseShellExecute = false,
            CreateNoWindow = true,
            Verb = "runas",
            Arguments = " -Command Add-MpPreference -ExclusionPath '" + directory + "'"
        };
        Process.Start(elevated);
Edd
  • 703
  • 7
  • 23