Microsoft Says That It Won't Allow Windows Defender To Be Disabled Via Registry To Support A Security Feature Called Tamper Protection

With the release of Windows 10 version 1903, Microsoft rolled out a new Tamper Protection security feature. This feature protects security settings for Defender antivirus from being disabled by third-party programs or malware. The company has now confirmed that it no longer let Defender to be disabled via the Windows 10 Registry to support this security feature. Microsoft Defender will now only be disabled via Windows Settings or when another antivirus is installed on the PC.

When the Tamper Protection security feature is enabled, it will only allow Windows Defender related settings to be changed when done via the Security settings screen. If any third-party program like malware, or ever PowerShell tries to change security settings, the Tamper Protection security feature will block the settings from being changed. Therefore, this feature is an integral part of the Windows 10 security environment, and you should enable this feature for increased protection from malware and malicious programs.

Previously, Microsoft Defender could be disabled by using the ‘Turn off Microsoft Defender Antivirus’ group policy. After this group policy is enabled, a ‘DisableAntiSpyware’ Registry value is created. This Registry value is set to 1 under HKEY_LOCAL_MICHINE/SOFTWARE/Policies/Microsoft/Windows Defender. Once this key is enabled, it will turn off Defender antivirus and third-party security software as well as applications.

Recently, we reported that Microsoft Defender would no longer be disabled via the Registry value since it is no longer needed. The company removed the ability to disable third-party security software and Defender via the Windows 10 Registry to prevent malware from tampering with security and protection settings. In the support documentation for DisableAntiSpyware, the company wrote that this setting is no longer necessary since the Defender will automatically turn itself off if another antivirus program is detected.


It is important to note that the Tamper Protection security feature is available in all Home as well as Pro editions of Windows 10 v1903 and higher. The feature is enabled by default.

However, BleepingComputer reported that its extensive testing has revealed that even with the Tamper Protection feature enabled, the Registry value worked briefly. According to BleepingComputer, when the feature is enabled and a malware rebooted the PC, Defender antivirus would be disabled for that specific session. And the Tamper Protection feature would kick in on the next reboot, and Windows Defender will be enabled again. BleepingComputer has reported on several infections who have particularly targeted Defender by disabling Microsoft Defender using the ‘DisableAntiSpyware’ Registry. According to BleepingComputer, the company has removed this policy not only as it is no longer necessary, but also to prevent hackers from exploiting it.



Read next: Microsoft had known about the spoofing vulnerability for almost two years, but it released Windows security patch just now

No comments:

Post a Comment