I can't turn off Real Time Protection via Powershell

Question

I want to try reverse shell. I tried to turn off Real Time Protection using Powershell command: Set-MpPreference -DisableRealtimeMonitoring $true

But it doesn't work. I am pretty sure I did everything right. I opened it as administrator and ran the command. I tried restarting the windows, but it still doesn't work

`(Get-MpPreference).DisableRealtimeMonitoring` still appears as False after running Set? — Santiago Squarzon, Mar 12 '21 at 19:21
I don't see any issue with your command, what happens if you try the same from the GUI? Does it get disabled, do you see it as True in PS? — Santiago Squarzon, Mar 12 '21 at 19:30
What happens if you stop the service first and then set the attribute? `get-service windefend | Stop-Service -Force` — Santiago Squarzon, Mar 12 '21 at 19:39
I confirmed the same behavior on one of my lab systems. No error, says it's updating when using `verbose`. Can disable in GUI. Even then can't set back to enabled in PS. — Doug Maurer, Mar 12 '21 at 19:40
@santisq Stop-Service : Service 'Microsoft Defender Antivirus Service (windefend)' cannot be stopped due to the following error: Cannot open windefend service on computer '.'. — Məhəmməd Abbaslı, Mar 12 '21 at 19:42
something is definitely wrong with my windows. Can it be because this is education edition of windows? — Məhəmməd Abbaslı, Mar 12 '21 at 19:43
Could this be a duplicate of [Powershell Set-MpPreference -DisableRealtimeMonitoring $true not working correctly](https://stackoverflow.com/questions/48960190/powershell-set-mppreference-disablerealtimemonitoring-true-not-working-correct) ? — Theo, Mar 13 '21 at 11:16

score 0 · Answer 1 · answered May 06 '21 at 00:42

Make sure you also turn off firewall, too. In PowerShell use this command:

netsh advfirewall set all profiles state off

This should do the trick; just tested it with reverse shell in Empire.

Also, keep in mind that uponr reboot, Realtime Monitoring is activated again (if you want persistence, you should find a workaround). Firewall, though, remains deactivated until you enable it again.

score 0 · Answer 2 · answered Nov 30 '21 at 18:31

0

I found it guys. I had to turn the tamper protection off. But I found no way to turn it off via powershell on internet

answered Nov 30 '21 at 18:31

Məhəmməd Abbaslı

11
3

I can't turn off Real Time Protection via Powershell

2 Answers2