问题
I was checking out different keyloggers for research purposes and stumbled upon Refog:
https://www.refog.com/keylogger/
This program could catch a lot of system events, but what really caught my attention was something else. The program created a hidden folder called Mpk, path C:\Windows\SysWOW64\Mpk. It was marked as an operating system files folder, because it was not visible until I unmarked Hide protected operating system files (recommended). This, I guess, can be done via the attrib command like this attrib +s +h "C:\Windows\SysWOW64\Mpk" so nothing revolutionary.
However they also added an exclusion to Windows Defender for this folder. How can they do this programmatically? I'm running Windows 10 Pro x64.
回答1:
The correct way to do this is using the Add-MpPreference PowerShell cmdlet. Use this cmdlet to add exclusions for file name extensions, paths, and processes, and to add default actions for high, moderate, and low threats.
You can easily perform this from the elevated cmd shell in Windows 10 using the following command line:
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Windows\SysWOW64\Mpk"
回答2:
After some digging I found the following folder:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
I cannot add a key there with my user. I get the following error: Cannot create key: You do not have the requisite permissions to create a new key under Paths
However SYSTEM, WinDefend and TrustedInstaller all have Full Control. The best guess is that they have used something like DevxExec devxexec.exe /user:TrustedInstaller cmd and written the key to the registry.
回答3:
Run in elevated shell (search cmd in Start menu and hit Ctrl+Shift+Enter).
powershell -Command Add-MpPreference -ExclusionPath "C:\tmp"
powershell -Command Add-MpPreference -ExclusionProcess "java.exe"
powershell -Command Add-MpPreference -ExclusionExtension ".java"
powershell -Command Remove-MpPreference -ExclusionExtension ".java"
- Add an exclusion to Windows Security
- Modifies settings for Windows Defender from PowerShell
- Removes exclusions or default actions
回答4:
The easiest way to do this is using PowerShell from CMD with elevated privileges (like balrob's answer), but you can also use the PowerShell environment variables to make your life easier; for example:
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $ENV:USERPROFILE\Downloads
which will add current user's Downloads folder, eg. C:\Users\Susana\Downloads.
To get the list of environment variables provided by PowerShell, you can use this PowerShell command:
Get-ChildItem Env: | Sort Name
As you can see, there is the windir variable. They could use that in addition with the subfolders you mentioned.
回答5:
Go to powershell
Add-MpPreference -ExclusionPath "C:\Temp"
Reference: https://docs.microsoft.com/en-us/powershell/module/defender/add-mppreference?view=win10-ps
来源:https://stackoverflow.com/questions/40233123/windows-defender-add-exclusion-folder-programmatically