AndyFul / ConfigureDefender

Utility for configuring Windows 10 built-in Defender antivirus settings.

Can't get around this error message

BlohoJo opened this issue

ConfigureDefender 3.0.0.1
Windows 10 Pro x64 Update 2004

Signed on as admin. User Account Control disabled. Running ConfigureDefender as admin.

Tried disabling "Scan all downloaded files and attachments." Restart ConfigureDefender and it's back on. Tried setting it to disabled again and hitting "Refresh" button, get this error:

win10_error
(Using classic themes)

Not sure where to look as to what could be preventing PowerShell from changing registry settings. I have other programs that use PowerShell to change the registry and they work without issue.

I don't have any other security programs installed, just Windows Defender.

I was able to configure this setting using the Local Group Policy Editor (C:\Windows\System32\gpedit.msc):

Local Computer Policy -> Administrative Templates -> Windows Components -> Microsoft Defender Antivirus -> Real-time Protection -> Scan all downloaded files and attachments -> Disabled

I can close and restart gpedit.msc and see the setting is retained. I checked the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, and DisableIOAVProtection is set to 1.

But when I run ConfigureDefender, it still shows that this setting is "ON".

???

I looked into this some more. It appears that ConfigureDefender is trying to change this registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection -> set Dword DisableIOAVProtection to 1

If Windows Defender real time protection is turned on, it disallows writing to this registry key, even if permissions & ownership of the key are set to Administrator. If you disable real time protection, you can then write this value to the key. But if real time protection is re-enabled, the DisableIOAVProtection Dword will be completely erased.

Looks like ConfigureDefender is going to have to instead use the policy key (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection) to set this value... I haven't checked other settings yet.

Hi BlohoJo,
Two ConfigureDefender settings are prevented from changes by Windows Defender Tamper Protection:

  • Behavior monitoring
  • Scan all downloaded files and attachments

When trying to change them you get the alert you posted about.

Maybe if run as Trusted Installer it could work?

https://winaero.com/execti-run-programs-trustedinstaller/

Nothing will help when Tamper Protection is enabled.
Anyway, there is no reason to disable the options that are protected by Tamper Protection.
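
For anyone diagnosing the same mismatch, the read-only PowerShell check below is an added example, not part of the original thread or of ConfigureDefender's code. It prints the Tamper Protection state next to the two registry locations discussed above and the value Get-MpPreference reports for the two protected settings. Assumption: DisableBehaviorMonitoring is used as the value name for "Behavior monitoring"; only DisableIOAVProtection is quoted in the thread.

```powershell
# Added example (not ConfigureDefender code): read-only diagnostic, changes nothing.
# Both registry paths and DisableIOAVProtection are taken from the thread.
# Assumption: DisableBehaviorMonitoring is the value behind "Behavior monitoring".
$keys = [ordered]@{
    Policy     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
    Preference = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection'
}
$settings = 'DisableIOAVProtection', 'DisableBehaviorMonitoring'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD, or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$status = Get-MpComputerStatus   # Defender state, including Tamper Protection
$pref   = Get-MpPreference       # preferences as Defender itself reports them

$report = foreach ($name in $settings) {
    [pscustomobject]@{
        Setting       = $name
        PolicyKey     = Get-RegDword -Path $keys.Policy -Name $name
        PreferenceKey = Get-RegDword -Path $keys.Preference -Name $name
        MpPreference  = $pref.$name
    }
}

"Tamper Protection enabled : $($status.IsTamperProtected)"
"Real-time protection on   : $($status.RealTimeProtectionEnabled)"
$report | Format-Table -AutoSize

# Flag the situation from the thread: a policy value is present in the
# registry, but Defender reports a different state for the same setting.
foreach ($row in $report) {
    if ($null -ne $row.PolicyKey -and [bool]$row.PolicyKey -ne [bool]$row.MpPreference) {
        "NOTE: $($row.Setting) policy value is $($row.PolicyKey), but Get-MpPreference reports $($row.MpPreference)."
    }
}
```

Run it from an elevated PowerShell prompt; an empty PolicyKey or PreferenceKey column means the value is not present under that key.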