
Set-MpPreference and Add-MpPreference commands are blocked by AMSI #417

Open
Alcinzal opened this issue Sep 25, 2024 · 4 comments

Comments

@Alcinzal

Alcinzal commented Sep 25, 2024

I have seen users say that both of these commands are blocked by AMSI, even if Windows Defender is disabled. This is the error displayed:

```text
This script contains malicious content and has been blocked by your antivirus software.
```

Through my own testing, I can confirm that these commands do indeed get blocked. However, disabling Windows Defender allows them to execute successfully.

But exclusions can still be added through policies in the registry. Here is an example command for adding "C:\ProgramData" to the path exclusions:

```bat
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /reg:64 & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /d 0 /f /reg:64
```

First it makes sure that the required path exists, and then adds the exclusion key to that path. When viewed in Windows Defender, you’ll notice that the Remove button is disabled:

[Screenshot: Windows Defender exclusions list with the Remove button greyed out]

The /d 0 part ensures that the button is disabled. The value can be anything, as long as it is set. However, if you remove that part of the command, the button will be enabled, but it will have no effect. It is not possible to remove the exclusion directly from Windows Defender; it has to be done from the registry.

Are there any downsides to this I have overlooked?
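From the defender's side, the behaviour described above (exclusions living under the Policies key, not removable from the GUI) is exactly what an audit should surface. The script below is an added example, not code from the issue or its author; it assumes an elevated PowerShell session on a Windows host and the real Defender policy key path quoted in the post.

```powershell
# Added audit example: enumerate Windows Defender exclusions that were set via
# the Policies registry key, i.e. the kind the GUI cannot remove.
# Assumption: run elevated on Windows; the key path is the one from the issue.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'

function Get-DefenderPolicyExclusions {
    param([string]$Root = $PolicyRoot)

    $found = @()
    # Defender stores each exclusion class in its own subkey.
    foreach ($kind in 'Paths', 'Extensions', 'Processes') {
        $keyPath = Join-Path -Path $Root -ChildPath $kind
        if (-not (Test-Path -Path $keyPath)) { continue }

        $key = Get-Item -Path $keyPath
        # The exclusion itself is the VALUE NAME; the data (e.g. "0") only
        # affects the GUI's Remove button, as the issue describes.
        foreach ($name in $key.GetValueNames()) {
            $found += [pscustomobject]@{
                Kind    = $kind
                Target  = $name
                Data    = $key.GetValue($name)
                KeyPath = $keyPath
            }
        }
    }
    return $found
}

$exclusions = Get-DefenderPolicyExclusions
if (-not $exclusions) {
    Write-Host "No policy-defined Defender exclusions under $PolicyRoot"
} else {
    Write-Warning ("{0} policy-defined Defender exclusion(s) found; " +
                   "review each one, they cannot be removed from the Defender UI.") -f $exclusions.Count
    $exclusions | Format-Table -AutoSize
}
```

Writes to this key are also worth alerting on: a Sysmon RegistryEvent rule (Event ID 13, value set) scoped to the `Policies\Microsoft\Windows Defender\Exclusions` path catches the exact command shown above at the time it runs.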

@error0x1337

Yes, adding exclusions through the registry is detected in most cases; however, the user cannot directly remove it from the GUI.

@Alcinzal

> Yes, adding exclusions through the registry is detected in most cases; however, the user cannot directly remove it from the GUI.

In my experience, Windows Defender does not detect it. The other commands get blocked by WD, so the only way is to write to the registry.

@error0x1337

@Alcinzal Do you use Rootkit?

@Alcinzal

Alcinzal commented Sep 28, 2024

> @Alcinzal Do you use Rootkit?

I don't use Rootkit no, how so?
