Turn off Defender in Windows with symbolic links

Symbolic links make it possible to disable Defender as antivirus protection under Windows without turning off features such as Tamper Protection. The approach simply sends Defender off into the woods while scanning, because the virus scanner is redirected to other folders. I came across advice to this effect some time ago, which I'd like to discuss briefly.



The attack vector came to my attention via the following tweet; the related explanations can be found in the article Killing Defender through NT symbolic links redirection.

Switching off Defender under Windows

Administrator privileges are all it takes to stop Defender from doing its job under Windows. There is not even any need to go through the operating system's GUI to disable Tamper Protection. All that is required is to redirect the NT symbolic link

\Device\BootDevice

to another target. This directory specification is part of the NT path from which Defender's WdFilter driver binary is loaded. When a driver is loaded in Windows, there are two ways to specify where its binary resides in the file system: Win32 paths and NT paths.



Win32 paths are a stripped-down form of the more comprehensive NT paths and rely heavily on NT symbolic links. A Win32 path to the filter driver looks like this:

C:\Windows\System32\Driver\wd\WdFilter.sys

while the NT path is written as follows:

\Device\HarddiskVolume4\Windows\System32\Driver\wd\WdFilter.sys

NT paths can contain NT symbolic links. The authors of the linked article wrote code that uses symbolic links to redirect the NT paths in question to other directory contents on a drive. Defender then keeps running, but can no longer scan anything useful.

This technique can also be used to make Defender load an arbitrary driver that no tool can find, although it does not survive a reboot. The code for this is in APTortellini's GitHub repository unDefender. Details of the concept can be found in the article linked above.
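Since the article notes that Defender keeps running and reports nothing unusual once \Device\BootDevice has been redirected, the useful defender-side check is to resolve that link yourself and verify that WdFilter is actually loaded. The script below is an added example written for this post; it is not code from the article or from the unDefender repository. It assumes an elevated PowerShell 5.1 or later session, and that on the machine being checked \Device\BootDevice is expected to resolve to the same NT volume as %SystemDrive% (the normal case for a standard installation, where the Windows directory lives on the system drive). The function and variable names are my own.

```powershell
# Added example (not from the article or unDefender): resolve the NT symbolic
# link \Device\BootDevice via the object manager, compare it with the NT device
# behind %SystemDrive%, and confirm the WdFilter minifilter is loaded.
# Assumptions: elevated session, PowerShell 5.1+, BootDevice == system volume.

$sig = @'
[StructLayout(LayoutKind.Sequential)]
public struct UNICODE_STRING {
    public ushort Length;
    public ushort MaximumLength;
    public IntPtr Buffer;
}
[StructLayout(LayoutKind.Sequential)]
public struct OBJECT_ATTRIBUTES {
    public int    Length;
    public IntPtr RootDirectory;
    public IntPtr ObjectName;
    public uint   Attributes;
    public IntPtr SecurityDescriptor;
    public IntPtr SecurityQualityOfService;
}
[DllImport("ntdll.dll")]
public static extern int NtOpenSymbolicLinkObject(out IntPtr LinkHandle, uint DesiredAccess, ref OBJECT_ATTRIBUTES ObjectAttributes);
[DllImport("ntdll.dll")]
public static extern int NtQuerySymbolicLinkObject(IntPtr LinkHandle, ref UNICODE_STRING LinkTarget, out uint ReturnedLength);
[DllImport("ntdll.dll")]
public static extern int NtClose(IntPtr Handle);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDeviceW(string lpDeviceName, System.Text.StringBuilder lpTargetPath, uint ucchMax);
'@
if (-not ('Win32.NtObj' -as [type])) {
    Add-Type -Namespace Win32 -Name NtObj -MemberDefinition $sig
}
$M = [System.Runtime.InteropServices.Marshal]

function Resolve-NtSymbolicLink {
    # Returns the target string of an object-manager symbolic link such as \Device\BootDevice.
    param([Parameter(Mandatory)][string]$LinkPath)
    $SYMBOLIC_LINK_QUERY  = 0x0001
    $OBJ_CASE_INSENSITIVE = 0x00000040

    # UNICODE_STRING.Length is in bytes and excludes the terminator.
    $name = New-Object 'Win32.NtObj+UNICODE_STRING'
    $name.Length        = [uint16](2 * $LinkPath.Length)
    $name.MaximumLength = [uint16]($name.Length + 2)
    $name.Buffer        = $M::StringToHGlobalUni($LinkPath)
    $namePtr = $M::AllocHGlobal($M::SizeOf($name))
    $M::StructureToPtr($name, $namePtr, $false)

    $oa = New-Object 'Win32.NtObj+OBJECT_ATTRIBUTES'
    $oa.Length     = $M::SizeOf($oa)
    $oa.ObjectName = $namePtr
    $oa.Attributes = $OBJ_CASE_INSENSITIVE

    $target = New-Object 'Win32.NtObj+UNICODE_STRING'
    $target.MaximumLength = 1024
    $target.Buffer        = $M::AllocHGlobal(1024)
    $handle = [IntPtr]::Zero
    try {
        $status = [Win32.NtObj]::NtOpenSymbolicLinkObject([ref]$handle, $SYMBOLIC_LINK_QUERY, [ref]$oa)
        if ($status -ne 0) { throw ("NtOpenSymbolicLinkObject({0}) failed: 0x{1:X8}" -f $LinkPath, $status) }
        $returned = [uint32]0
        $status = [Win32.NtObj]::NtQuerySymbolicLinkObject($handle, [ref]$target, [ref]$returned)
        if ($status -ne 0) { throw ("NtQuerySymbolicLinkObject({0}) failed: 0x{1:X8}" -f $LinkPath, $status) }
        return $M::PtrToStringUni($target.Buffer, [int]($target.Length / 2))
    }
    finally {
        if ($handle -ne [IntPtr]::Zero) { [void][Win32.NtObj]::NtClose($handle) }
        $M::FreeHGlobal($target.Buffer)
        $M::FreeHGlobal($name.Buffer)
        $M::FreeHGlobal($namePtr)
    }
}

function Get-SystemDriveNtDevice {
    # QueryDosDevice maps a DOS drive letter (e.g. "C:") to its \Device\HarddiskVolumeN target.
    $sb = New-Object System.Text.StringBuilder 1024
    $n  = [Win32.NtObj]::QueryDosDeviceW($env:SystemDrive, $sb, 1024)
    if ($n -eq 0) { throw "QueryDosDeviceW($env:SystemDrive) failed" }
    return $sb.ToString()
}

function Test-WdFilterLoaded {
    # fltmc lists loaded minifilters by name; it needs an elevated prompt.
    $lines = & fltmc.exe filters 2>$null
    return [bool]($lines | Where-Object { $_ -match '^\s*WdFilter\s' })
}

function Test-DefenderBootDeviceRedirect {
    $bootDevice = Resolve-NtSymbolicLink '\Device\BootDevice'
    $sysDevice  = Get-SystemDriveNtDevice
    [pscustomobject]@{
        BootDeviceTarget  = $bootDevice
        SystemDriveDevice = $sysDevice
        BootDeviceMatches = ($bootDevice -ieq $sysDevice)
        WdFilterLoaded    = Test-WdFilterLoaded
    }
}

$r = Test-DefenderBootDeviceRedirect
$r | Format-List
if (-not $r.BootDeviceMatches) {
    Write-Warning "\Device\BootDevice resolves to '$($r.BootDeviceTarget)', expected '$($r.SystemDriveDevice)': possible object-manager redirection."
}
if (-not $r.WdFilterLoaded) {
    Write-Warning "WdFilter minifilter is not loaded; Defender's file-system protection is not active."
}
```

Two points are worth keeping in mind when using this. First, the comparison of \Device\BootDevice against the system drive is a heuristic for the common layout; on a machine where Windows deliberately lives on a different volume from the drive letter in %SystemDrive%, adjust the expected target rather than trusting the warning blindly. Second, because the redirection described in the article does not survive a reboot, this is a check for the live system state, and it pairs naturally with an object-manager or driver-load audit that runs on a schedule rather than once.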

