From 9cc2ffd2e6aef7cfcac16c69f21de790c0d326e8 Mon Sep 17 00:00:00 2001
From: undergroundwires
Date: Mon, 30 Sep 2024 18:49:20 +0200
Subject: [PATCH] win: improve disabling defender processes with new

- Categorize disabling Defender for Endpoint (TODO: TO new commit)
- Add disabling missing Defender processes.
- Improve documentation of affected scripts.
---
 src/application/collections/windows.yaml | 888 ++++++++++++++++++++++-
 1 file changed, 863 insertions(+), 25 deletions(-)

diff --git a/src/application/collections/windows.yaml b/src/application/collections/windows.yaml
index a96aa935..307b6f03 100644
--- a/src/application/collections/windows.yaml
+++ b/src/application/collections/windows.yaml
@@ -15100,31 +15100,6 @@ actions: # parameters: # fileGlob: '%PROGRAMFILES%\Windows Defender\NisSrv.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... # grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 22H2 - - - name: Disable "Windows Defender Advanced Threat Protection Service" service - docs: |- - https://web.archive.org/web/20240314091443/https://batcmd.com/windows/10/services/sense/ - - ### Overview of default service statuses - - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (β‰₯ 22H2) | πŸ”΄ Stopped | Manual | - | Windows 11 (β‰₯ 23H2) | πŸ”΄ Stopped | Manual | - call: - - - function: DisableServiceInRegistry - # Windows 10 (22H2): ❌ `DisableService` | βœ… `DisableServiceInRegistry` | βœ… `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | βœ… `DisableServiceInRegistry` | βœ… `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (23H2): ❌ `DisableService` | βœ… `DisableServiceInRegistry` | βœ… `DisableServiceInRegistryAsTrustedInstaller` - parameters: - serviceName: Sense # Check: (Get-Service -Name 'Sense').StartType - defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - - - function: SoftDeleteFiles - parameters: - fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\MsSense.exe' - grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 22H2 - name: Disable "Windows Security Service" service docs: |- 
@@ -15161,6 +15136,110 @@ actions: parameters: fileGlob: '%WINDIR%\System32\SecurityHealthService.exe' grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 22H2 + - + category: Disable Defender processes + children: + - + name: Disable "Microsoft Malware Protection Copy Accelerator Utility" process + docs: |- # TODO: Revise docs + https://www.freefixer.com/library/file/MpCopyAccelerator.exe-308540/ + https://www.reddit.com/r/WindowsHelp/comments/prbaxw/microsoft_malware_protection_copy_accelerator/ + https://www.file.net/process/mpcopyaccelerator.exe.html + https://forum.romexsoftware.com/en-us/viewtopic.php?t=5358 + + According to test this file does not exist on Windows 10 since 22H2 but exists on Windows 11 since 23H2. + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MpCopyAccelerator.exe + # - + # # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 11 23H2 + # # Something like SoftDeleteFiles | RunAsTrustedInstaller would solve the issue. + # function: SoftDeleteFiles + # parameters: + # fileGlob: '%PROGRAMFILES%\Windows Defender\MpCopyAccelerator.exe' + # grantPermissions: 'true' # πŸ” Missing on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 23H2 + - + name: Disable "Microsoft Defender Antivirus command-line utility" process + docs: |- # TODO: Revise docs + This script disables `MpCmdRun.exe` process. + + This process provides functionality to Microsoft Defender Antivirus command-line utility [1]. + + It's found at `%PROGRAMFILES%\Windows Defender` on modern versions of Windows and + `%PROGRAMFILES%\Microsoft Security Client` on older versions of Windows [1]. + + This component is associated with Microsoft Defender for Endpoint [1]. 
+ + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + + TODO: https://learn.microsoft.com/en-us/defender-endpoint/command-line-arguments-microsoft-defender-antivirus + TODO: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows + TODO: https://medium.com/csis-techblog/silencing-microsoft-defender-for-endpoint-using-firewall-rules-3839a8bf8d18 + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MpCmdRun.exe + # - + # # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 23H2 + # # Something like SoftDeleteFiles | RunAsTrustedInstaller would solve the issue. + # function: SoftDeleteFiles + # parameters: + # fileGlob: '%PROGRAMFILES%\Windows Defender\MpCmdRun.exe' + # grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 23H2 + - + name: Disable "Microsoft Endpoint DLP command-line utility" process + docs: |- # TODO: Revise docs + This script disables `MpDlpCmd.exe` process. + + This process provides functionality to Microsoft Endpoint DLP command-line utility [1]. + + It's found at `%PROGRAMFILES%\Windows Defender` on Windows 10 or Windows Server 2019 and above [1]. + + This component is associated with Microsoft Defender for Endpoint [1]. + + According to tests, this file exists since Windows 11 23H2, but not on Windows 10 since 22H2. 
+ + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + TODO: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MpDlpCmd.exe + # - + # # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 23H2 + # # Something like SoftDeleteFiles | RunAsTrustedInstaller would solve the issue. + # function: SoftDeleteFiles + # parameters: + # fileGlob: '%PROGRAMFILES%\Windows Defender\MpCmdRun.exe' + # grantPermissions: 'true' # πŸ” Missing on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 23H2 + - + name: Disable "Microsoft Security Client Policy Configuration Tool" process + docs: |- # TODO: Revise docs + This script disables `ConfigSecurityPolicy.exe` process. + + This process provides functionality to Microsoft Security Client Policy Configuration Tool [1]. + + It's found at `%PROGRAMFILES%\Windows Defender` on modern versions of Windows and + `%PROGRAMFILES%\Microsoft Security Client` on older versions of Windows [1]. + + This component is associated with Microsoft Defender for Endpoint [1]. 
+ + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + + TODO: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide + TODO: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: ConfigSecurityPolicy.exe + # - + # # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 23H2 + # # Something like SoftDeleteFiles | RunAsTrustedInstaller would solve the issue. + # function: SoftDeleteFiles + # parameters: + # fileGlob: '%PROGRAMFILES%\Windows Defender\ConfigSecurityPolicy.exe' + # grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 23H2 - category: Disable SmartScreen docs: 
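Review bot: The four entries added under `Disable Defender processes` are still marked `# TODO: Revise docs`, and none has a `> **Caution:**` block or a security trade-off sentence, so a user gets no indication of what is lost when `MpCmdRun.exe`, `MpDlpCmd.exe` or `ConfigSecurityPolicy.exe` is terminated and blocked. `MpCmdRun.exe` is the Defender command-line utility, which to my knowledge is also what drives command-line scans and security-intelligence updates, so its entry should carry something like `> **Caution:** Blocking this utility may prevent command-line scans and definition updates, reducing your protection.` before the script ships. The `MpCopyAccelerator.exe` docs consist only of four bare links, and the unnumbered `TODO:` URLs in the other three entries appear to sit inside the `docs` block scalar, so they would be shown to users; they should become YAML comments or numbered references. In the commented-out `SoftDeleteFiles` block of the `MpDlpCmd.exe` entry the glob was copied from the previous entry and should read `# fileGlob: '%PROGRAMFILES%\Windows Defender\MpDlpCmd.exe'`; the "since Windows 10 22H2" remark above it also contradicts the "Missing on Windows 10" note on the `grantPermissions` line.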
@@ -15451,6 +15530,765 @@ actions: code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f revertCode: |- # Has "1" value in "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" as default reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "1" /f + - + category: Disable Microsoft Defender for Endpoint + docs: |- # TODO: Revise docs + Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise + networks prevent, detect, investigate, and respond to advanced threats [1]. + + This product was previously known as **Microoft Defender Advanced Threat Protection (ATP)** [2]. + Some of the components of Microsoft Defender for Endpoint are built-in and shipped by default on Windows [3]. + + [1]: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint + [2]: https://web.archive.org/web/20240716092018/https://www.microsoft.com/en-us/security/blog/2020/09/22/microsoft-unified-siem-xdr-modernize-security-operations/ "Microsoft delivers unified SIEM and XDR to modernize security operations | Microsoft Security Blog | www.microsoft.com" + [3]: https://web.archive.org/web/20240609160137/https://batcmd.com/windows/11/services/sense/ "Windows Defender Advanced Threat Protection Service - Windows 11 Service - batcmd.com | batcmd.com" + children: + # TODO: + # - + # HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection + # AllowSampleCollection + # https://github.com/MicrosoftDocs/defender-docs/blob/2b814ab6f6275714ef5bd4362a9f432469bb2a3a/defender-endpoint/configure-endpoints-script.md?plain=1#L74-L93 + # - + # Remove User identifier + # HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection!senseGuid + # https://github.com/AdamGrossTX/microsoft-365-docs/blob/416039e67062561bfb6013dcdda98966e1025655/microsoft-365/compliance/device-onboarding-vdi.md?plain=1#L138 + # 
TODO: Google more about `SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` + - + name: Disable "Windows Defender Advanced Threat Protection Service" service + docs: |- # refactor-with-variables: Same β€’ Defender For Endpoint Caution + This script disables the "Windows Defender Advanced Threat Protection Service" and + its associated process (`MsSense.exe`). + + This service is part of **Windows Defender Advanced Threat Protection (ATP)** component [1] [2]. + This component was later renamed to **Microsoft Defender for Endpoint** [3]. + This service provides crucial functionality for Microsoft Defender for Endpoint [4] [5]. + + It monitors and reports security events, helping assess threats [1] [2]. + Disabling this service enhances privacy by minimizing the collection of potentially personal and sensitive data. + This action may also improve system performance by stopping unnecessary processes. + However, it may reduce security, as it diminishes the system's ability to detect and manage threats. + + The service operates through the `MsSense.exe` executable [1] [2]. + This file is located in: + - `%PROGRAMFILES%\Windows Defender Advanced Threat Protection` on newer systems [1] [2] [4] + - `%PROGRAMDATA%\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\MsSense.exe` on older systems [3]. + + > **Caution:** + > This may impair your system's ability to monitor and report on security threats effectively. 
+ + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (β‰₯ 22H2) | πŸ”΄ Stopped | Manual | + | Windows 11 (β‰₯ 23H2) | πŸ”΄ Stopped | Manual | + + [1]: https://web.archive.org/web/20240609160216/https://batcmd.com/windows/10/services/sense/ "Windows Defender Advanced Threat Protection Service - Windows 10 Service - batcmd.com | batcmd.com" + [2]: https://web.archive.org/web/20240609160137/https://batcmd.com/windows/11/services/sense/ "Windows Defender Advanced Threat Protection Service - Windows 11 Service - batcmd.com | batcmd.com" + [3]: https://web.archive.org/web/20240716092018/https://www.microsoft.com/en-us/security/blog/2020/09/22/microsoft-unified-siem-xdr-modernize-security-operations/ "Microsoft delivers unified SIEM and XDR to modernize security operations | Microsoft Security Blog | www.microsoft.com" + [4]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [5]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + call: + - + function: DisableServiceInRegistry + # Windows 10 (22H2): ❌ `DisableService` | βœ… `DisableServiceInRegistry` | βœ… `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | βœ… `DisableServiceInRegistry` | βœ… `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (23H2): ❌ `DisableService` | βœ… `DisableServiceInRegistry` | βœ… `DisableServiceInRegistryAsTrustedInstaller` + parameters: + serviceName: Sense # Check: (Get-Service -Name 'Sense').StartType + defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | 
Manual + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MsSense.exe + - + function: SoftDeleteFiles + parameters: + fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\MsSense.exe' + grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 22H2 + - + name: Disable SENSE feature + docs: |- # refactor-with-variables: Same β€’ Defender For Endpoint Caution + This script disables the SENSE feature. + + SENSE is a behavioral sensor for Defender [1]. + It was initially part of *Microsoft Defender Advanced Threat Protection (ATP)* [1]. + IT is now a feature of **Microsoft Defender for Endpoint** after the product was renamed [2]. + + SENSE collects data to support security operations [1]. + This user behavior monitoring poses privacy concerns. + + Disabling SENSE enhances privacy by reducing data collection. + It may also improve system performance by eliminating unnecessary processes. + However, turning off this feature may compromise your system's security by weakening its ability + to detect and manage threats. + + The script modifies the registry key `HKLM\SOFTWARE\Microsoft\Windows Defender\Features!SenseEnabled` + to disable the SENSE feature. While not officially documented, this key affects various Defender components, + including threat assessment [3], SmartScreen [4], the Sense service [5], and the Defender process [6]. + + > **Caution:** + > This may impair your system's ability to monitor and report on security threats effectively. 
+ + [1]: https://web.archive.org/web/20180302010434/https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection "Review events and errors on endpoints with Event Viewer | Microsoft Docs | web.archive.org" + [2]: https://web.archive.org/web/20240716092018/https://www.microsoft.com/en-us/security/blog/2020/09/22/microsoft-unified-siem-xdr-modernize-security-operations/ "Microsoft delivers unified SIEM and XDR to modernize security operations | Microsoft Security Blog | www.microsoft.com" + [3]: https://github.com/privacysexy-forks/10_0_22621_1028/blob/3e002a687dbcd05bebe48401714021cf670c5bd8/C/Windows/System32/ThreatAssessment.dll.strings#L12405 "10_0_22621_1028/C/Windows/System32/ThreatAssessment.dll.strings at 3e002a687dbcd05bebe48401714021cf670c5bd8 Β· privacysexy-forks/10_0_22621_1028 Β· GitHub | github.com" + [4]: https://github.com/privacysexy-forks/10_0_22621_891/blob/fde7af7776698377aceb48a54bcf7bedaadd5c2d/C/Windows/System32/smartscreen.dll.strings#L14704 "10_0_22621_891/C/Windows/System32/smartscreen.dll.strings at fde7af7776698377aceb48a54bcf7bedaadd5c2d Β· privacysexy-forks/10_0_22621_891 Β· GitHub | github.com" + [5]: https://github.com/privacysexy-forks/10_0_17763_1/blob/6151931b169f55ce8b8581c39bb508a661e4085b/C/Windows/WinSxS/amd64_windows-senseclient-service_31bf3856ad364e35_10.0.17763.1_none_98eaa6f2e75e3772/MsSense.exe.strings#L9704 "10_0_17763_1/C/Windows/WinSxS/amd64_windows-senseclient-service_31bf3856ad364e35_10.0.17763.1_none_98eaa6f2e75e3772/MsSense.exe.strings at 6151931b169f55ce8b8581c39bb508a661e4085b Β· privacysexy-forks/10_0_17763_1 Β· GitHub | github.com" + [6]: https://github.com/privacysexy-forks/10_0_22000_1165/blob/92680a67167c80bd9f2c8e58bd304b801a18860d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762/MsMpEng.exe.strings#L522 
"10_0_22000_1165/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762/MsMpEng.exe.strings at 92680a67167c80bd9f2c8e58bd304b801a18860d Β· privacysexy-forks/10_0_22000_1165 Β· GitHub | github.com" + call: + function: RunInlineCodeAsTrustedInstaller + # ❌ Fails with "ERROR: Access is denied." in Windows 11 Pro (β‰₯ 23H2) and Windows 10 Pro (β‰₯ 22H2) + parameters: + code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "SenseEnabled" /t REG_DWORD /d "1" /f + revertCode: >- # Missing by default since Windows 10 Pro (β‰₯ 22H2) and Windows 11 Pro (β‰₯ 23H2) + reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "SenseEnabled" /f 2>nul + - + name: Disable "Microsoft Defender for Endpoint communication module" process + docs: |- + This script disables the `SenseCnCProxy.exe` process. + This process is part of **Defender for Endpoint** [1] [2]. + + `SenseCnCProxy.exe` is the **Microsoft Defender for Endpoint communication module** [1]. + It is also known as **Windows Defender Advanced Threat Protection Communications module** [3]. + It communicates with cloud services [4] [5], handles task scheduling [4], and transmits telemetry data [5]. + + Disabling this process enhances privacy by stopping system data from being shared with Microsoft's cloud services. + It may also boost performance by reducing background processes and network activity. + + However, disabling this component may limit **Defender for Endpoint**'s ability to detect and respond to security threats. + + > **Caution:** + > Disabling this process may reduce the effectiveness of **Defender for Endpoint**, + > potentially lowering your system's protection against advanced threats. 
+ + ### Technical Details + + The script disables the process by: + + - Terminating the process + - Blocking future executions + - Renaming the executable file + + On Windows 10 or Windows Server 2012 and above, the file is located at + `%PROGRAMFILES%\Windows Defender Advanced Threat Protection\SenseCnCProxy.exe` [1] [2] [3]. + On older systems, this file may be located in + `%PROGRAMDATA%\Microsoft\Windows Defender Advanced Threat Protection\Platform\\SenseCnCProxy.exe` [2]. + + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [2]: https://web.archive.org/web/20240930155003/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-troubleshooting "Troubleshooting issues when moving to Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240930154945/https://strontic.github.io/xcyclopedia/library/SenseCncProxy.exe-35FC0F5126BC4F6DB7D36B270F481FDC.html "SenseCncProxy.exe | Windows Defender Advanced Threat Protection Communications module | STRONTIC | strontic.github.io" + [4]: https://web.archive.org/web/20240930155823/https://github.com/WinDLLsExports/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/WinSxS/amd64_windows-senseclient-service_31bf3856ad364e35_10.0.22621.1_none_09ba88c182f2fbb5/SenseCncProxy.exe.strings "10_0_22622_601/C/Windows/WinSxS/amd64_windows-senseclient-service_31bf3856ad364e35_10.0.22621.1_none_09ba88c182f2fbb5/SenseCncProxy.exe.strings at c598035e1a6627384d646140fe9e4d234b36b11d Β· WinDLLsExports/10_0_22622_601 | github.com" + [5]: https://web.archive.org/web/20240930155120/https://medium.com/csis-techblog/silencing-microsoft-defender-for-endpoint-using-firewall-rules-3839a8bf8d18 "How To Hack Like A LEGEND - PDFCOFFEE.COM | 
pdfcoffee.com" + [6]: https://web.archive.org/web/20240930155120/https://medium.com/csis-techblog/silencing-microsoft-defender-for-endpoint-using-firewall-rules-3839a8bf8d18 "Silencing Microsoft Defender for Endpoint using firewall rules | by SΓΈren FritzbΓΈger | CSIS TechBlog | Medium | medium.com" + call: + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SenseCnCProxy.exe + - + function: SoftDeleteFiles + parameters: + fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\SenseCnCProxy.exe' + grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 22H2 + - + name: Disable "Microsoft Defender for Endpoint Sense IR (Incident Response) module" process + docs: |- # TODO: Revise docs + This script disables `SenseIR.exe` process. + + This process provides functionality to Microsoft Defender for Endpoint Sense IR (Incident Response) module [1]. + + This script enhances privacy by... + It may also improve system performance by... + However, it may reduce security by... + + > **Caution:** + > TODO: Explain side-effects to non tech savvy in simple/clear/conces and only one sentence + + It's found at `%PROGRAMFILES%\Windows Defender Advanced Threat Protection` on Windows 10 + or Windows Server 2012 and above [1] [2]. + It's found at `%PROGRAMDATA%\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseIR.exe` on older systems [2]. + + This component is associated with Microsoft Defender for Endpoint [1] [2]. 
+ + TODO: https://medium.com/csis-techblog/silencing-microsoft-defender-for-endpoint-using-firewall-rules-3839a8bf8d18 + + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [2]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + call: + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SenseIR.exe + - + function: SoftDeleteFiles + parameters: + fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\SenseIR.exe' + grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 22H2 + - + name: Disable "Microsoft Defender for Endpoint Sense CE (Classification Engine) module" process + docs: |- # TODO: Revise docs + This script disables `SenseCE.exe` process. + + This process provides functionality to Microsoft Defender for Endpoint Sense CE (Classification Engine) module [1]. + + This script enhances privacy by... + It may also improve system performance by... + However, it may reduce security by... + + > **Caution:** + > TODO: Explain side-effects to non tech savvy in simple/clear/conces and only one sentence + + It's found at `%PROGRAMFILES%\Windows Defender Advanced Threat Protection\Classification` on Windows 10 + or Windows Server 2019 and above [1] [2]. + It's found at `%PROGRAMDATA%\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCE.exe` on older systems [2]. + + This component is associated with Microsoft Defender for Endpoint [1] [2]. 
+ + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [2]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + call: + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SenseCE.exe + - + function: SoftDeleteFiles + parameters: + fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe' + grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 22H2 + - + name: Disable "Microsoft Defender for Endpoint Sample Upload module" process + docs: |- # TODO: Revise docs + This script disables `SenseSampleUploader.exe` process. + + This process provides functionality to Microsoft Defender for Endpoint Sample Upload module [1]. + + This script enhances privacy by... + It may also improve system performance by... + However, it may reduce security by... + + > **Caution:** + > TODO: Explain side-effects to non tech savvy in simple/clear/conces and only one sentence + + It's found at `%PROGRAMFILES%\Windows Defender Advanced Threat Protection` on Windows 10 + or Windows Server 2012 and above [1] [2]. + It's found at `%PROGRAMDATA%\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseSampleUploader.exe` on older systems [2]. + + This component is associated with Microsoft Defender for Endpoint [1] [2]. 
+ + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [2]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + call: + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SenseSampleUploader.exe + - + function: SoftDeleteFiles + parameters: + fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe' + grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 22H2 + - + name: Disable "Microsoft Defender for Endpoint Sense NDR (Network Detection and Response) module" process + docs: |- # TODO: Revise docs + This script disables `SenseNdr.exe` process. + + This process provides functionality to Microsoft Defender for Endpoint Sense NDR (Network Detection and Response) module [1]. + + This script enhances privacy by... + It may also improve system performance by... + However, it may reduce security by... + + > **Caution:** + > TODO: Explain side-effects to non tech savvy in simple/clear/conces and only one sentence + + It's found at `%PROGRAMFILES%\Windows Defender Advanced Threat Protection` on Windows 10 + or Windows Server 2019 and above [1] [2]. + + This component is associated with Microsoft Defender for Endpoint [1] [2]. 
+ + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [2]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SenseNdr.exe + - + name: Disable "Microsoft Defender for Endpoint Sense SC (Screenshot Capture) module" process + docs: |- # TODO: Revise docs + This script disables `SenseSC.exe` process. + + This process provides functionality to Microsoft Defender for Endpoint Sense SC (Screenshot Capture) module [1]. + + This script enhances privacy by... + It may also improve system performance by... + However, it may reduce security by... + + > **Caution:** + > TODO: Explain side-effects to non tech savvy in simple/clear/conces and only one sentence + + It's found at `%PROGRAMFILES%\Windows Defender Advanced Threat Protection` on Windows 10 + or Windows Server 2019 and above [1] [2]. + + This component is associated with Microsoft Defender for Endpoint [1] [2]. 
+ + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [2]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SenseSC.exe + - + name: Disable "Microsoft Defender for Endpoint Sense CM (Configuration Management)" process + docs: |- # TODO: Revise docs + This script disables `SenseCM.exe` process. + + This process provides functionality to Microsoft Defender for Endpoint Sense CM (Configuration Management) [1]. + + This script enhances privacy by... + It may also improve system performance by... + However, it may reduce security by... + + > **Caution:** + > TODO: Explain side-effects to non tech savvy in simple/clear/conces and only one sentence + + It's found at `%PROGRAMFILES%\Windows Defender Advanced Threat Protection` on Windows 10 + or Windows Server 2012 and above [1] [2]. + It's found at `%PROGRAMDATA%\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCM.exe` on older systems [2]. + + This component is associated with Microsoft Defender for Endpoint [1] [2]. 
+ + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [2]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + call: + - + function: SoftDeleteFiles + parameters: + fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\SenseCM.exe' + grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 22H2 + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SenseCM.exe + - + name: Disable "Microsoft Defender for Endpoint Sense TVM (Threat Vulnerability Management)" process + docs: |- # TODO: Revise docs + This script disables `SenseTVM.exe` process. + + This process provides functionality to Microsoft Defender for Endpoint Sense TVM (Threat Vulnerability Management) [1]. + + This script enhances privacy by... + It may also improve system performance by... + However, it may reduce security by... + + > **Caution:** + > TODO: Explain side-effects to non tech savvy in simple/clear/conces and only one sentence + + It's found at `%PROGRAMFILES%\Windows Defender Advanced Threat Protection` on Windows 10 + or Windows Server 2012 and above [1] [2]. + It's found at `%PROGRAMDATA%\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseTVM.exe` on older systems [2]. + + This component is associated with Microsoft Defender for Endpoint [1] [2]. 
+ + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [2]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + call: + - + function: SoftDeleteFiles + parameters: + fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\SenseTVM.exe' + grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 22H2 + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SenseTVM.exe + - + name: Disable SenseAP.exe + docs: 'TODO: Missing' + code: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\SenseAP.exe' + - + name: Disable SenseAPToast.exe + docs: 'TODO: Missing' + code: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\SenseAPToast.exe' + - + name: Disable SenseGPParser.exe + docs: 'TODO: Missing' + code: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\SenseGPParser.exe' + - + name: Disable SenseIdentity.exe + docs: 'TODO: Missing' + code: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\SenseIdentity.exe' + - + name: Disable SenseImdsCollector.exe + docs: 'TODO: Missing' + code: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\SenseImdsCollector.exe' + - + name: Disable aadrt.dll + docs: 'TODO: Missing' + code: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\aadrt.dll' + - + name: Disable MsSense.dll + docs: 'TODO: Missing' + code: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\MsSense.dll' + - + name: Disable RunPsScript.dll + docs: 'TODO: Missing' + code: '%PROGRAMFILES%\Windows Defender Advanced Threat 
Protection\RunPsScript.dll' + - + name: Disable SenseMirror.dll + docs: 'TODO: Missing' + code: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\SenseMirror.dll' + - + name: Disable SenseMirror.dll + docs: 'TODO: Missing' + code: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\WATPCSP.dll' + - + category: Disable Defender for Endpoint connectivity checks + docs: |- # refactor-with-variables: Same β€’ Defender Connectivity Checks Caution + This category includes scripts to disable tools that perform connectivity tests required for Defender for Endpoint to function properly. + + Defender requires communication with specific URLs [1] and processes [2]. + These tools verify this communication [3]. + + Disabling these tools reduces the amount of data sent to Microsoft, thus enhancing your privacy by limiting external access to your information. + However, this action may compromise the security functionality of Defender for Endpoint. + + > **Caution:** Disabling connectivity checks may lead to connectivity issues with Microsoft servers and reduce your system's security. 
+
+ [1]: https://web.archive.org/web/20240706095956/https://learn.microsoft.com/en-us/defender-endpoint/configure-environment "Configure your network environment to ensure connectivity with Defender for Endpoint service - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
+ [2]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
+ [3]: https://web.archive.org/web/20240706100039/https://learn.microsoft.com/en-us/defender-endpoint/run-analyzer-windows "Run the client analyzer on Windows - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
+ children:
+ -
+ name: Disable "Microsoft Defender for Endpoint Client Analyzer" process
+ docs: |- # refactor-with-variables: Same β€’ Defender Connectivity Checks Caution
+ This script disables `MDEClientAnalyzer.exe` process.
+
+ This process verifies connectivity to Microsoft's cloud services [1].
+ The tool tests connections to specific cloud service URLs, crucial for the proper function of Microsoft Defender for Endpoint [1].
+ It is designed for modern Windows operating systems [1].
+
+ Disabling this process improves privacy by preventing data from being sent to Microsoft and potentially inspected.
+ However, this reduces Defender for Endpoint's security effectiveness and may cause connectivity issues with Microsoft services.
+
+ > **Caution:** Disabling connectivity checks may lead to connectivity issues with Microsoft servers and reduce your system's security.
+
+ [1]: https://web.archive.org/web/20240706100039/https://learn.microsoft.com/en-us/defender-endpoint/run-analyzer-windows "Run the client analyzer on Windows - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
+ call:
+ function: TerminateAndBlockExecution
+ parameters:
+ executableNameWithExtension: MDEClientAnalyzer.exe
+ -
+ name: Disable outdated "Microsoft Defender for Endpoint Client Analyzer (Previous Version)" process
+ docs: |- # refactor-with-variables: Same β€’ Defender Connectivity Checks Caution
+ This script disables the `MDEClientAnalyzerPreviousVersion.exe` process.
+
+ This tool performs connectivity tests on older versions of Windows and editions using the outdated Microsoft Monitoring Agent (MMA) [1].
+
+ The process tests connectivity for Command and Control (CnC) URLs [1], crucial for the functionality of Defender for Endpoint.
+
+ Disabling this tool enhances privacy by limiting data transmission to Microsoft, but it may decrease the security
+ functionality of Defender for Endpoint.
+
+ > **Caution:** Disabling connectivity checks may lead to connectivity issues with Microsoft servers and reduce your system's security.
+
+ [1]: https://web.archive.org/web/20240706100039/https://learn.microsoft.com/en-us/defender-endpoint/run-analyzer-windows "Run the client analyzer on Windows - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
+ call:
+ function: TerminateAndBlockExecution
+ parameters:
+ executableNameWithExtension: MDEClientAnalyzerPreviousVersion.exe
+ -
+ category: Disable outdated Microsoft Monitoring Agent (MMA) specific processes
+ docs: |- # TODO: Research done, revision needed
+ The old agent for Defender for Endpoint depends on Microsoft Monitoring Agent (MMA) [1].
+ Microsoft Monitoring Agent (MMA) is a legacy component retired in August 2024 [1].
+
+ Before April of 2022, Defender for Endpoint required to use required the use of Microsoft
+ Monitoring Agent (MMA) [2].
+ The new unified solution package makes it easier to onboard servers by removing dependencies and
+ installation steps [2]. It also provides a much expanded feature set [2].
+
+ Scripts in this category impairs the usage of Microsoft Monitoring Agent (MMA) for
+ other purposes such as Log Analytics [1].
+
+ Old systems such as Windows 7 SP1, Windows 8.1, or Windows Server 2008 R2 remain dependent
+ on MMA [1].
+
+ They ma improves privacy by..
+ They can also improve systtem performance by..
+ However they may reduce your security by..
+
+ > **Caution:**
+ > This may limit the Microsoft Monitoring Agent's capabilities beyond just affecting Microsoft Defender for Endpoint.
+
+ [1]: https://web.archive.org/web/20240707095718/https://learn.microsoft.com/en-us/defender-endpoint/update-agent-mma-windows "Update your agent on devices for Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
+ [2]: https://web.archive.org/web/20240707095722/https://learn.microsoft.com/en-us/defender-endpoint/configure-server-endpoints "Onboard Windows servers to the Microsoft Defender for Endpoint service - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
+ children:
+ -
+ name: Disable outdated "Microsoft Monitoring Agent Service Host Process" process
+ docs: |- # refactor-with-variables: Same β€’ MMA Caution # TODO: Research done, revision needed
+ This script disables `MonitoringHost.exe` process.
+
+ This process is known as Microsoft Monitoring Agent Service Host Process [1].
+ It's also known as *Health Service Host Process* [6] or
+ *System Center Management Service Host Process* [6].
+
+ Disabling this process improves your performance as it's associated with high CPU usage [3] [5] and memory usage [4].
+
+ It's found at `%PROGRAMFILES%\Microsoft Monitoring Agent\Agent\MonitoringHost.exe` [1] [2].
+ This process is only found on outdated Microsoft Monitoring Agent deployments [2].
+ It applies to Windows 8.1, Windows 7 and Windows Server 2008 R2 SP1 [2].
+ This agent is used by Microsoft Defender for Endpoint [2].
+
+ This component is associated with Microsoft Defender for Endpoint [1] [2].
+
+ In System Center Operations Manager, management servers, gateway servers, and agents all execute a process called
+ MonitoringHost.exe [6].
+ MonitoringHost.exe is used to accomplish monitoring activities such as executing a monitor or running a task [6].
+ The other examples of the actions MonitoringHost.exe performs include [6]:
+ - Monitoring and collecting Windows event log data [6]
+ - Monitoring and collecting Windows performance counter data [6]
+ - Monitoring and collecting Windows Management Instrumentation (WMI) data [6]
+ - Running actions such as scripts or batches [6]
+
+ This script improves privac by..
+ It can also improve systtem performance by..
+ However it may reduce your security by..
+
+ > **Caution:**
+ > This may limit the Microsoft Monitoring Agent's capabilities beyond just affecting Microsoft Defender for Endpoint.
+ + TODO: https://medium.com/csis-techblog/silencing-microsoft-defender-for-endpoint-using-firewall-rules-3839a8bf8d18 + + [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com" + [2]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240707095408/https://support.microsoft.com/en-us/topic/the-monitoringhost-exe-process-may-consume-all-the-cpu-resources-when-a-large-amount-of-performance-data-is-created-by-using-a-managed-data-source-module-in-system-center-operations-manager-2007-02b514c3-9c69-a2ab-d03c-63f4d177c4a3 "The Monitoringhost.exe process may consume all the CPU resources when a large amount of performance data is created by using a managed data source module in System Center Operations Manager 2007 - Microsoft Support | support.microsoft.com" + [4]: https://web.archive.org/web/20240707095403/https://support.microsoft.com/en-us/topic/the-monitoringhost-exe-process-on-the-system-center-operations-manager-2007-root-management-server-may-consume-more-than-2-gigabytes-of-memory-8ba36640-3d98-b636-463f-915985b8d45e "The MonitoringHost.exe process on the System Center Operations Manager 2007 root management server may consume more than 2 gigabytes of memory - Microsoft Support | support.microsoft.com" + [5]: https://web.archive.org/web/20240707095358/https://support.microsoft.com/en-us/topic/operations-manager-agents-consume-100-percent-of-cpu-resources-for-the-monitoringhost-exe-process-a0523d63-aead-a4cf-0a29-387b7147ed49 "Operations Manager agents consume 100 percent of CPU resources for the Monitoringhost.exe process - Microsoft Support | 
support.microsoft.com" + [6]: https://web.archive.org/web/20240707095353/https://www.file.net/process/monitoringhost.exe.html "MonitoringHost.exe Windows process - What is it? | file.net" + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MonitoringHost.exe + - + name: Disable outdated "Health Service" process + docs: |- # refactor-with-variables: Same β€’ MMA Caution # TODO: Research done, revision needed + This script disables `HealthService.exe` process. + + This process is ismply known as "Health Service" [4]. + This process provides functionality to Microsoft Monitoring Agent Service [1]. + + It runs timed scripts [4]. + + It's found at `%PROGRAMFILES%\Microsoft Monitoring Agent\Agent\HealthService.exe` [1] [3]. + This process is only found on outdated Microsoft Monitoring Agent deployments [3]. + It applies to Windows 8.1, Windows 7 and Windows Server 2008 R2 SP1 [3]. + This agent is used by Microsoft Defender for Endpoint [3]. + + This component is associated with Microsoft Defender for Endpoint [1] [3]. + + HealthService.exe runs as a background process and monitors certain performance functions of your PC [5]. + + Disabling this service will disable prevent Heartbeat messages from being sent to Azure [2], + causing the computer to be listed as "unresponsive agent" in Azure Portal [2]. + + Preventing these messages from being sent improves your privacy. + It improves your system performance this process is associated with high memory usage [4] and CPU usage [5]. + However it may decrease your security by.. + + TODO: https://medium.com/csis-techblog/silencing-microsoft-defender-for-endpoint-using-firewall-rules-3839a8bf8d18 + + > **Caution:** + > -This may limit the Microsoft Monitoring Agent's capabilities beyond just affecting Microsoft Defender for Endpoint. 
+
+ [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com"
+ [2]: https://web.archive.org/web/20240707094531/https://learn.microsoft.com/en-us/services-hub/unified/health/assessments-troubleshooting "Troubleshooting the On-Demand Assessments (MMA) | Microsoft Learn | learn.microsoft.com"
+ [3]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
+ [4]: https://web.archive.org/web/20240707095334/https://support.microsoft.com/en-us/topic/when-the-health-service-healthservice-exe-runs-timed-scripts-in-system-center-operations-manager-2007-high-memory-usage-may-occur-ed41d3c6-8090-073e-be49-4d4f643c27d1 "When the Health Service (HealthService.exe) runs timed scripts in System Center Operations Manager 2007, high memory usage may occur - Microsoft Support | support.microsoft.com"
+ call:
+ function: TerminateAndBlockExecution
+ parameters:
+ executableNameWithExtension: HealthService.exe
+ -
+ name: Disable outdated "Microsoft Monitoring Agent Cloud Connection Test utility" process
+ docs: |- # refactor-with-variables: Same β€’ Defender Connectivity Checks Caution β€’ MMA Caution # TODO: Research done, revision needed
+ This script disables `TestCloudConnection.exe` process.
+
+ It's known as Microsoft Monitoring Agent connectivity tool [4].
+ This process provides functionality to Microsoft Monitoring Agent Cloud Connection Test utility [1].
+
+ It's found at `%PROGRAMFILES%\Microsoft Monitoring Agent\Agent` [1].
+
+ This component is associated with Microsoft Defender for Endpoint [1] [4] [6].
+
+ This utility to used to verify that the computers can succesfully connect to Microsoft Monitoring Agent [2].
+
+ This utility is used to onboard "Microsoft Defender for Cloud" [3] [5].
+ Disabling it impairs onboarding to "Microsoft Defender for Cloud".
+
+ This process is outdated since April 2022, as Microsoft deprecates Microsoft Monitoring Agent (MMA) over
+ a *modern unified solution* as they call it [4].
+ This process is only found on outdated Microsoft Monitoring Agent deployments [6].
+ It applies to Windows 8.1, Windows 7 and Windows Server 2008 R2 SP1 [6].
+ This agent is used by Microsoft Defender for Endpoint [6]].
+
+ It is used for testing connectivity to Cyber Data channel URLs [4].
+ These URLs are specific web addresses that Microsoft Defender for Endpoint uses to transmit security data.
+
+ Its executable is typically found at `%PROGRAMFILES%\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` [6].
+
+ This script improves privac by..
+ It can also improve systtem performance by..
+ However it may reduce your security by..
+
+ > **Caution:**
+ > - This may limit the Microsoft Monitoring Agent's capabilities beyond just affecting Microsoft Defender for Endpoint.
+ > - Disabling connectivity checks may lead to connectivity issues with Microsoft servers and reduce your system's security.
+
+ [1]: https://web.archive.org/web/20240609102213/https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx "Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) | download.microsoft.com"
+ [2]: https://web.archive.org/web/20240707094531/https://learn.microsoft.com/en-us/services-hub/unified/health/assessments-troubleshooting "Troubleshooting the On-Demand Assessments (MMA) | Microsoft Learn | learn.microsoft.com"
+ [3]: https://web.archive.org/web/20240707094548/https://learn.microsoft.com/en-us/defender-endpoint/verify-connectivity "Verify client connectivity to Microsoft Defender for Endpoint service URLs - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
+ [4]: https://web.archive.org/web/20240706100039/https://learn.microsoft.com/en-us/defender-endpoint/run-analyzer-windows "Run the client analyzer on Windows - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
+ [5]: https://web.archive.org/web/20240707094522/https://learn.microsoft.com/en-us/azure/defender-for-cloud/monitoring-components "Overview of the extensions that collect data from your workloads - Microsoft Defender for Cloud | Microsoft Learn | learn.microsoft.com"
+ [6]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
+ call:
+ function: TerminateAndBlockExecution
+ parameters:
+ executableNameWithExtension: TestCloudConnection.exe
+ -
+ name: Disable outdated "Performance Snapshot Helper" process
+ docs: |- # refactor-with-variables: Same β€’ MMA Caution # TODO: Research done, revision needed
+ This script disables `MOMPerfSnapshotHelper.exe` process.
+
+ It's found at `%PROGRAMFILES%\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe` [1] [2].
+ This process is Used to create list of performance counters available on this computer [2]. + It collects to collect performance counter information [3]. + + Disabling this process prevents data collection that improves your privcacy. + Disabling this process may increase your system performance as this process is historically associated with + high CPU usage [3]. + However, this action may reduce your security. + + This process is only found on outdated Microsoft Monitoring Agent deployments [1]. + It applies to Windows 8.1, Windows 7 and Windows Server 2008 R2 SP1 [1]. + This agent is used by Microsoft Defender for Endpoint [1]. + + This component is associated with Microsoft Defender for Endpoint [1]. + + > **Caution:** + > This may limit the Microsoft Monitoring Agent's capabilities beyond just affecting Microsoft Defender for Endpoint. + + [1]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240707094412/https://www.herdprotect.com/momperfsnapshothelper.exe-6e485e17e7e3b92d2eb4baa1590ed30c325f60b8.aspx "Malware scan of MOMPerfSnapshotHelper.exe (Microsoft Monitoring Agent) 6e485e17e7e3b92d2eb4baa1590ed30c325f60b8 - herdProtect | www.herdprotect.com" + [3]: https://web.archive.org/web/20240707094404/https://support.microsoft.com/en-us/topic/the-momperfsnapshothelper-exe-process-crashes-or-experiences-high-cpu-usage-in-windows-server-2008-sp2-7e875ee5-b4a2-2441-997b-1eb1db1f26d2 "The MOMPerfSnapshotHelper.exe process crashes or experiences high CPU usage in Windows Server 2008 SP2 - Microsoft Support | support.microsoft.com" + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MOMPerfSnapshotHelper.exe + - + name: Disable outdated "The Health Service Lockdown Tool" process + docs: |- # 
refactor-with-variables: Same β€’ MMA Caution + This script disables the `HSLockdown.exe` process. + + This process is located at `%PROGRAMFILES%\Microsoft Monitoring Agent\Agent\HSLockdown.exe` [1] [2]. + This executable is known as *The Health Service Lockdown Tool* [2] [3] [4]. + It is used in outdated Microsoft Monitoring Agent deployments applicable to + Windows 8.1, Windows 7, and Windows Server 2008 R2 SP1 [1]. + + The Health Service Lockdown Tool uses command-line options to control and restrict which identities + can execute rules, tasks, or monitors [2]. + It can list accounts/groups, add or remove allowed or denied accounts/groups [2]. + It manages permissions by allowing or denying access to server components [2], including blocking + powerful accounts like `NT AUTHORITY\SYSTEM` [3]. + + While used with Microsoft Defender for Endpoint [1], disabling this tool also restricts the broader capabilities + of the Microsoft Monitoring Agent [1], potentially affecting other security operations. + + This script may also impair the discoverability of machines running the *Host Guardian Service* [4]. + This service verifies the security of a Hyper-V host before it runs protected virtual machines [5]. + + This script enhances privacy by removing a potential vulnerability in permission modifications, reducing + the risk of exposing sensitive server information. + It also limits the functionality of Microsoft Defender for Endpoint and Microsoft Monitoring Agent [1], + which are known to collect and transmit data [6]. + Disabling this process may enhance system performance by reducing resource use. + However, it can also reduce security by removing these protective measures. + + > **Caution:** + > - This may limit the Microsoft Monitoring Agent's capabilities beyond just affecting Microsoft Defender for Endpoint. + > - This impairs permission management within the Microsoft Monitoring Agent. 
+
+ [1]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
+ [2]: https://web.archive.org/web/20240707094307/https://learn.microsoft.com/en-us/system-center/scom/manage-security-overview-hslockdown?view=sc-om-2022 "Control Access by Using the Health Service Lockdown Tool in Operations Manager | Microsoft Learn | learn.microsoft.com"
+ [3]: https://web.archive.org/web/20240707094301/https://learn.microsoft.com/en-us/troubleshoot/system-center/scom/health-service-not-process-configuration-files "Health Service doesn't process configuration files - Operations Manager | Microsoft Learn | learn.microsoft.com"
+ [4]: https://web.archive.org/web/20240707094246/https://download.microsoft.com/download/6/D/E/6DE8A2F5-4738-4AE4-BFD6-EC85FEF9677D/MPGuide_GuardedFabric.docx "Guide for System Center Management Pack for Microsoft Windows Guarded Fabric 2016 and above | Microsoft System Center | download.microsoft.com"
+ [5]: https://web.archive.org/web/20240707091846/https://learn.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms "Guarded Fabric and Shielded VMs overview | Microsoft Learn | learn.microsoft.com"
+ [6]: https://web.archive.org/web/20240708203922/https://learn.microsoft.com/en-us/defender-endpoint/data-storage-privacy "Microsoft Defender for Endpoint data storage and privacy - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
+ call:
+ function: TerminateAndBlockExecution
+ parameters:
+ executableNameWithExtension: HSLockdown.exe
+ -
+ name: Disable outdated "Microsoft Monitoring Agent in Control Panel" process
+ docs: |- # refactor-with-variables: Same β€’ MMA Caution
+ This script disables the `AgentControlPanel.exe` process.
+
+ The process is located at `%PROGRAMFILES%\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe` [1].
+ This process is part of the *Microsoft Monitoring Agent* interface [2] [3].
+ This interface is also known as the *Microsoft Monitoring Agent Properties dialog box* [3].
+ Microsoft Defender for Endpoint utilizes this agent [1].
+ It appears in Control Panel [2] [3].
+ Disabling it may limit the agent's capabilities and impair access to its settings via the Control Panel.
+
+ The script targets only outdated Microsoft Monitoring Agent deployments on older operating systems
+ (Windows 8.1, Windows 7, and Windows Server 2008 R2 SP1) [1].
+
+ This script enhances user privacy by reducing the amount of data shared with Microsoft.
+ It also improves system performance by minimizing background activity on outdated systems.
+ However, it may also reduce security, as this process is integral to Microsoft Defender for Endpoint.
+ Disabling it could impair these crucial security functions.
+
+ > **Caution:**
+ > - This may limit the Microsoft Monitoring Agent's capabilities beyond just affecting Microsoft Defender for Endpoint.
+ > - This script impairs accessing Microsoft Monitoring Agent in Control Panel (Microsoft Monitoring Agent Properties dialog box).
+
+ [1]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
+ [2]: https://web.archive.org/web/20240707091724/https://blog.tyang.org/2017/01/17/command-launching-microsoft-monitoring-agent-control-panel-applet/ "Command Launching Microsoft Monitoring Agent Control Panel Applet - Managing Cloud and Datacenter by Tao Yang | blog.tyang.org"
+ [3]: https://web.archive.org/web/20240707091715/https://learn.microsoft.com/en-us/troubleshoot/azure/azure-monitor/log-analytics/windows-agents/erased-proxy-settings-microsoft-monitoring-agent "Fix erased proxy settings in the Microsoft Monitoring Agent - Azure | Microsoft Learn | learn.microsoft.com"
+ call:
+ function: TerminateAndBlockExecution
+ parameters:
+ executableNameWithExtension: AgentControlPanel.exe
+ -
+ name: Disable outdated "Microsoft Sensor" process
+ docs: |- # refactor-with-variables: Same β€’ MMA Caution
+ This script disables the `MsSenseS.exe` process.
+
+ The `MsSenseS.exe` process is known as the "sensor process" [1].
+ It collects and sends sensor data to Microsoft [1].
+
+ This process is outdated and is only used by older versions of the Microsoft Monitoring Agent and Microsoft Defender for Endpoint [2].
+ This process is found in environments running Windows 8.1, Windows 7, and Windows Server 2008 R2 SP1 [2].
+
+ It is typically located at
+ `%PROGRAMFILES%\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`,
+ but the exact subfolder numbers may vary [2].
+
+ Disabling this process helps protect your privacy by limiting the data collected and processed by external parties.
+ Additionally, it can improve system performance by alleviating high CPU usage commonly associated with this process [3].
+ However, this may limit some functions of the Microsoft Monitoring Agent and Microsoft Defender for Endpoint. + + > **Caution:** + > This may limit the Microsoft Monitoring Agent's capabilities beyond just affecting Microsoft Defender for Endpoint. + + [1]: https://web.archive.org/web/20240707085447/https://learn.microsoft.com/en-us/defender-endpoint/onboard-downlevel "Onboard previous versions of Windows on Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240706100031/https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2 "Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240707085441/https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/mssenses-exe-high-cpu-usage/m-p/2761276 "MsSenseS.exe high CPU usage - Microsoft Community Hub | techcommunity.microsoft.com" + call: + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: MsSenseS.exe - category: Disable automatic updates docs: |-