Saturday, May 21, 2022

How to Bulk Add EXE Files to Windows Defender Firewall with Advanced Security in Windows 10


Intro:

I found myself needing to block all exe's in a folder from calling home and I didn't want them receiving anything from the mothership either. There were quite a few files to input and since you can't just drag and select a bunch of exe's from within the Windows Defender Firewall with Advanced Security to begin with, I was forced to write this batch file.

This batch file will search for all exe's in a folder (not recursive) and will add them as a blocked item in the Inbound & Outbound Rules section. If you need to search directories recursively then look at Solution #2.


Solution #1 (only search for exe's in the current folder):

1. Create a text file with the following contents and save it as "block-XYZ-in&out.bat" on the Desktop, where "XYZ" is the program name. You will move this file later. Make sure you do not miss the closing parenthesis at the end.

for %%G in ("C:\Program Files\YOUR-FOLDER-HERE\*.exe") do (
    rem %%~G strips the surrounding quotes cmd keeps on matches from a quoted wildcard,
    rem so each path is quoted exactly once in the netsh arguments below.
    netsh advfirewall firewall add rule name="Blocked With Batchfile %%~G" dir=in action=block program="%%~G" enable=yes profile=any
    netsh advfirewall firewall add rule name="Blocked With Batchfile %%~G" dir=out action=block program="%%~G" enable=yes profile=any
)
2. In the above file, edit line 1 so the path matches the folder you want to scan, or this will fail.

3. You can change the name of the rules if you want.

4. Once you've made your modifications save the bat file, copy it to the folder location you have specified, and run it with admin credentials. So in this case drop the bat file in "C:\Program Files\YOUR-FOLDER-HERE\" and run it.

5. To open Windows Defender Firewall with Advanced Security follow this: Settings ➡ Update & Security ➡ Windows Security ➡ Firewall & network protection ➡ Advanced settings (bottom), or Right-click Start ➡ Run ➡ wf.msc, as seen here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.

6. Check to make sure the items have been added in the firewall as blocked. If the list doesn't refresh, click on Inbound Rules or Outbound Rules to refresh it.


Solution #2 (search for exe's recursively aka down the folder tree we go):

1. Create a text file with the following contents and save it as "block-XYZ-in&out.bat" on the Desktop, where "XYZ" is the program name. You will move this file later. Make sure you do not miss the closing parenthesis at the end.

For /R "C:\Program Files\YOUR-FOLDER-HERE\" %%G IN (*.exe) do (
    rem With /R, %%G is already the full unquoted path; %%~G is harmless here and
    rem keeps the quoting identical to Solution #1.
    netsh advfirewall firewall add rule name="Blocked With Batchfile %%~G" dir=in action=block program="%%~G" enable=yes profile=any
    netsh advfirewall firewall add rule name="Blocked With Batchfile %%~G" dir=out action=block program="%%~G" enable=yes profile=any
)
2. In the above file, edit line 1 so the path matches the folder you want to scan, or this will fail.

3. You can change the name of the rules if you want.

4. Once you've made your modifications save the bat file, copy it to the folder location you have specified, and run it with admin credentials. So in this case drop the bat file in "C:\Program Files\YOUR-FOLDER-HERE\" and run it.

5. To open Windows Defender Firewall with Advanced Security follow this: Settings ➡ Update & Security ➡ Windows Security ➡ Firewall & network protection ➡ Advanced settings (bottom), or Right-click Start ➡ Run ➡ wf.msc, as seen here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.

6. Check to make sure the items have been added in the firewall as blocked. If the list doesn't refresh, click on Inbound Rules or Outbound Rules to refresh it.
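A PowerShell equivalent of Solution #1 and Solution #2, added here as an example and not part of the original post. It assumes the same placeholder folder, uses the -Recurse switch for Solution #2's behaviour, skips rules that already exist so re-running it does not create duplicates, and ends with the check that the rules actually landed.

```powershell
# Added example (not the post's batch file): same effect as Solution #1/#2 via the
# NetSecurity cmdlets. Run from an elevated PowerShell prompt.
param(
    # Folder to scan; placeholder path, same as in the batch file
    [string]$Folder = 'C:\Program Files\YOUR-FOLDER-HERE',
    # Set -Recurse to walk subfolders as Solution #2 does
    [switch]$Recurse
)

$exes = Get-ChildItem -Path $Folder -Filter '*.exe' -File -Recurse:$Recurse

foreach ($exe in $exes) {
    foreach ($direction in 'Inbound', 'Outbound') {
        $name = "Blocked With PowerShell $direction $($exe.FullName)"
        # Skip rules that already exist so re-running the script does not pile up duplicates
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        # Rules match the program by path: a copy of the same exe elsewhere is not covered
        New-NetFirewallRule -DisplayName $name -Direction $direction -Action Block `
            -Program $exe.FullName -Enabled True -Profile Any | Out-Null
    }
}

# Check: list every enabled block rule whose program sits under $Folder
Get-NetFirewallRule -Action Block -Enabled True |
    Where-Object { ($_ | Get-NetFirewallApplicationFilter).Program -like "$Folder*" } |
    Select-Object DisplayName, Direction |
    Sort-Object DisplayName
```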


Conclusion:

This is by far the fastest way I've been able to bulk add rules like this. Although it applies the same settings to the inbound and outbound rules, its only intention was to search through a file directory and have rules created quickly with minimal interaction.


Icon at top of post found here: https://www.pngwing.com/en/free-png-ydrnk


Friday, May 20, 2022

How to Run Program without Admin Privileges and Bypass UAC Prompt

 


Intro:

I ran into a particular issue with a client program when it ran nightly backups. I won't name this company as it's never a good idea to interrupt your enemy while he's making a mistake. I will say that they require this application to run as admin under Windows 10. For reasons that should be obvious, I won't be giving users admin rights or anything close to it anytime soon.


Problem:

So I need a way for this backup application to run but not prompt for the admin password. The backup application is not triggered by a user but instead called up by the main program itself. To clarify, there are two programs: "main.exe" and "backup.exe". "Main.exe" is the user application. Whenever "main.exe" is set to run a backup it calls "backup.exe", which in this case for some dumb reason needs to run as admin. Both applications are in the same folder in the root of the C:\ drive and only "backup.exe" needs to be run as admin. Yea idk ask the devs.

I was under the impression that during coding you would force the exe to require admin permissions if that file was trying to write to "C:\Program Files", "C:\Program Files (x86)", and/or "C:\ProgramData", as users do not have edit permissions in these folders.

However, in this case the programs "main.exe" and "backup.exe" reside in "C:\Appli123\", which brings me back to the question of why "backup.exe" ever needed admin permissions in the first place. If someone has a better understanding of this please leave a comment below.

Sunday, May 8, 2022

How to Disable Windows Defender on Windows 10/11 Pro & Enterprise


Intro:

This article is derived from a Reddit post I made a while back regarding the inability to completely turn off Windows Defender. The link to the Reddit post is located here; however, if anything changes to this process after 05/08/22, I will only update this blog post going forward. If someone happens to delete the Reddit post this document will still exist.

Do yourself a favor and read the entire article before acting.


Problem:

Microsoft Defender Antivirus should be disabled after the setting in Local Group Policy is enabled, but for some reason the setting in group policy reverts to "Not Configured". I've restarted and tried over and over again about 4 times now. Initially this is the problem that was occurring, more of a glitch than anything.

I have detailed everything that I have tried as different Windows Updates have come along just as the Reddit post details, however the latest update as of 05/08/22 is number five. So skip to that if you want an answer on how to Disable Windows Defender in Windows 10 build 19044.1682. From the limited testing that I have done, this method will not work on any version of Windows 10 Home.

EDIT: 03/13/23 - Follow Update 6 for Windows 11 Pro & Enterprise


Solution(s):

IF YOU HAPPEN TO COME ACROSS THIS POST PLEASE READ UPDATE #5 BELOW FOR THE LATEST INFORMATION!

Original Instructions:

I know this won't work unless you disable Tamper Protection first. However, it's not working as expected. It worked fine in v1909; I didn't test v2004.
  1. Disable Tamper Protection.
  2. Restart (shouldn't have to but whatever)
  3. gpedit.msc - enable "Turn off Microsoft Defender Antivirus"
  4. gpupdate.exe
  5. Restart for good measure, refer to #2 ;)
Microsoft Defender Antivirus should be disabled but for some reason the setting in group policy reverts to "Not Configured". I've restarted and tried over and over again about 4 times now. Same problem. This has to be a glitch.


** Update #1 **
  1. Turn all Defender settings back on via control panel. Verified anything related to Defender is "Not Configured" in group policy.
  2. Restart.
  3. Disable Tamper Protection
  4. Restart
  5. gpedit.msc - enable "Turn off Microsoft Defender Antivirus"
  6. gpupdate.exe
  7. Restart agaaaaiiiiiinnnnnnnn
  8. Now it works as expected. It took forever (3-4 minutes) for Windows to check its own setting and come back with....."Getting protection info" when you go into Windows Security.


** UPDATE #2 **
After a restart now it doesn't work again. It's still disabled in gpedit.msc lol. What the fuck is going on?


** UPDATE #3 **
Tried disabling via the registry:
  1. In the Windows Start menu or search box, enter regedit.exe, and then press Enter. The Registry Editor opens.
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
  3. In the right pane, right-click in the empty area, and then click New > DWORD (32-bit) Value.
  4. Enter DisableAntiSpyware, and press Enter.
  5. Double-click DisableAntiSpyware, and change "Value data" to 1.
  6. Restart the computer. Windows Defender is now disabled.
Side note: Scratch that idea. M$ disabled doing it this way and deletes the DisableAntiSpyware key for you, on its own 🤦‍♂️: https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware


** UPDATE #4 **
Several restarts later and toggling Tamper Protection on and off, it finally worked. Follow steps at beginning of post and omit step #2.


** UPDATE #5 - 05/08/22 **

A Reddit user stated that this method does not work. In my findings if you use Windows 10 Home 19044.1165 or 19044.1682 and a hack to enable "Local Group Policy Editor", disabling Windows Defender via group policy hacks on Windows 10 Home does not work.



** UPDATE #6 - 03/13/23 **

Updated this post for Windows 11 Pro & Enterprise. This has been tested with Version 22H2 (OS Build 22621.1344).

--------------------

Ok so here we go & remember we're treating these directions as if Windows Defender was still turned on and has its default settings (Not Configured in gpedit.msc):


Windows 10 Pro & Enterprise build # 19044.1165 ➡ Go straight to "gpedit.msc" and enable "Turn off Microsoft Defender Antivirus", reboot, and you're good to go.

Windows 10 Pro & Enterprise build # 19044.1682 ➡ Turn off "Tamper Protection" ➡ reboot ➡ "gpedit.msc" ➡ enable "Turn off Microsoft Defender Antivirus" ➡ reboot (if you don't do "gpupdate" you'll have to wait about 2 minutes and you'll see, "Getting Protection Info...." when you check the status of Windows Defender in Settings). You're good to go after this.

Windows 10 Pro & Enterprise build # 19044.1706 ➡ Turn off "Tamper Protection" ➡ reboot ➡ "gpedit.msc" ➡ enable "Turn off Microsoft Defender Antivirus" ➡ reboot and wait a few minutes before checking the status of "Virus & threat protection" as you'll see "Getting Protection Info...." when you check the status of Windows Defender in Settings. You're good to go after this and after Getting Protection Info stops loading you'll see the following in the Windows Security dialog box (see image below).

--------------------

Windows 11 Pro & Enterprise build # 22621.1344 & Windows Server 2022 21H2 ➡ Turn off "Tamper Protection" ➡ reboot ➡ "gpedit.msc" ➡ (Computer Configuration ➡ Administrative Templates ➡ Windows Components ➡ Microsoft Defender Antivirus ➡ enable "Turn off Microsoft Defender Antivirus") ➡ reboot and wait a few minutes before checking the status of "Virus & threat protection" as you'll see "Getting Protection Info...." when you check the status of Windows Defender in Settings. You're good to go after this and after Getting Protection Info stops loading you'll see the following in the Windows Security dialog box (see image below).

You may need to toggle the Group Policy setting more than once before it actually sets. Ask Microsoft about this one 🤷‍♂️.

--------------------

Tamper Protection is located here:

Settings ➡ Update & Security ➡ Windows Security (left side) ➡ Virus & threat protection ➡ Virus & threat protection settings ➡ Tamper Protection (4th one down).


The Local Group Policy you're toggling above is located here:

Local Computer Policy ➡ Computer Configuration ➡ Administrative Templates ➡ Windows Components ➡ Microsoft Defender Antivirus ➡ Turn off Microsoft Defender Antivirus

--------------------

Reboot and check Settings ➡ Updates & Security ➡ Windows Security ➡ Virus & threat protection ➡ It should say, "Your Virus & threat protection is managed by your organization" in red. Under that it will say, "No active antivirus provider. Your device is vulnerable".

CTRL + ALT + DELETE ➡ Task Manager ➡ Details ➡ "msmpeng.exe" should not be running after you disable MS Defender. If it's still running please comment back here and I'll try to find a workaround.

If you decide to change the setting in Local Group Policy back to "Not Configured", reboot, wait approximately 5 minutes, and check the status of Windows Defender (some settings will appear to be correct and most aren't); then reboot, wait another 2-3 minutes, and check again. Windows Defender will turn back on all the settings except Tamper Protection. You need to manually turn that back on. When you check the status again everything will be in the green.

Windows does not need to be activated to make any of the above changes.

Update #3's side note is still valid: Windows will delete the 32-bit DWORD value upon reboot.
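A read-only status check, added here as an example and not part of the original post, that reports the same things the paragraphs above say to verify by hand: the Virus & threat protection state, Tamper Protection, the DisableAntiSpyware policy value from Update #3, and whether msmpeng.exe is running. It assumes Windows 10/11 with the Defender PowerShell module present; the same report flags a machine on which that policy has been set without authorization.

```powershell
# Added example (not from the original post): read-only audit of the Defender state
# described above. Run in an elevated PowerShell prompt; nothing here changes settings.
function Get-DefenderAuditReport {
    # Null when the Defender service is not answering, which is itself a finding
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue

    # Policy value behind "Turn off Microsoft Defender Antivirus" (the same value
    # Update #3 set by hand; the post notes Windows removes it again on reboot,
    # so $null here does not by itself mean Defender is on)
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $policy = Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue

    # Build string in the post's "19044.1682" form
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        OSBuild                  = '{0}.{1}' -f $ver.CurrentBuild, $ver.UBR
        AntivirusEnabled         = $status.AntivirusEnabled
        RealTimeProtection       = $status.RealTimeProtectionEnabled
        TamperProtected          = $status.IsTamperProtected
        PolicyDisableAntiSpyware = $policy.DisableAntiSpyware   # $null = value absent
        MsMpEngRunning           = [bool](Get-Process -Name MsMpEng -ErrorAction SilentlyContinue)
    }
}

$report = Get-DefenderAuditReport
$report | Format-List

# Flag the state the post describes as "disabled": engine not running or AV reported off
if (-not $report.MsMpEngRunning -or $report.AntivirusEnabled -ne $true) {
    Write-Warning "Defender appears disabled on $($report.ComputerName) (build $($report.OSBuild))"
}
```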

--------------------

PS: Microsoft I'm tired of beta testing your "final products" and not being paid for it.
