Windows Defender
Windows Defender, starting with definition update 1.293.1336.0, detects and removes the StaffCop file-monitoring module. To check whether the module has been blocked, verify that the following file exists:
C:\Windows\System32\drivers\CaptureFileMonitor64.sys
If the file is missing, Defender has removed it. Use one of the procedures below; adding an exclusion is preferable to disabling Windows Defender, because it leaves the rest of the endpoint protected.
Add exclusions
From an elevated command prompt (cmd, run as Administrator):
WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=252013 ThreatIDDefaultAction_Actions=6
Here 252013 is the Defender threat ID under which the StaffCop module is detected, and action 6 means “Allow”, so Defender takes no action on that detection. The command appends to Defender’s existing list of per-threat default actions.
Exclusions added via Group Policy
Press Win+R and type gpedit.msc.
In the Local Group Policy Editor, go to Computer Configuration –> Administrative Templates –> Windows Components –> Windows Defender –> Threats (on newer builds the node is named “Windows Defender Antivirus” or “Microsoft Defender Antivirus”), then open the setting “Specify threats upon which default action should not be taken when detected”. Select “Enabled”, click “Show”, and create a new entry with value name 252013 and value 6 (6 = Allow). Run gpupdate /force or wait for the policy to apply, then reinstall the agent if Defender has already removed it.
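As an added example (not part of the StaffCop documentation or software), the following PowerShell, run from an elevated prompt, performs the same check and exclusion end to end: it tests for the driver file, reports the installed definition version and any detections Defender has logged for threat ID 252013, then allows that threat ID with Add-MpPreference, the cmdlet equivalent of the WMIC call above (“Allow” is the named form of the numeric action 6). It assumes the Defender PowerShell module is available (Windows 8.1 / Server 2012 R2 and later); the function names are this example’s own. WMIC is deprecated on current Windows builds, so the cmdlet route is the one worth keeping.

```powershell
# Added example, not StaffCop's own code; function names are this example's own.
# Run from an elevated PowerShell prompt on a host with the Defender module
# (Get-MpPreference, Add-MpPreference, Get-MpThreatDetection, Get-MpComputerStatus).

$DriverPath = Join-Path $env:SystemRoot 'System32\drivers\CaptureFileMonitor64.sys'
$ThreatId   = 252013                      # Defender threat ID named on this page
$MinDefs    = [version]'1.293.1336.0'     # definition version after which blocking starts

function Test-StaffCopDriverPresent {
    # Defender removes the driver when it detects it, so a missing file means "blocked".
    Test-Path -LiteralPath $DriverPath -PathType Leaf
}

function Get-StaffCopDetection {
    # Detections Defender has logged for this threat ID (nothing is returned if none).
    Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $_.ThreatID -eq $ThreatId }
}

function Add-StaffCopThreatExclusion {
    # Cmdlet form of:  WMIC ... MSFT_MpPreference call Add
    #                  ThreatIDDefaultAction_Ids=252013 ThreatIDDefaultAction_Actions=6
    # "Allow" is the named value of action 6. Add-MpPreference appends to the list;
    # Set-MpPreference would replace any per-threat actions already present.
    Add-MpPreference -ThreatIDDefaultAction_Ids $ThreatId -ThreatIDDefaultAction_Actions Allow
}

function Test-StaffCopThreatExclusion {
    # True when Get-MpPreference lists the threat ID with default action 6 (Allow).
    $pref = Get-MpPreference
    $ids  = @($pref.ThreatIDDefaultAction_Ids)
    $acts = @($pref.ThreatIDDefaultAction_Actions)
    $i    = [array]::IndexOf($ids, [int64]$ThreatId)
    ($i -ge 0) -and ([int]$acts[$i] -eq 6)
}

$status = Get-MpComputerStatus
"Installed definitions: $($status.AntivirusSignatureVersion) (blocking reported from $MinDefs)"
if ([version]$status.AntivirusSignatureVersion -lt $MinDefs) {
    'Definitions are older than the blocking update; the driver is not expected to be removed yet.'
}
# IsTamperProtected is absent on older builds; when true, policy-based changes may be ignored.
if ($status.PSObject.Properties['IsTamperProtected'] -and $status.IsTamperProtected) {
    Write-Warning 'Tamper Protection is on: Group Policy changes to Defender may not take effect.'
}

if (Test-StaffCopDriverPresent) {
    'CaptureFileMonitor64.sys is present; Defender has not removed the module.'
} else {
    $detections = Get-StaffCopDetection
    if ($detections) {
        "Defender detections recorded for threat ID $ThreatId :"
        $detections | Format-Table InitialDetectionTime, Resources -AutoSize
    }
    Add-StaffCopThreatExclusion
    if (Test-StaffCopThreatExclusion) {
        "Threat ID $ThreatId is now set to Allow; reinstall the StaffCop agent."
    } else {
        Write-Warning 'Exclusion not visible in Get-MpPreference; use the Group Policy route above.'
    }
}
```

Checking Get-MpThreatDetection before adding the exclusion confirms that 252013 is really the ID Defender used on this host; an exclusion for a threat ID that never fired would not explain a missing driver, and the cause should then be looked for elsewhere.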
Disable Windows Defender
Agent versions above 5.8.2495 add the exclusions automatically during installation. However, Defender may still block the download of the agent installer itself, so before installing either disable Windows Defender as described below or add the exclusions as described above. Disabling Defender leaves the host without antivirus protection; treat it as a temporary step and restore the settings once the agent is installed. On current Windows 10/11 builds with Tamper Protection enabled, these Group Policy settings are ignored until Tamper Protection is turned off in Windows Security.
Press Win+R and type gpedit.msc.
In the Local Group Policy Editor, go to Computer Configuration –> Administrative Templates –> Windows Components –> Windows Defender.
Double click the “Turn off Windows Defender” and select “Enabled”.
Disable the following options in a similar way (by selecting “Disabled”): “Allow antimalware service to startup with normal priority” and “Allow antimalware service to remain running always”.
Go to the sub-section “Real-time Protection” and double click the option “Turn off real-time protection” and select “Enabled”.
In addition, disable the option “Scan all downloaded files and attachments” (here you should select “Disabled”).
In the “MAPS” sub-section, disable all options (select “Disabled”) except “Send file samples when further analysis is required”.
For that option, select “Never send” from the drop-down list (the drop-down is only active while the setting is “Enabled”). Afterwards run gpupdate /force or wait for the policy to apply.
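Added example, not from StaffCop: a read-only PowerShell check that reports whether the settings above are actually in effect, since Group Policy changes to Defender are silently ignored while Tamper Protection is on. It assumes the Defender module is present; the mapping from each policy to a Get-MpComputerStatus or Get-MpPreference property is given in the comments, and the function names are this example’s own.

```powershell
# Added example, not StaffCop's own code; function names are this example's own.
# Read-only: maps the policy settings above to the state Defender actually reports.

function Get-DefenderPolicyState {
    $s = Get-MpComputerStatus
    $p = Get-MpPreference
    # IsTamperProtected does not exist on older builds.
    $tamper = if ($s.PSObject.Properties['IsTamperProtected']) { $s.IsTamperProtected } else { $null }
    [pscustomobject]@{
        AntivirusEnabled     = $s.AntivirusEnabled           # "Turn off Windows Defender": expect False
        RealTimeProtection   = $s.RealTimeProtectionEnabled  # "Turn off real-time protection": expect False
        ScanDownloads        = $s.IoavProtectionEnabled      # "Scan all downloaded files and attachments": expect False
        MapsReporting        = [int]$p.MAPSReporting         # MAPS sub-section: 0 = disabled
        SubmitSamplesConsent = [int]$p.SubmitSamplesConsent  # 2 = "Never send"
        TamperProtected      = $tamper
    }
}

function Test-DefenderDisabledForInstall {
    param([Parameter(Mandatory)] $State)
    # True only when every setting the procedure asks for is in effect.
    (-not $State.AntivirusEnabled) -and
    (-not $State.RealTimeProtection) -and
    (-not $State.ScanDownloads) -and
    ($State.MapsReporting -eq 0) -and
    ($State.SubmitSamplesConsent -eq 2)
}

$state = Get-DefenderPolicyState
$state | Format-List
if (Test-DefenderDisabledForInstall -State $state) {
    'Defender is disabled as configured; download and install the agent, then restore the policies.'
} elseif ($state.TamperProtected) {
    Write-Warning 'Settings not in effect and Tamper Protection is on: turn it off in Windows Security, run gpupdate /force, then re-check.'
} else {
    Write-Warning 'Settings not yet in effect; run gpupdate /force and re-check.'
}
```

Run the check again after the agent is installed and the policies have been restored, so the host is not left with Defender off longer than the installation requires.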
Note
If Windows Defender has already updated and removed the agent files, add the exclusions first and then reinstall the agent.