diff --git a/src/application/collections/windows.yaml b/src/application/collections/windows.yaml index a96aa935..ab20205f 100644 --- a/src/application/collections/windows.yaml +++ b/src/application/collections/windows.yaml 
@@ -14963,20 +14963,43 @@ actions: # 3. Try `DisableServiceInRegistryAsTrustedInstaller` as last effort. children: - - name: Disable "Microsoft Defender Antivirus Service" - # โ—๏ธ Breaks `Set-MpPreference` PowerShell cmdlet that helps to manage Defender - # E.g. `Set-MpPreference -Force -MAPSReporting 0` throws: - # `Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference.` - # `Target: MAPS_MAPSReporting. FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference` + name: Disable "Microsoft Defender Antivirus Service" (breaks `Set-MpPreference` cmdlet) docs: |- - https://web.archive.org/web/20240314091238/https://batcmd.com/windows/10/services/windefend/ + This script disables the "Microsoft Defender Antivirus Service" and its associated process (`MsMpEng.exe`). - ### Overview of default service statuses + This service is known both as "Microsoft Defender Antivirus Service" [1] [2] and "Windows Defender Service" [2]. + It is the primary component of Microsoft Defender Antivirus [2], essential for its functionality [1] [3]. + It runs the `MsMpEng.exe` executable [4] [5]. + This executable is also known as "Microsoft Defender Antivirus service executable" [6] or "Antimalware Service Executable" [1]. + The executable is located at `%PROGRAMFILES%\Windows Defender` [4] [5] [6] on modern Windows versions + and at `%PROGRAMFILES%\Microsoft Security Client` on older versions [6]. + It is crucial for the functionality of Microsoft Defender for Endpoint [6]. - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (โ‰ฅ 22H2) | ๐ŸŸข Running | Automatic | - | Windows 11 (โ‰ฅ 23H2) | ๐ŸŸข Running | Automatic | + Disabling this service interrupts the `Set-MpPreference` PowerShell cmdlet. + This cmdlet configures preferences for Windows Defender scans and updates [7]. + Attempting to use this cmdlet after disabling the service results in an error. 
+ Here is an example: + + ``` + $ Set-MpPreference -Force -MAPSReporting 0 + + Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference. + Target: MAPS_MAPSReporting. FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference. + ``` + + Disabling this service may optimize system performance by reducing resource usage. + + > **Caution:** Disabling this service: + > - May impair your ability to configure Defender scans and updates using PowerShell. + > - Decreases your security by affecting real-time malware protection. + + [1]: https://web.archive.org/web/20240609145624/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows Overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240609150337/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-worldwide "Microsoft Defender Antivirus on Windows Server - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240609145030/https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide "Troubleshoot Microsoft Defender for Endpoint onboarding issues - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240314091238/https://batcmd.com/windows/10/services/windefend/ "Microsoft Defender Antivirus Service - Windows 10 Service - batcmd.com | batcmd.com" + [5]: https://web.archive.org/web/20240609144111/https://batcmd.com/windows/11/services/windefend/ "Microsoft Defender Antivirus Service - Windows 11 Service - batcmd.com | batcmd.com" + [6]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - 
Proxy Service URLs (Commercial) | download.microsoft.com" + [7]: https://web.archive.org/web/20240609150331/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com" call: - # Windows 10 (22H2): โŒ `DisableService` | โŒ `DisableServiceInRegistry` | โœ… `DisableServiceInRegistryAsTrustedInstaller` @@ -14985,11 +15008,17 @@ actions: parameters: serviceName: WinDefend # Check: (Get-Service -Name 'WinDefend').StartType defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual - # - # โŒ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2 + # - + # # โŒ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2 + # # Something like SoftDeleteFiles | RunAsTrustedInstaller would solve the issue. # function: SoftDeleteFiles # parameters: # fileGlob: '%PROGRAMFILES%\Windows Defender\MsMpEng.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... # grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MsMpEng.exe - category: Disable Defender kernel-level drivers children: 
@@ -14997,7 +15026,8 @@ actions: - name: Disable "Microsoft Defender Antivirus Network Inspection System Driver" service docs: |- - https://web.archive.org/web/20240314062056/https://batcmd.com/windows/10/services/wdnisdrv/ + - https://web.archive.org/web/20240314062056/https://batcmd.com/windows/10/services/wdnisdrv/ + - https://web.archive.org/web/20240609145030/https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide ### Overview of default service statuses @@ -15026,6 +15056,7 @@ actions: docs: |- - https://web.archive.org/web/20240314091638/https://n4r1b.com/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/ - https://web.archive.org/web/20240314062047/https://batcmd.com/windows/10/services/wdfilter/ + - https://web.archive.org/web/20240609145030/https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide ### Overview of default service statuses @@ -15053,6 +15084,7 @@ actions: name: Disable "Microsoft Defender Antivirus Boot Driver" service docs: |- https://web.archive.org/web/20240314062057/https://batcmd.com/windows/10/services/wdboot/ + https://web.archive.org/web/20240609145030/https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide ### Overview of default service statuses 
@@ -15077,9 +15109,23 @@ actions: grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 - name: Disable "Microsoft Defender Antivirus Network Inspection" service - docs: |- - - https://web.archive.org/web/20240314091310/https://batcmd.com/windows/10/services/wdnissvc/ - - https://www.howtogeek.com/357184/what-is-microsoft-network-realtime-inspection-service-nissrv.exe-and-why-is-it-running-on-my-pc/ + docs: |- # TODO: Revise + This script disables the "Microsoft Defender Antivirus Network Inspection" and its associated process (`NisSrv.exe`). + + This script disables `NisSrv.exe` process. + This process provides functionality to Microsoft Defender Antivirus Network Realtime Inspection [1]. + + It's found at `%PROGRAMFILES%\Windows Defender` on modern versions of Windows and + `%PROGRAMFILES%\Microsoft Security Client` on older versions of Windows [1]. + + This component is associated with Microsoft Defender for Endpoint [1]. + + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + + TODO: https://batcmd.com/windows/10/services/wdnissvc/ + TODO: https://batcmd.com/windows/11/services/wdnissvc/ + TODO: https://www.howtogeek.com/357184/what-is-microsoft-network-realtime-inspection-service-nissrv.exe-and-why-is-it-running-on-my-pc/ + TODO: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows ### Overview of default service statuses 
@@ -15095,36 +15141,17 @@ actions: parameters: serviceName: WdNisSvc # Check: (Get-Service -Name 'WdNisSvc').StartType defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - # - # โŒ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2 + # - + # # โŒ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2 + # # Something like SoftDeleteFiles | RunAsTrustedInstaller would solve the issue. # function: SoftDeleteFiles # parameters: # fileGlob: '%PROGRAMFILES%\Windows Defender\NisSrv.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... # grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 - - - name: Disable "Windows Defender Advanced Threat Protection Service" service - docs: |- - https://web.archive.org/web/20240314091443/https://batcmd.com/windows/10/services/sense/ - - ### Overview of default service statuses - - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (โ‰ฅ 22H2) | ๐Ÿ”ด Stopped | Manual | - | Windows 11 (โ‰ฅ 23H2) | ๐Ÿ”ด Stopped | Manual | - call: - - - function: DisableServiceInRegistry - # Windows 10 (22H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` | โœ… `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (22H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` | โœ… `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (23H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` | โœ… `DisableServiceInRegistryAsTrustedInstaller` - parameters: - serviceName: Sense # Check: (Get-Service -Name 'Sense').StartType - defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - - function: SoftDeleteFiles + function: 
TerminateAndBlockExecution parameters: - fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\MsSense.exe' - grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 + executableNameWithExtension: NisSrv.exe - name: Disable "Windows Security Service" service docs: |- 
@@ -15156,11 +15183,182 @@ actions: parameters: serviceName: SecurityHealthService # Check: (Get-Service -Name 'SecurityHealthService').StartType defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SecurityHealthService.exe - function: SoftDeleteFiles parameters: fileGlob: '%WINDIR%\System32\SecurityHealthService.exe' grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 + - + name: Disable "Microsoft Defender Antivirus Core Service" process + docs: |- # TODO: Add docs about the service MdCoreSvc + This script disables `MpDefenderCoreService.exe` process. + + This process provides functionality to Microsoft Defender Antivirus Core Service [1]. + + It's found at `%PROGRAMFILES%\Windows Defender` on Windows 10 or Windows Server 2019 and above [1]. + + This component is associated with Microsoft Defender for Endpoint [1]. + + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (โ‰ฅ 22H2) | ๐ŸŸก Missing | N/A | + | Windows 11 (โ‰ฅ 23H2) | ๐ŸŸก Missing | N/A | + call: + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MpDefenderCoreService.exe + - + function: DisableService + parameters: + serviceName: MdCoreSvc # Check: (Get-Service -Name 'MdCoreSvc').StartType + defaultStartupMode: Automatic # Allowed values: Automatic | Manual + - + name: Disable "Microsoft Data Loss Prevention Service" service + docs: |- # TODO: Document MDDlpSvc + This script disables `MpDlpService.exe` process. 
+ + This service is known as *Microsoft Data Loss Prevention Service* [2] [1], + *Microsoft Endpoint DLP service* [2] or *Microsoft Purview Data Loss Prevention Service* [1]. + This service is technically known as `MDDlpSvc` [3]. + This service runs `MpDlpService.exe` process [3] [1]. + + It's found at `%PROGRAMFILES%\Windows Defender` on Windows 10 or Windows Server 2019 and above [1]. + + This component is associated with Microsoft Defender for Endpoint [1]. + This service belongs to Microsoft Defender Antivirus [3]. + + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (โ‰ฅ 22H2) | ๐ŸŸก Missing | N/A | + | Windows 11 (โ‰ฅ 23H2) | ๐ŸŸก Missing | N/A | + + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [2]: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows + [3]: https://techcommunity.microsoft.com/t5/public-sector-blog/december-2023-microsoft-365-us-public-sector-roadmap-newsletter/ba-p/4010161#toc-hId-115986265 + call: + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MpDlpService.exe + - + function: DisableService + parameters: + serviceName: MDDlpSvc # Check: (Get-Service -Name 'MDDlpSvc').StartType + defaultStartupMode: Automatic # Allowed values: Automatic | Manual + - + category: Disable Defender processes + children: + - + name: Disable "Microsoft Malware Protection Copy Accelerator Utility" process + docs: |- # TODO: Revise docs + https://www.freefixer.com/library/file/MpCopyAccelerator.exe-308540/ + https://www.reddit.com/r/WindowsHelp/comments/prbaxw/microsoft_malware_protection_copy_accelerator/ + https://www.file.net/process/mpcopyaccelerator.exe.html + 
https://forum.romexsoftware.com/en-us/viewtopic.php?t=5358 + + According to test this file does not exist on Windows 10 since 22H2 but exists on Windows 11 since 23H2. + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MpCopyAccelerator.exe + # - + # # โŒ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 11 23H2 + # # Something like SoftDeleteFiles | RunAsTrustedInstaller would solve the issue. + # function: SoftDeleteFiles + # parameters: + # fileGlob: '%PROGRAMFILES%\Windows Defender\MpCopyAccelerator.exe' + # grantPermissions: 'true' # ๐Ÿ” Missing on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + name: Disable "Microsoft Defender Antivirus command-line utility" process + docs: |- # TODO: Revise docs + This script disables `MpCmdRun.exe` process. + + This process provides functionality to Microsoft Defender Antivirus command-line utility [1]. + + It's found at `%PROGRAMFILES%\Windows Defender` on modern versions of Windows and + `%PROGRAMFILES%\Microsoft Security Client` on older versions of Windows [1]. + + This component is associated with Microsoft Defender for Endpoint [1]. 
+ + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + + TODO: https://learn.microsoft.com/en-us/defender-endpoint/command-line-arguments-microsoft-defender-antivirus + TODO: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MpCmdRun.exe + # - + # # โŒ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 23H2 + # # Something like SoftDeleteFiles | RunAsTrustedInstaller would solve the issue. + # function: SoftDeleteFiles + # parameters: + # fileGlob: '%PROGRAMFILES%\Windows Defender\MpCmdRun.exe' + # grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + name: Disable "Microsoft Endpoint DLP command-line utility" process + docs: |- # TODO: Revise docs + This script disables `MpDlpCmd.exe` process. + + This process provides functionality to Microsoft Endpoint DLP command-line utility [1]. + + It's found at `%PROGRAMFILES%\Windows Defender` on Windows 10 or Windows Server 2019 and above [1]. + + This component is associated with Microsoft Defender for Endpoint [1]. + + According to tests, this file exists since Windows 11 23H2, but not on Windows 10 since 22H2. 
+ + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + TODO: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MpDlpCmd.exe + # - + # # โŒ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 23H2 + # # Something like SoftDeleteFiles | RunAsTrustedInstaller would solve the issue. + # function: SoftDeleteFiles + # parameters: + # fileGlob: '%PROGRAMFILES%\Windows Defender\MpCmdRun.exe' + # grantPermissions: 'true' # ๐Ÿ” Missing on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + name: Disable "Microsoft Security Client Policy Configuration Tool" process + docs: |- # TODO: Revise docs + This script disables `ConfigSecurityPolicy.exe` process. + + This process provides functionality to Microsoft Security Client Policy Configuration Tool [1]. + + It's found at `%PROGRAMFILES%\Windows Defender` on modern versions of Windows and + `%PROGRAMFILES%\Microsoft Security Client` on older versions of Windows [1]. + + This component is associated with Microsoft Defender for Endpoint [1]. 
+ + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + + TODO: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide + TODO: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: ConfigSecurityPolicy.exe + # - + # # โŒ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 23H2 + # # Something like SoftDeleteFiles | RunAsTrustedInstaller would solve the issue. + # function: SoftDeleteFiles + # parameters: + # fileGlob: '%PROGRAMFILES%\Windows Defender\ConfigSecurityPolicy.exe' + # grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 - category: Disable SmartScreen docs: 
@@ -15451,6 +15649,610 @@ actions: code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f revertCode: |- # Has "1" value in "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" as default reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "1" /f + - + category: Disable Microsoft Defender for Endpoint + docs: |- # TODO: Revise docs + Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise + networks prevent, detect, investigate, and respond to advanced threats [1]. + + This product was previously known as **Microoft Defender Advanced Threat Protection (ATP)** [2]. + Some of the components of Microsoft Defender for Endpoint are built-in and shipped by default on Windows [3]. + + [1]: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint + [2]: https://web.archive.org/web/20240716092018/https://www.microsoft.com/en-us/security/blog/2020/09/22/microsoft-unified-siem-xdr-modernize-security-operations/ "Microsoft delivers unified SIEM and XDR to modernize security operations | Microsoft Security Blog | www.microsoft.com" + [3]: https://web.archive.org/web/20240609160137/https://batcmd.com/windows/11/services/sense/ "Windows Defender Advanced Threat Protection Service - Windows 11 Service - batcmd.com | batcmd.com" + children: + # TODO: + # - + # HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection + # AllowSampleCollection + # https://github.com/MicrosoftDocs/defender-docs/blob/2b814ab6f6275714ef5bd4362a9f432469bb2a3a/defender-endpoint/configure-endpoints-script.md?plain=1#L74-L93 + # - + # Remove User identifier + # HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection!senseGuid + # https://github.com/AdamGrossTX/microsoft-365-docs/blob/416039e67062561bfb6013dcdda98966e1025655/microsoft-365/compliance/device-onboarding-vdi.md?plain=1#L138 + # 
TODO: Google more about `SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` + - + name: Disable "Windows Defender Advanced Threat Protection Service" service + docs: |- # refactor-with-variables: Same โ€ข Defender For Endpoint Caution + This script disables the "Windows Defender Advanced Threat Protection Service" and + its associated process (`MsSense.exe`). + + This service is part of **Windows Defender Advanced Threat Protection (ATP)** component [1] [2]. + This component was later renamed to **Microsoft Defender for Endpoint** [3]. + This service provides crucial functionality for Microsoft Defender for Endpoint [4] [5]. + + It monitors and reports security events, helping assess threats [1] [2]. + Disabling this service enhances privacy by minimizing the collection of potentially personal and sensitive data. + This action may also improve system performance by stopping unnecessary processes. + However, it may reduce security, as it diminishes the system's ability to detect and manage threats. + + The service operates through the `MsSense.exe` executable [1] [2]. + This file is located in: + - `%PROGRAMFILES%\Windows Defender Advanced Threat Protection` on newer systems [1] [2] [4] + - `%PROGRAMDATA%\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\MsSense.exe` on older systems [3]. + + > **Caution:** + > This may impair your system's ability to monitor and report on security threats effectively. 
+ + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (โ‰ฅ 22H2) | ๐Ÿ”ด Stopped | Manual | + | Windows 11 (โ‰ฅ 23H2) | ๐Ÿ”ด Stopped | Manual | + + [1]: https://web.archive.org/web/20240609160216/https://batcmd.com/windows/10/services/sense/ "Windows Defender Advanced Threat Protection Service - Windows 10 Service - batcmd.com | batcmd.com" + [2]: https://web.archive.org/web/20240609160137/https://batcmd.com/windows/11/services/sense/ "Windows Defender Advanced Threat Protection Service - Windows 11 Service - batcmd.com | batcmd.com" + [3]: https://web.archive.org/web/20240716092018/https://www.microsoft.com/en-us/security/blog/2020/09/22/microsoft-unified-siem-xdr-modernize-security-operations/ "Microsoft delivers unified SIEM and XDR to modernize security operations | Microsoft Security Blog | www.microsoft.com" + [4]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [5]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + call: + - + function: DisableServiceInRegistry + # Windows 10 (22H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` | โœ… `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (22H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` | โœ… `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (23H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` | โœ… `DisableServiceInRegistryAsTrustedInstaller` + parameters: + serviceName: Sense # Check: (Get-Service -Name 'Sense').StartType + defaultStartupMode: Manual # Allowed values: Boot | System | 
Automatic | Manual + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MsSense.exe + - + function: SoftDeleteFiles + parameters: + fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\MsSense.exe' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 + - + name: Disable SENSE feature + docs: |- # refactor-with-variables: Same โ€ข Defender For Endpoint Caution + This script disables the SENSE feature. + + SENSE is a behavioral sensor for Defender [1]. + It was initially part of *Microsoft Defender Advanced Threat Protection (ATP)* [1]. + IT is now a feature of **Microsoft Defender for Endpoint** after the product was renamed [2]. + + SENSE collects data to support security operations [1]. + This user behavior monitoring poses privacy concerns. + + Disabling SENSE enhances privacy by reducing data collection. + It may also improve system performance by eliminating unnecessary processes. + However, turning off this feature may compromise your system's security by weakening its ability + to detect and manage threats. + + The script modifies the registry key `HKLM\SOFTWARE\Microsoft\Windows Defender\Features!SenseEnabled` + to disable the SENSE feature. While not officially documented, this key affects various Defender components, + including threat assessment [3], SmartScreen [4], the Sense service [5], and the Defender process [6]. + + > **Caution:** + > This may impair your system's ability to monitor and report on security threats effectively. 
+ + [1]: https://web.archive.org/web/20180302010434/https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection "Review events and errors on endpoints with Event Viewer | Microsoft Docs | web.archive.org" + [2]: https://web.archive.org/web/20240716092018/https://www.microsoft.com/en-us/security/blog/2020/09/22/microsoft-unified-siem-xdr-modernize-security-operations/ "Microsoft delivers unified SIEM and XDR to modernize security operations | Microsoft Security Blog | www.microsoft.com" + [3]: https://github.com/privacysexy-forks/10_0_22621_1028/blob/3e002a687dbcd05bebe48401714021cf670c5bd8/C/Windows/System32/ThreatAssessment.dll.strings#L12405 "10_0_22621_1028/C/Windows/System32/ThreatAssessment.dll.strings at 3e002a687dbcd05bebe48401714021cf670c5bd8 ยท privacysexy-forks/10_0_22621_1028 ยท GitHub | github.com" + [4]: https://github.com/privacysexy-forks/10_0_22621_891/blob/fde7af7776698377aceb48a54bcf7bedaadd5c2d/C/Windows/System32/smartscreen.dll.strings#L14704 "10_0_22621_891/C/Windows/System32/smartscreen.dll.strings at fde7af7776698377aceb48a54bcf7bedaadd5c2d ยท privacysexy-forks/10_0_22621_891 ยท GitHub | github.com" + [5]: https://github.com/privacysexy-forks/10_0_17763_1/blob/6151931b169f55ce8b8581c39bb508a661e4085b/C/Windows/WinSxS/amd64_windows-senseclient-service_31bf3856ad364e35_10.0.17763.1_none_98eaa6f2e75e3772/MsSense.exe.strings#L9704 "10_0_17763_1/C/Windows/WinSxS/amd64_windows-senseclient-service_31bf3856ad364e35_10.0.17763.1_none_98eaa6f2e75e3772/MsSense.exe.strings at 6151931b169f55ce8b8581c39bb508a661e4085b ยท privacysexy-forks/10_0_17763_1 ยท GitHub | github.com" + [6]: https://github.com/privacysexy-forks/10_0_22000_1165/blob/92680a67167c80bd9f2c8e58bd304b801a18860d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762/MsMpEng.exe.strings#L522 
"10_0_22000_1165/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762/MsMpEng.exe.strings at 92680a67167c80bd9f2c8e58bd304b801a18860d ยท privacysexy-forks/10_0_22000_1165 ยท GitHub | github.com" + call: + function: RunInlineCodeAsTrustedInstaller + # โŒ Fails with "ERROR: Access is denied." in Windows 11 Pro (โ‰ฅ 23H2) and Windows 10 Pro (โ‰ฅ 22H2) + parameters: + code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "SenseEnabled" /t REG_DWORD /d "1" /f + revertCode: >- # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "SenseEnabled" /f 2>nul + - + name: Disable "Microsoft Defender for Endpoint communication module" process + docs: |- # TODO: Revise docs + This script disables `SenseCnCProxy.exe` process. + + This process provides functionality to rosoft Defender for Endpoint communication mod [1]. + + It's found at `%PROGRAMFILES%\Windows Defender Advanced Threat Protection` on Windows 10 + or Windows Server 2012 and above [1] [2]. + It's found at `%PROGRAMDATA%\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCnCProxy.exe` on older systems [2]. + + This component is associated with Microsoft Defender for Endpoint [1]. + + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SenseCnCProxy.exe + - + name: Disable "Microsoft Defender for Endpoint Sense IR (Incident Response) module" process + docs: |- # TODO: Revise docs + This script disables `SenseIR.exe` process. + + This process provides functionality to Microsoft Defender for Endpoint Sense IR (Incident Response) module [1]. 
+ + It's found at `%PROGRAMFILES%\Windows Defender Advanced Threat Protection` on Windows 10 + or Windows Server 2012 and above [1] [2]. + It's found at `%PROGRAMDATA%\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseIR.exe` on older systems [2]. + + This component is associated with Microsoft Defender for Endpoint [1] [2]. + + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [2]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SenseIR.exe + - + name: Disable "Microsoft Defender for Endpoint Sense CE (Classification Engine) module" process + docs: |- # TODO: Revise docs + This script disables `SenseCE.exe` process. + + This process provides functionality to Microsoft Defender for Endpoint Sense CE (Classification Engine) module [1]. + + It's found at `%PROGRAMFILES%\Windows Defender Advanced Threat Protection\Classification` on Windows 10 + or Windows Server 2019 and above [1] [2]. + It's found at `%PROGRAMDATA%\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCE.exe` on older systems [2]. + + This component is associated with Microsoft Defender for Endpoint [1] [2]. 
+ + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [2]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SenseCE.exe + - + name: Disable "Microsoft Defender for Endpoint Sample Upload module" process + docs: |- # TODO: Revise docs + This script disables `SenseSampleUploader.exe` process. + + This process provides functionality to Microsoft Defender for Endpoint Sample Upload module [1]. + + It's found at `%PROGRAMFILES%\Windows Defender Advanced Threat Protection` on Windows 10 + or Windows Server 2012 and above [1] [2]. + It's found at `%PROGRAMDATA%\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseSampleUploader.exe` on older systems [2]. + + This component is associated with Microsoft Defender for Endpoint [1] [2]. 
+ + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [2]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SenseSampleUploader.exe + - + name: Disable "Microsoft Defender for Endpoint Sense NDR (Network Detection and Response) module" process + docs: |- # TODO: Revise docs + This script disables `SenseNdr.exe` process. + + This process provides functionality to Microsoft Defender for Endpoint Sense NDR (Network Detection and Response) module [1]. + + It's found at `%PROGRAMFILES%\Windows Defender Advanced Threat Protection` on Windows 10 + or Windows Server 2019 and above [1] [2]. + + This component is associated with Microsoft Defender for Endpoint [1] [2]. + + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [2]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SenseNdr.exe + - + name: Disable "Microsoft Defender for Endpoint Sense SC (Screenshot Capture) module" process + docs: |- # TODO: Revise docs + This script disables `SenseSC.exe` process. 
+ + This process provides functionality to Microsoft Defender for Endpoint Sense SC (Screenshot Capture) module [1]. + + It's found at `%PROGRAMFILES%\Windows Defender Advanced Threat Protection` on Windows 10 + or Windows Server 2019 and above [1] [2]. + + This component is associated with Microsoft Defender for Endpoint [1] [2]. + + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [2]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SenseSC.exe + - + name: Disable "Microsoft Defender for Endpoint Sense CM (Configuration Management)" process + docs: |- # TODO: Revise docs + This script disables `SenseCM.exe` process. + + This process provides functionality to Microsoft Defender for Endpoint Sense CM (Configuration Management) [1]. + + It's found at `%PROGRAMFILES%\Windows Defender Advanced Threat Protection` on Windows 10 + or Windows Server 2012 and above [1] [2]. + It's found at `%PROGRAMDATA%\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCM.exe` on older systems [2]. + + This component is associated with Microsoft Defender for Endpoint [1] [2]. 
+ + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [2]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SenseCM.exe + - + name: Disable "Microsoft Defender for Endpoint Sense TVM (Threat Vulnerability Management)" process + docs: |- # TODO: Revise docs + This script disables `SenseTVM.exe` process. + + This process provides functionality to Microsoft Defender for Endpoint Sense TVM (Threat Vulnerability Management) [1]. + + It's found at `%PROGRAMFILES%\Windows Defender Advanced Threat Protection` on Windows 10 + or Windows Server 2012 and above [1] [2]. + It's found at `%PROGRAMDATA%\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseTVM.exe` on older systems [2]. + + This component is associated with Microsoft Defender for Endpoint [1] [2]. 
+ + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [2]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SenseTVM.exe + - + category: Disable Defender for Endpoint connectivity checks + docs: |- # refactor-with-variables: Same โ€ข Defender Connectivity Checks Caution + This category includes scripts to disable tools that perform connectivity tests required for Defender for Endpoint to function properly. + + Defender requires communication with specific URLs [1] and processes [2]. + These tools verify this communication [3]. + + Disabling these tools reduces the amount of data sent to Microsoft, thus enhancing your privacy by limiting external access to your information. + However, this action may compromise the security functionality of Defender for Endpoint. + + > **Caution:** Disabling connectivity checks may lead to connectivity issues with Microsoft servers and reduce your system's security. 
+ + [1]: https://web.archive.org/web/20240706095956/https://learn.microsoft.com/en-us/defender-endpoint/configure-environment "Configure your network environment to ensure connectivity with Defender for Endpoint service - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240706100039/https://learn.microsoft.com/en-us/defender-endpoint/run-analyzer-windows "Run the client analyzer on Windows - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + children: + - + name: Disable "Microsoft Defender for Endpoint Client Analyzer" process + docs: |- # refactor-with-variables: Same โ€ข Defender Connectivity Checks Caution + This script disables `MDEClientAnalyzer.exe` process. + + This process verifies connectivity to Microsoft's cloud services [1]. + The tool tests connections to specific cloud service URLs, crucial for the proper function of Microsoft Defender for Endpoint [1]. + It is designed for modern Windows operating systems [1]. + + Disabling this process improves privacy by preventing data from being sent to Microsoft and potentially inspected. + However, this reduces Defender for Endpoint's security effectiveness and may cause connectivity issues with Microsoft services. + + > **Caution:** Disabling connectivity checks may lead to connectivity issues with Microsoft servers and reduce your system's security. 
+ + [1]: https://web.archive.org/web/20240706100039/https://learn.microsoft.com/en-us/defender-endpoint/run-analyzer-windows "Run the client analyzer on Windows - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MDEClientAnalyzer.exe + - + name: Disable outdated "Microsoft Defender for Endpoint Client Analyzer (Previous Version)" process + docs: |- # refactor-with-variables: Same โ€ข Defender Connectivity Checks Caution + This script disables the `MDEClientAnalyzerPreviousVersion.exe` process. + + This tool performs connectivity tests on older versions of Windows and editions using the outdated Microsoft Monitoring Agent (MMA) [1]. + + The process tests connectivity for Command and Control (CnC) URLs [1], crucial for the functionality of Defender for Endpoint. + + Disabling this tool enhances privacy by limiting data transmission to Microsoft, but it may decrease the security + functionality of Defender for Endpoint. + + > **Caution:** Disabling connectivity checks may lead to connectivity issues with Microsoft servers and reduce your system's security. + + [1]: https://web.archive.org/web/20240706100039/https://learn.microsoft.com/en-us/defender-endpoint/run-analyzer-windows "Run the client analyzer on Windows - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MDEClientAnalyzerPreviousVersion.exe + - + category: Disable outdated Microsoft Monitoring Agent (MMA) specific processes + docs: |- # TODO: Research done, revision needed + The old agent for Defender for Endpoint depends on Microsoft Monitoring Agent (MMA) [1]. + Microsoft Monitoring Agent (MMA) is a legacy component retired in August 2024 [1]. + + Before April of 2022, Defender for Endpoint required to use required the use of Microsoft + Monitoring Agent (MMA) [2]. 
+ The new unified solution package makes it easier to onboard servers by removing dependencies and + installation steps [2]. It also provides a much expanded feature set [2]. + + Scripts in this category impairs the usage of Microsoft Monitoring Agent (MMA) for + other purposes such as Log Analytics [1]. + + Old systems such as Windows 7 SP1, Windows 8.1, or Windows Server 2008 R2 remain dependent + on MMA [1]. + + They ma improves privacy by.. + They can also improve systtem performance by.. + However they may reduce your security by.. + + > **Caution:** + > This may limit the Microsoft Monitoring Agent's capabilities beyond just affecting Microsoft Defender for Endpoint. + + [1]: https://web.archive.org/web/20240707095718/https://learn.microsoft.com/en-us/defender-endpoint/update-agent-mma-windows "Update your agent on devices for Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240707095722/https://learn.microsoft.com/en-us/defender-endpoint/configure-server-endpoints "Onboard Windows servers to the Microsoft Defender for Endpoint service - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + children: + - + name: Disable outdated "Microsoft Monitoring Agent Service Host Process" process + docs: |- # refactor-with-variables: Same โ€ข MMA Caution # TODO: Research done, revision needed + This script disables `MonitoringHost.exe` process. + + This process is known as Microsoft Monitoring Agent Service Host Process [1]. + It's also known as *Health Service Host Process* [6] or + *System Center Management Service Host Process* [6]. + + Disabling this process improves your performance as it's associated with high CPU usage [3] [5] and memory usage [4]. + + It's found at `%PROGRAMFILES%\Microsoft Monitoring Agent\Agent\MonitoringHost.exe` [1] [2]. + This process is only found on outdated Microsoft Monitoring Agent deployments [2]. 
+ It applies to Windows 8.1, Windows 7 and Windows Server 2008 R2 SP1 [2]. + This agent is used by Microsoft Defender for Endpoint [2]. + + This component is associated with Microsoft Defender for Endpoint [1] [2]. + + In System Center Operations Manager, management servers, gateway servers, and agents all execute a process called + MonitoringHost.exe [6]. + MonitoringHost.exe is used to accomplish monitoring activities such as executing a monitor or running a task [6]. + The other examples of the actions MonitoringHost.exe performs include [6]: + - Monitoring and collecting Windows event log data [6] + - Monitoring and collecting Windows performance counter data [6] + - Monitoring and collecting Windows Management Instrumentation (WMI) data [6] + - Running actions such as scripts or batches [6] + + This script improves privac by.. + It can also improve systtem performance by.. + However it may reduce your security by.. + + > **Caution:** + > This may limit the Microsoft Monitoring Agent's capabilities beyond just affecting Microsoft Defender for Endpoint. 
+ + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [2]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240707095408/https://support.microsoft.com/en-us/topic/the-monitoringhost-exe-process-may-consume-all-the-cpu-resources-when-a-large-amount-of-performance-data-is-created-by-using-a-managed-data-source-module-in-system-center-operations-manager-2007-02b514c3-9c69-a2ab-d03c-63f4d177c4a3 "The Monitoringhost.exe process may consume all the CPU resources when a large amount of performance data is created by using a managed data source module in System Center Operations Manager 2007 - Microsoft Support | support.microsoft.com" + [4]: https://web.archive.org/web/20240707095403/https://support.microsoft.com/en-us/topic/the-monitoringhost-exe-process-on-the-system-center-operations-manager-2007-root-management-server-may-consume-more-than-2-gigabytes-of-memory-8ba36640-3d98-b636-463f-915985b8d45e "The MonitoringHost.exe process on the System Center Operations Manager 2007 root management server may consume more than 2 gigabytes of memory - Microsoft Support | support.microsoft.com" + [5]: https://web.archive.org/web/20240707095358/https://support.microsoft.com/en-us/topic/operations-manager-agents-consume-100-percent-of-cpu-resources-for-the-monitoringhost-exe-process-a0523d63-aead-a4cf-0a29-387b7147ed49 "Operations Manager agents consume 100 percent of CPU resources for the Monitoringhost.exe process - Microsoft Support | support.microsoft.com" + [6]: 
https://web.archive.org/web/20240707095353/https://www.file.net/process/monitoringhost.exe.html "MonitoringHost.exe Windows process - What is it? | file.net" + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MonitoringHost.exe + - + name: Disable outdated "Health Service" process + docs: |- # refactor-with-variables: Same โ€ข MMA Caution # TODO: Research done, revision needed + This script disables `HealthService.exe` process. + + This process is ismply known as "Health Service" [4]. + This process provides functionality to Microsoft Monitoring Agent Service [1]. + + It runs timed scripts [4]. + + It's found at `%PROGRAMFILES%\Microsoft Monitoring Agent\Agent\HealthService.exe` [1] [3]. + This process is only found on outdated Microsoft Monitoring Agent deployments [3]. + It applies to Windows 8.1, Windows 7 and Windows Server 2008 R2 SP1 [3]. + This agent is used by Microsoft Defender for Endpoint [3]. + + This component is associated with Microsoft Defender for Endpoint [1] [3]. + + HealthService.exe runs as a background process and monitors certain performance functions of your PC [5]. + + Disabling this service will disable prevent Heartbeat messages from being sent to Azure [2], + causing the computer to be listed as "unresponsive agent" in Azure Portal [2]. + + Preventing these messages from being sent improves your privacy. + It improves your system performance this process is associated with high memory usage [4] and CPU usage [5]. + However it may decrease your security. + + > **Caution:** + > -This may limit the Microsoft Monitoring Agent's capabilities beyond just affecting Microsoft Defender for Endpoint. 
+ + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [2]: https://web.archive.org/web/20240707094531/https://learn.microsoft.com/en-us/services-hub/unified/health/assessments-troubleshooting "Troubleshooting the On-Demand Assessments (MMA) | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240707095334/https://support.microsoft.com/en-us/topic/when-the-health-service-healthservice-exe-runs-timed-scripts-in-system-center-operations-manager-2007-high-memory-usage-may-occur-ed41d3c6-8090-073e-be49-4d4f643c27d1 "When the Health Service (HealthService.exe) runs timed scripts in System Center Operations Manager 2007, high memory usage may occur - Microsoft Support | support.microsoft.com" + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: HealthService.exe + - + name: Disable outdated "Microsoft Monitoring Agent Cloud Connection Test utility" process + docs: |- # refactor-with-variables: Same โ€ข Defender Connectivity Checks Caution โ€ข MMA Caution # TODO: Research done, revision needed + This script disables `TestCloudConnection.exe` process. + + It's known as Microsoft Monitoring Agent connectivity tool [4]. + This process provides functionality to Microsoft Monitoring Agent Cloud Connection Test utility [1]. + + It's found at `%PROGRAMFILES%\Microsoft Monitoring Agent\Agent` [1]. + + This component is associated with Microsoft Defender for Endpoint [1] [4] [6]. 
+ + This utility to used to verify that the computers can succesfully connect to Microsoft Monitoring Agent [2]. + + This utility is used to onboard "Microsoft Defender for Cloud" [3] [5]. + Disabling it impairs onboarding to "Microsoft Defender for Cloud". + + This process is outdated since April 2022, as Microsoft deprecates Microsoft Monitoring Agent (MMA) over + a *modern unified solution* as they call it [4]. + This process is only found on outdated Microsoft Monitoring Agent deployments [6]. + It applies to Windows 8.1, Windows 7 and Windows Server 2008 R2 SP1 [6]. + This agent is used by Microsoft Defender for Endpoint [6]]. + + It is used for testing connectivity to Cyber Data channel URLs [4]. + These URLs are specific web addresses that Microsoft Defender for Endpoint uses to transmit security data. + + Its executable is typically found at `%PROGRAMFILES%\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` [6]. + + This script improves privac by.. + It can also improve systtem performance by.. + However it may reduce your security by.. + + > **Caution:** + > - This may limit the Microsoft Monitoring Agent's capabilities beyond just affecting Microsoft Defender for Endpoint. + > - Disabling connectivity checks may lead to connectivity issues with Microsoft servers and reduce your system's security. 
+ + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [2]: https://web.archive.org/web/20240707094531/https://learn.microsoft.com/en-us/services-hub/unified/health/assessments-troubleshooting "Troubleshooting the On-Demand Assessments (MMA) | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240707094548/https://learn.microsoft.com/en-us/defender-endpoint/verify-connectivity "Verify client connectivity to Microsoft Defender for Endpoint service URLs - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240706100039/https://learn.microsoft.com/en-us/defender-endpoint/run-analyzer-windows "Run the client analyzer on Windows - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [5]: https://web.archive.org/web/20240707094522/https://learn.microsoft.com/en-us/azure/defender-for-cloud/monitoring-components "Overview of the extensions that collect data from your workloads - Microsoft Defender for Cloud | Microsoft Learn | learn.microsoft.com" + [6]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: TestCloudConnection.exe + - + name: Disable outdated "Performance Snapshot Helper" process + docs: |- # refactor-with-variables: Same โ€ข MMA Caution # TODO: Research done, revision needed + This script disables `MOMPerfSnapshotHelper.exe` process. + + It's found at `%PROGRAMFILES%\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe` [1] [2]. 
+ This process is Used to create list of performance counters available on this computer [2]. + It collects to collect performance counter information [3]. + + Disabling this process prevents data collection that improves your privcacy. + Disabling this process may increase your system performance as this process is historically associated with + high CPU usage [3]. + However, this action may reduce your security. + + This process is only found on outdated Microsoft Monitoring Agent deployments [1]. + It applies to Windows 8.1, Windows 7 and Windows Server 2008 R2 SP1 [1]. + This agent is used by Microsoft Defender for Endpoint [1]. + + This component is associated with Microsoft Defender for Endpoint [1]. + + > **Caution:** + > This may limit the Microsoft Monitoring Agent's capabilities beyond just affecting Microsoft Defender for Endpoint. + + [1]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240707094412/https://www.herdprotect.com/momperfsnapshothelper.exe-6e485e17e7e3b92d2eb4baa1590ed30c325f60b8.aspx "Malware scan of MOMPerfSnapshotHelper.exe (Microsoft Monitoring Agent) 6e485e17e7e3b92d2eb4baa1590ed30c325f60b8 - herdProtect | www.herdprotect.com" + [3]: https://web.archive.org/web/20240707094404/https://support.microsoft.com/en-us/topic/the-momperfsnapshothelper-exe-process-crashes-or-experiences-high-cpu-usage-in-windows-server-2008-sp2-7e875ee5-b4a2-2441-997b-1eb1db1f26d2 "The MOMPerfSnapshotHelper.exe process crashes or experiences high CPU usage in Windows Server 2008 SP2 - Microsoft Support | support.microsoft.com" + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MOMPerfSnapshotHelper.exe + - + name: Disable outdated "The Health Service Lockdown Tool" process + docs: |- # 
refactor-with-variables: Same โ€ข MMA Caution + This script disables the `HSLockdown.exe` process. + + This process is located at `%PROGRAMFILES%\Microsoft Monitoring Agent\Agent\HSLockdown.exe` [1] [2]. + This executable is known as *The Health Service Lockdown Tool* [2] [3] [4]. + It is used in outdated Microsoft Monitoring Agent deployments applicable to + Windows 8.1, Windows 7, and Windows Server 2008 R2 SP1 [1]. + + The Health Service Lockdown Tool uses command-line options to control and restrict which identities + can execute rules, tasks, or monitors [2]. + It can list accounts/groups, add or remove allowed or denied accounts/groups [2]. + It manages permissions by allowing or denying access to server components [2], including blocking + powerful accounts like `NT AUTHORITY\SYSTEM` [3]. + + While used with Microsoft Defender for Endpoint [1], disabling this tool also restricts the broader capabilities + of the Microsoft Monitoring Agent [1], potentially affecting other security operations. + + This script may also impair the discoverability of machines running the *Host Guardian Service* [4]. + This service verifies the security of a Hyper-V host before it runs protected virtual machines [5]. + + This script enhances privacy by removing a potential vulnerability in permission modifications, reducing + the risk of exposing sensitive server information. + It also limits the functionality of Microsoft Defender for Endpoint and Microsoft Monitoring Agent [1], + which are known to collect and transmit data [6]. + Disabling this process may enhance system performance by reducing resource use. + However, it can also reduce security by removing these protective measures. + + > **Caution:** + > - This may limit the Microsoft Monitoring Agent's capabilities beyond just affecting Microsoft Defender for Endpoint. + > - This impairs permission management within the Microsoft Monitoring Agent. 
+ + [1]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240707094307/https://learn.microsoft.com/en-us/system-center/scom/manage-security-overview-hslockdown?view=sc-om-2022 "Control Access by Using the Health Service Lockdown Tool in Operations Manager | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240707094301/https://learn.microsoft.com/en-us/troubleshoot/system-center/scom/health-service-not-process-configuration-files "Health Service doesn't process configuration files - Operations Manager | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240707094246/https://download.microsoft.com/download/6/D/E/6DE8A2F5-4738-4AE4-BFD6-EC85FEF9677D/MPGuide_GuardedFabric.docx "Guide for System Center Management Pack for Microsoft Windows Guarded Fabric 2016 and above | Microsoft System Center | download.microsoft.com" + [5]: https://web.archive.org/web/20240707091846/https://learn.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms "Guarded Fabric and Shielded VMs overview | Microsoft Learn | learn.microsoft.com" + [6]: https://web.archive.org/web/20240708203922/https://learn.microsoft.com/en-us/defender-endpoint/data-storage-privacy "Microsoft Defender for Endpoint data storage and privacy - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: HSLockdown.exe + - + name: Disable outdated "Microsoft Monitoring Agent in Control Panel" process + docs: |- # refactor-with-variables: Same โ€ข MMA Caution + This script disables the `AgentControlPanel.exe` process. 
+ + The process is located at `%PROGRAMFILES%\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe` [1]. + This process is part of the *Microsoft Monitoring Agent* interface [2] [3]. + This interface is also known as the *Microsoft Monitoring Agent Properties dialog box* [3]. + Microsoft Defender for Endpoint utilizes this agent [1]. + It appears in Control Panel [2] [3]. + Disabling it may limit the agent's capabilities and impair access to its settings via the Control Panel. + + The script targets only outdated Microsoft Monitoring Agent deployments on older operating systems + (Windows 8.1, Windows 7, and Windows Server 2008 R2 SP1) [1]. + + This script enhances user privacy by reducing the amount of data shared with Microsoft. + It also improves system performance by minimizing background activity on outdated systems. + However, it may also reduce security, as this process is integral to Microsoft Defender for Endpoint. + Disabling it could impair these crucial security functions. + + > **Caution:** + > - This may limit the Microsoft Monitoring Agent's capabilities beyond just affecting Microsoft Defender for Endpoint. + > - This script impairs accessing Microsoft Monitoring Agent in Control Panel (Microsoft Monitoring Agent Properties dialog box). 
+ + [1]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240707091724/https://blog.tyang.org/2017/01/17/command-launching-microsoft-monitoring-agent-control-panel-applet/ "Command Launching Microsoft Monitoring Agent Control Panel Applet - Managing Cloud and Datacenter by Tao Yang | blog.tyang.org" + [3]: https://web.archive.org/web/20240707091715/https://learn.microsoft.com/en-us/troubleshoot/azure/azure-monitor/log-analytics/windows-agents/erased-proxy-settings-microsoft-monitoring-agent "Fix erased proxy settings in the Microsoft Monitoring Agent - Azure | Microsoft Learn | learn.microsoft.com" + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: AgentControlPanel.exe + - + name: Disable outdated "Microsoft Sensor" process + docs: |- # refactor-with-variables: Same โ€ข MMA Caution + This script disables the `MsSenseS.exe` process. + + The `MsSenseS.exe` process is known as the "sensor process" [1]. + It collects and sends sensor data to Microsoft [1]. + + This process is outdated and is only used by older versions of the Microsoft Monitoring Agent and Microsoft Defender for Endpoint [2]. + This process is found in environments running Windows 8.1, Windows 7, and Windows Server 2008 R2 SP1 [2]. + + It is typically located at + `%PROGRAMFILES%\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`, + but the exact subfolder numbers may vary [2]. + + Disabling this process helps protect your privacy by limiting the data collected and processed by external parties. + Additionally, it can improve system performance by alleviating high CPU usage commonly associated with this process [3]. 
+ However, this may limit some functions of the Microsoft Monitoring Agent and Microsoft Defender for Endpoint. + + > **Caution:** + > This may limit the Microsoft Monitoring Agent's capabilities beyond just affecting Microsoft Defender for Endpoint. + + [1]: https://web.archive.org/web/20240707085447/https://learn.microsoft.com/en-us/defender-endpoint/onboard-downlevel "Onboard previous versions of Windows on Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240707085441/https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/mssenses-exe-high-cpu-usage/m-p/2761276 "MsSenseS.exe high CPU usage - Microsoft Community Hub | techcommunity.microsoft.com" + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MsSenseS.exe - category: Disable automatic updates docs: |-
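Review bot: the `RunInlineCodeAsTrustedInstaller` call that runs `reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "SenseEnabled" /t REG_DWORD /d "1" /f` carries the comment `# ❌ Fails with "ERROR: Access is denied." in Windows 11 Pro (≥ 23H2) and Windows 10 Pro (≥ 22H2)`, which are the versions this collection targets; an action that is known to fail should not ship silently. Either remove the action, or state the failure in its `docs` block so the user sees it, and explain there what writing `SenseEnabled` = 1 does, since the `revertCode` comment says the value is "Missing by default" and the revert only deletes it.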
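Review bot: the `SenseCnCProxy.exe` entry has a truncated sentence, `This process provides functionality to rosoft Defender for Endpoint communication mod [1].`, where "Microsoft" and "module" were cut; fix it before merge. The six `Sense*.exe` entries (CnCProxy, IR, CE, SampleUploader, Ndr, SC, CM, TVM) repeat the same template sentences and the same two references with `# TODO: Revise docs` on each; the `# refactor-with-variables:` marker already used by the MMA entries in this hunk would fit here, and "This process provides functionality to X module" reads better as "This process is the X module of Microsoft Defender for Endpoint [1]".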
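Review bot: the category `Disable outdated Microsoft Monitoring Agent (MMA) specific processes` ships unfinished placeholder lines in user-facing docs: `They ma improves privacy by..`, `They can also improve systtem performance by..`, `However they may reduce your security by..`, and the `MonitoringHost.exe` and `TestCloudConnection.exe` entries repeat the same three placeholders (`This script improves privac by..`). Complete or drop them before merge, along with the `# TODO: Research done, revision needed` markers. Same block: `Defender for Endpoint required to use required the use of Microsoft Monitoring Agent (MMA) [2]` duplicates the verb, and `Scripts in this category impairs the usage` needs "impair".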
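Review bot: in the `HealthService.exe` entry the caution line `> -This may limit the Microsoft Monitoring Agent's capabilities` has no space after the dash, so it will not render as a list item; the other single-item cautions in this hunk omit the dash entirely, so match that. The same entry has `ismply` for "simply", `Disabling this service will disable prevent Heartbeat messages` (choose one verb), and `It improves your system performance this process is associated with high memory usage [4]` is missing "because" or "as".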
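Review bot: the `TestCloudConnection.exe` entry states the executable location twice (`%PROGRAMFILES%\Microsoft Monitoring Agent\Agent` [1] and, later, `...\Agent\TestCloudConnection.exe` [6]); merge them. Also fix `This utility to used to verify that the computers can succesfully connect`, the stray bracket in `This agent is used by Microsoft Defender for Endpoint [6]].`, and move `Disabling it impairs onboarding to "Microsoft Defender for Cloud".` into the caution block, which already lists the other two side effects of this script.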
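Review bot: the `MOMPerfSnapshotHelper.exe` entry needs `This process is Used to create list of performance counters` lower-cased and given an article ("a list"), `It collects to collect performance counter information [3]` reduced to one verb, and `privcacy` corrected. As with `MonitoringHost.exe`, the entry says both `This agent is used by Microsoft Defender for Endpoint [1].` and `This component is associated with Microsoft Defender for Endpoint [1].`; one of the two is enough, and in the `MonitoringHost.exe` SCOM bullet list each item repeats `[6]` although the lead-in sentence already cites it.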
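Review bot: in the `MDEClientAnalyzer.exe` entry, `Disabling this process improves privacy by preventing data from being sent to Microsoft and potentially inspected.` is the only uncited sentence, while the entry's own description of the tool (per [1]) is that it verifies connectivity to cloud service URLs; state what data the test transmits, with a citation, before claiming a privacy gain, or soften the wording as the previous-version entry does (`limiting data transmission`). The `AgentControlPanel.exe` entry has the same issue: it describes a Control Panel properties dialog, yet claims the script `improves system performance by minimizing background activity` without a source.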
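Review bot: the `HSLockdown.exe` entry's rationale `This script enhances privacy by removing a potential vulnerability in permission modifications` contradicts the entry's own description of the tool as the mechanism that restricts which identities can execute rules, tasks, or monitors [2]; blocking it removes an access-control tool, it does not remove a vulnerability. Replace that sentence with a rationale the cited sources support, for instance the line already present about limiting components that collect and transmit data [6], and keep the second caution item (`This impairs permission management within the Microsoft Monitoring Agent.`), which states the real impact.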