cancel
Showing results for 
Search instead for 
Did you mean: 

To neutralise Windows Defender in favour of McAfee LiveSafe.

Aim:
To neutralise Windows Defender in favour of McAfee LiveSafe.
Both are running and using their default settings.
My Operating System : OEM clean-install of Windows 10 Pro v1803, Build 17134.48


To see the currrent state of security, choose ...
Settings > Update & Security > Windows Security
This screen shows you all the components of Windows Defender,
collectively named as Windows Security by the OS.

You can also check the status of the Windows Defender Services via
Computer Management ...
⦁ WD Advanced Threat Protection Service
⦁ WD Antivirus Network Inspection Service
⦁ WD Antivirus Service
⦁ WD Firewall
⦁ WD Security Centre Service

The last two WD services above, Firewall and SCS have a Startup Type of 'Automatic' and
not unsurprisingly, have a Status of 'Running'. For completeness, the first three services
have a Startup Type of 'Manual' and are currently stopped.

Run the Local Group Policy Editor, to become familiar with the layout of the
Windows Defender components.

The Local Group Policy Editor exists as a separate download for Windows Home users.
gpedit.msc

Navigate to ...
Computer Configuration > Administrative Templates > Windows Components >
and notice the five entries beginning with "Windows Defender".

I've abbreviated and identified these components in red, for example ...
WD Antivirus indicates the following.

Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus

On first reading, go to the end of this page and read from,
Assessing the Group Policy edits for Windows Defender

Order in which the GP edits were carried out ... ===================================

WD SmartScreen :
⦁ Explorer :            Configure Windows Defender SmartScreen : Disabled
⦁ Microsoft Edge : Configure Windows Defender SmartScreen : Disabled

WD Antivirus : Turn off Windows Defender Antivirus : ENABLED

WD Security Centre :
⦁ Account protection :                                                Hide the Account protection area : ENABLED
⦁ App and browser protection :                 Hide the App and browser protection area : ENABLED
⦁ Device performance and health :      Hide the Device performance and health area : ENABLED
⦁ Device security :                                                               Hide the Device security area : ENABLED
⦁ Family options :                                                                 Hide the Family options area : ENABLED
⦁ Firewall and network protection :      Hide the Firewall and network protection area : ENABLED
⦁ Virus and threat protection :                      Hide the Virus and threat protection area : ENABLED


WD Security Centre :
⦁ Notifications :                       Hide all notifications : ENABLED

One, perhaps mute point, is that while editing the Local GPO,
I never ever clicked the Apply button, just the OK button.
=============================================================================

Next :
Disabled the 'Windows Defender Firewall' via Services in Computer Management.
Restarted to see the effects.

 

To check your protection while browsing - [ I used Internet Explorer and Edge ], go to ...
https://home.mcafee.com/root/landingpage.aspx?lpname=how-it-works&affid=0&cid=170790

Also have a look at Settings > Update & Security > Windows Security
where you'll see the words "Protection areas". This is displayed when there aren't any
entries to be found under WD Security Centre.


Clicking on the "Open Windows Defender Security Centre" button will display,
"Cannot open this App".

You can also get a LiveSafe-Security summary using System & Maintenance in Control Panel.

Clicking on Windows Firewall in Control Panel will now display ...
"Update your Firewall settings" with a "Use recommended setting" button.
This is what you'd expect to see, after all, the Windows Firewall has just been disabled !


I did not click any of the shortcuts that are displayed on the Firewall panel.
If you're wishing to remove the Windows Firewall Applet/icon from the Control Panel,
keep in mind that you'll also lose access to these shortcuts.

I decided to remove the Windows Firewall Applet from the Control Panel.
gpedit.msc
User Configuration > Administrative Templates > Control Panel
and then open "Hide specified Control Panel items" and press the Show button.
For Value, enter Windows Firewall's canonical name, Microsoft.WindowsFirewall


Now, back to Disabling the Windows Defender Services via
Computer Management ...
⦁ WD Advanced Threat Protection Service               Service Name : Sense
⦁ WD Antivirus Network Inspection Service             Service Name : WDNisSvc
⦁ WD Antivirus Service                                               Service Name : WinDefend


This disabling can be done by using sc.exe with the associated OS Service Names.
If unfamiliar with sc.exe trying
HKLM\SYSTEM\CurrentControlSet\Services\
is one method of finding the Service Names.
OR
You can also disable these services using the Services  tab of Autoruns,  from Sysinternals.

Before you use the Service Manager or Autoruns, it's a fair approach to first open ...
Settings > Apps > Start-up
and set all the apps to On and then ReStart.
This way the Start-up apps existence & condition will be displayed correctly in
Settings > Apps > Start-up - in perfect sync with the settings of Autoruns.

And finally, disable the Windows Defender ExploitGuard Task in Task Scheduler by right-clicking "ExploitGuard MDM policy Refresh" and selecting Disabled.
This task applys changes to the machine's Exploit Protection settings.

The WD Security Centre Service persists - at least as a hook for LiveSafe!

Time for a beer, methinks.
Cheers.

===========================================================================
===========================================================================

 

 

 


====================================================================
Assessing the Group Policy edits for Windows Defender

WD Antivirus
Turn off Windows Defender Antivirus : ENABLED
      > Real-time Protection
         I shouldn't need to alter this, as I'm turning off Windows Defender Antivirus
      > WD Exploit Guard

WD Application Guard

WD Exploit Guard
      > Exploit Protection

WD Security Center
⦁ Account protection
⦁ App and browser protection
⦁ Device performance and health
⦁ Device security
⦁ Family options
⦁ Firewall and network protection
⦁ Virus and threat protection

Enabling the settings above will prevent them from being displayed via ...
Settings > Update & Security > Windows Security

⦁ Enterprise Customization [ No changes to be made. ]
⦁ Notifications [ set to Disabled while currently TroubleShooting ]
   This setting hides notifications from the Windows Defender Security Center.

WD SmartScreen
⦁ Explorer :            Configure Windows Defender SmartScreen : Disabled
⦁ Microsoft Edge : Configure Windows Defender SmartScreen : Disabled

Prior to making any GP edits, Internet Explorer's Options had
'Enable Windows Defender SmartScreen' set to Disabled,
while in Microsoft Edge it was Enabled - so I Disabled it in Edge before doing any GP edits!

====================================================================

 

Just an Aside:
====================== From Microsoft Commnunity Group ==================
In order for Windows Defender Antivirus Service to run, it will require to remain
"Started" and set to "Automatic".
Some 3rd party antivirus (AV) programs may turn off Windows Defender AV, when they
are being installed and will not allow Windows Defender to be turned back on until the
3rd party AV has been uninstalled or disabled.
=====================================================================

 

 

 

 

 

 

 

 

 

 

 

 EOF

1 Reply

Re: To neutralise Windows Defender in favour of McAfee LiveSafe.

Conclusion, plus notes on Secure Boot & Trusted Boot and the TPM

Some people do not like tweaking with the Operating System and understandably so.
If you just wish to accept the default adjustments that McAfee LiveSafe makes to
Windows Defender, why not hide the Firewall icon in the Control Panel and
also hide the Security page in Windows Settings? This is purely cosmetic!

There would be less confusion between settings that would've been made in the
Windows Security settings page and the settings that are made via McAfee.
But, is there a one-to-one correspondence? What happens when things go
belly-up - is it down to Windows Defender or McAfee, which?
What about precedence/priority and duplication of settings? Will this affect? etc.
Personally, that's just too many questions for my liking!

PipeDream :
There's little chance of it occcuring but If only documention existed that exposed the granular
interoperability between Windows Defender and McAfee LiveSafe.


Hiding the Firewall icon in Control Panel and
the Security page in Windows Settings ...


Removing the Windows Firewall Applet from the Control Panel ...
gpedit.msc
User Configuration > Administrative Templates > Control Panel
and then open "Hide specified Control Panel items" and press the Show button.
For Value, enter Windows Firewall's canonical name, Microsoft.WindowsFirewall

and

excluding the Security page from being viewed in Windows Settings ...
gpedit.msc
Computer Configuration > Administrative Templates > Control Panel>
Open the 'Settings Page Visibility' and enter the following text ...
hide:windowsdefender

McAfee LiveSafe is still controlling your firewall and security, anti-virus etc.,
in favour of Windows Defender but now there's less confusion - visually!

Whether or not you choose to accept the default adjustments that McAfee makes to
Windows Defender, I'd still consider disabling WD SmartScreen
for your browsers and to let McAfee LiveSafe's WebAdvisor handle the website screening.

======================================================================
Continuing from my previous post ...
======================================================================
In Autoruns...
Disabled these Winlogon Group Policy Extensions ...
⦁ WD Application Guard Policy Evaluator
⦁ Device Guard Group Policy CSE <-- two entries disabled
Disabled SecurityHealthService & SgmBroker via the Service tab.

and then, as before, to hide the Security page ...
gpedit.msc
Computer Configuration > Administrative Templates > Control Panel>
Open the 'Settings Page Visibility' and enter the following text ...
hide:windowsdefender

I'm setting up a new system right now but towards the end I'll install
Ransomware Interceptor (Pilot) 

WaaS, if not properly controlled, can re-instate UWP Apps that you've uninstalled by using
the Windows Store. It can also restore some of your well-formed adaptations to the OS.
Disk imaging is a must!
I use O&O DiskImage, where selective sections/files of your image can be restored -
not forgetting creating and mounting VHD images et al.
Knowing how to fine-tune Windows Updates and Windows Store are other skills required.
======================================================================
======================================================================


======================================================================
Points I had to consider, notes and source links follow ...
======================================================================
The Windows Features;-
Measured Boot, BitLocker, Windows Hello, & Virtual Smart Card
all associate with the TPM (Trusted Platform Module) in one way or another.
Ed :
Note that the only Feature that I'm interested in, is Measured Boot - none of the others!

Measured Boot uses the power of UEFI, TPM, and Windows 10 to give you a way to
confidently assess the trustworthiness of a client PC across the network.
Ed : IF AND ONLY IF you've got an attestation server & client up-and-running!

With reference to the 'Secure the Windows 10 boot process" article ...

From Figure 2, ("The Measured Boot proves the PC’s health to a remote server"), it is a trivial fact and observation that a Measured Boot is impossible without an attestation server.

and from Figure 1, ("Secure Boot, Trusted Boot, and Measured Boot, block malware at every stage"), we see that if a Measured Boot is not available then the Trusted Boot is open to Rootkit attacks.

Ed :
Being unable to perform a Measured Boot has no bearing on Rootkit attacks during the
Secure Boot process. FACT : Secure Boot can only be toggled by the end-user.


Ed:
The Trusted Computing Group, TCG, who publish and maintain the TPM, were obviously
well aware of the potential controversy over who controls the attestation server and
by-design dedicated this function to third parties and to programmers using the available
APIs.
The penultimate decision to initiate or accept a level of trust with an attestation server
is in the hands of the end-user.

However, in contrast with who controls the attestation server, the Criticism levelled at the
TPM on the Wiki site, is quite a different matter! 

TPM measurements are a snapshot of the recorded-system-state during booting.
Having access to an attestation client will allow the TPM measurements to pass through it,
so that they can be verified by an attestation server.

Extract from Secure-the-windows-10-boot-process document ...

Windows 10 includes the APIs; Application Programming Interfaces, to support
Measured Boot, but you’ll need non-Microsoft tools to implement a
remote attestation client and trusted attestation server to take advantage of it.
For an example of such a tool, download the ...
TPM Platform Crypto-Provider Toolkit, from Microsoft Research
or
Microsoft Enterprise Security MVP Dan Griffin’s Measured Boot Tool.


I'm setting up a new system right now but towards the end I'll install
Ransomware Interceptor (Pilot) 

============================================================================
============================================================================
============================================================================
============================================================================

REFERENCE NOTES          REFERENCE NOTES          REFERENCE NOTES          REFERENCE NOTES

Secure Boot and Trusted Platform Module (TPM)
------------------------------------------------------------------------------------------------------------------
Article dated May 2017 :
"Since July 28, 2016, all new device models, lines or series
(or if you are updating the hardware configuration of a existing model, with a major update,
such as CPU, graphic cards)
must implement and enable by default TPM 2.0 .
The requirement to enable TPM 2.0 only applies to the manufacturing of new devices."
------------------------------------------------------------------------------------------------------------------
Again, but from a different source:
It is mandatory that all OEM System Builders comply with the WHQL specification for
Windows 10, in that all Win10 Client/Mobile x64 systems must implement Secure Boot and
must contain a TPM 2.0, and that the TPM 2.0 must be both available to the system and
enabled in the shipping configuration.

A Trusted Platform Module (TPM) is typically a microchip designed to provide basic
security-related functions, primarily involving encryption keys.
The TPM is usually installed on the motherboard of a computer.
Ed : This is a (discrete chip) ie. physical implemention of TPM, others exist, for example;
Virtualization-Based Security -VBS, CPU-Integration as opposed to discrete chip, and
of course the Windows 10 implementation of TPM.
TPMs are passive: they receive commands and return responses.

OEMs implement the TPM as a component in a trusted computing platform, such as a PC,
tablet, or phone. Trusted computing platforms use the TPM to support privacy and security
scenarios that software alone cannot achieve. For example, software alone cannot
reliably report whether malware is present during the system startup process.
Ed : The "system startup process", being Trusted Boot.

The close integration between TPM and platform increases the transparency of the
startup process and supports evaluating device health by enabling reliable measuring
and reporting of the software that starts the device.
Implementation of a TPM as part of a trusted computing platform provides a
hardware root of trust—that is, it behaves in a trusted way.
For example, if a key stored in a TPM has properties that disallow exporting the key,
that key truly cannot leave the TPM.
-------------------
Windows 10 automatically provisions a TPM, but if the user is planning to reinstall the
operating system, he or she may need to clear the TPM before reinstalling, so that
Windows can take full advantage of the TPM.

Ed :
Be aware that the command tpm.msc is deprecated in Win 10 v1803.
It will only report that the TPM cannot be found on this computer.

Whereas, the PowerShell command ...
PS C:\Windows\system32> get-tpm
told me that a TPM was non-extant and that the OS manages the owner authorisation,
resulting in the inability to be able to reset the TPM using the owner authorisation value!!
This statement was inferred from the following fields in the output of get-tpm.
ManagedAuthLevel : Full
OwnerClearDisabled : True

Even although get-tpm reports a non-extant TPM, the above paragraph resolves to -
Windows 10 is in charge of the TPM - which concurs with the Wiki comment above.
See the Criticism levelled at the TPM on the Wiki site ...
-------------------

Another aspect I considered was Early Launch Anti-Malware, ELAM.
Does it exist on my system?
Apparently, when the ELAM driver is installed, a backup copy of the driver must also be
installed. In the event of a failure to load or to initialise the primary ELAM driver due to a
corruption, Windows Recovery Environment, WinRE, looks in the default location,
[ C:\Windows\ELAMBKUP ] to restore the ELAM driver from the backup copy.

-----------------------------------------------------------------------------------------------------------
Sources :
-----------------------------------------------------------------------------------------------------------
Secure the Windows 10 boot process ...


Originally, BitLocker allowed from 4 to 20 characters for a PIN.
Windows Hello has its own PIN for logon, which can be 4 to 127 characters.
Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks. 


General TPM notes ...


Minimum Hardware requirements for Windows 10 ...


Reference was also made to WHCP-Systems-Specification-1803.pdf

 

 

 

 

 

 

 

 

 

 

 

 


EOF

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community