Windows Defender False Positive Detection Despite GPO and Tool-Based Disabling

[shreethaar]

What's the problem?

Bug Description

The FLARE-VM installer script continues to detect Windows Defender as enabled and blocks installation, despite having properly disabled Windows Defender through multiple methods including Group Policy Object (GPO) and third-party removal tools.

Steps Taken to Disable Windows Defender

Method 1: Group Policy Object (GPO)

• Applied GPO settings to disable Windows Defender Real-time Protection
• Followed the recommended GPO configuration from FLARE-VM documentation
• Verified GPO settings are applied and active

Method 2: Windows-Defender-Remover Tool

• Used the automated Windows-Defender-Remover tool from: https://github.com/ionuttbara/windows-defender-remover
• Tool completed successfully without errors
• Verified that Windows Defender services and components were removed/disabled

Current Issue

Despite both methods above, the FLARE-VM installer script (install.ps1) still reports that Windows Defender is enabled and prevents installation from proceeding.

Steps to Reproduce

1. Windows 10 VM (Win10_22H2_English_x64v1)
2. Utilizing virtualbox in Linux host environment
3. VM setup with 90 GB virtual storage and 12GB RAM

Environment

• Virtualization Software: VirtualBox v7.1.12
• VM OS Version: 10.0.19045
• VM Powershell version: 5.1.19041.6157
• VM Chocolatey version: 2.5.0
• VM Boxstarter version: Boxstarter|3.0.3

Additional Information

No response

[Ana06]

@shreethaar how exactly have you disabled Windows Defender? Have you restarted the VM after disabling it and ensure it is still disabled?

I am using the exact same version of Windows 10 (10.0.19045) and used the information in the README to disable Defender and I do not have this issue. Does someone else have this issue?

This is how we checked if Windows Defender is disabled:

$tpEnabled = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name "TamperProtection" -ErrorAction Stop
if ($tpEnabled.TamperProtection -eq 5) {

Does someone have a proposal to improve this check?

@shreethaar

The FLARE-VM installer script continues to detect Windows Defender as enabled and blocks installation

I think it is important to clarify that it does not blocks the installation, as it still allows you to continue. Note also there is -noChecks argument you can provide to the installer to skip all the checks.

[Ana06]

@shreethaar can you please share the output of the following commands to help investigating the issue?

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name "TamperProtection"

Get-Service -Name WinDefend -ea 0

Get-CimInstance -Namespace "root\Microsoft\Windows\Defender" -Class MSFT_MpPreference

[Ana06]

From @sara-rn in #707 (comment), error in Windows 10 when trying to access HKLM:\SOFTWARE\Microsoft\Windows Defender\Features with Windows Defender enabled:

Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' because it does not exist.
At C:\Users\flaretest\Desktop\install_cat.ps1:192 char:22
+ ... tpEnabled = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows 

Not sure if this means that if HKLM:\SOFTWARE\Microsoft\Windows Defender\Features does not exist we can conclude that Windows Defender is enabled thought. The current behavior says that it was unable to check if it is enabled and I am not sure if we can say more that that.