> 2) disable protection alongside A/V and proceed as usual
How would the malware do that? I've looked into this and with Windows 10 1903 onward, Tamper Protection is enabled by default. [1]
I have yet to find a programmatic method to disable Tamper Protection (which is a prerequisite to disable Defender). I've tried regedit (permission denied), GPO, and all other manner of PowerShell thuggery, but I have not succeeded. In the end, I scripted extracting and editing the registry hive offline (outside the VM) to disable Tamper Protection.
Unless the malware has a way to open the Settings app and toggle Tamper Protection in the UI as if they were a user, I can't think of any way they could disable it unless they exploit a known weakness in Defender or a third-party anti-virus program (entirely possible).
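An added read-only audit script (my own, not the commenter's) that reports the Tamper Protection state as seen by Get-MpComputerStatus and by the on-disk Features registry value, and flags when the two disagree (for example after an offline hive edit like the one described above). The key path and the value encoding (5 = enabled, 4 = disabled) are assumptions.

```powershell
# Added example, not from the thread. Read-only audit of Defender Tamper
# Protection on a Windows 10 1903+ host; assumes the Defender module exists.
function Get-TamperProtectionAudit {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        Timestamp           = (Get-Date).ToString('o')
        ComputerName        = $env:COMPUTERNAME
        IsTamperProtected   = $null   # from the running engine
        RealTimeProtection  = $null
        RegistryTamperValue = $null   # from the on-disk hive
        Consistent          = $null
        Findings            = @()
    }

    # Source 1: the Defender cmdlet, the engine's own view.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        $result.IsTamperProtected  = [bool]$status.IsTamperProtected
        $result.RealTimeProtection = [bool]$status.RealTimeProtectionEnabled
        if (-not $result.IsTamperProtected)  { $result.Findings += 'Tamper Protection is OFF' }
        if (-not $result.RealTimeProtection) { $result.Findings += 'Real-time protection is OFF' }
    } catch {
        $result.Findings += "Get-MpComputerStatus failed: $($_.Exception.Message)"
    }

    # Source 2: the registry value. Assumed encoding: 5 = enabled, 4 = disabled.
    $featuresKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    try {
        $item = Get-ItemProperty -Path $featuresKey -Name TamperProtection -ErrorAction Stop
        $result.RegistryTamperValue = [int]$item.TamperProtection
    } catch {
        $result.Findings += "Could not read ${featuresKey}\TamperProtection: $($_.Exception.Message)"
    }

    # Disagreement between engine and hive is the interesting signal for a defender.
    if ($null -ne $result.IsTamperProtected -and $null -ne $result.RegistryTamperValue) {
        $regSaysEnabled = ($result.RegistryTamperValue -eq 5)
        $result.Consistent = ($result.IsTamperProtected -eq $regSaysEnabled)
        if (-not $result.Consistent) {
            $result.Findings += 'Engine and registry disagree on Tamper Protection state'
        }
    }

    [pscustomobject]$result
}

Get-TamperProtectionAudit | Format-List
```

Run from an elevated prompt; the Features key is typically readable only by administrators, so an access-denied finding from a standard user is expected and not itself a sign of tampering.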
Tamper protection is really meant for enterprise. Disabling it is exactly as hard as gaining privilege escalation. It is harder to achieve in AD (of course attackers gain lateral movement opportunities instead, but that's a different story), so Tamper protection makes sense there as an additional "security in depth" layer. At home, where the logged-in user is likely an admin already (even if "protected" by run as / UAC), tamper protection doesn't really add much apart from breaking existing exploit kits and requiring attackers to invest in new ones.
[1] https://docs.microsoft.com/en-us/windows/security/threat-pro...