Tuesday, May 17, 2022

Killing Defender through NT symbolic links redirection while keeping it unbothered

With Administrator-level privileges and without interacting with the GUI, it’s possible to prevent Defender from doing its job while keeping it alive, and without disabling tamper protection, by redirecting the \Device\BootDevice NT symbolic link, which is part of the NT path from which Defender’s WdFilter driver binary is loaded. This can also be used to make Defender load an arbitrary driver, which no tool succeeds in locating, but it does not survive reboots. The code to do that is in APTort…
