Celeb Glow
updates | March 12, 2026

I disabled real-time monitoring of Windows Defender, but a PowerShell script is still blocked

I disabled real-time monitoring of Windows Defender by running the command in PowerShell as admin:

Set-MpPreference -DisableRealtimeMonitoring $true

But I still can't execute the script Get-TSLsaSecret. When I try to run it I get:

At line:1 char:1
+ function Get-TSLsaSecret {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent

EDIT1:

I was able to run the script after switching Windows Defender real-time protection off manually in Windows Settings. But it's not clear why the command does not work.

0

1 Answer

Windows Defender dislikes Get-TSLsaSecret because this script accesses the most secret part of Windows.

The LSA secrets are stored as LSA Private Data in the registry under key HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. For example, all information for accessing system services, including passwords, is kept as plain-text under the subkeys named _SC_<ServiceName>. User account information is also kept here.

The data can be hacked. For a forensic treatment, see the article Use PowerShell to Decrypt LSA Secrets from the Registry.

Not surprisingly, access to this key is rigidly controlled and is impossible even for administrators. Windows Defender will guard against any such attempt, and when scanning the disk will even delete scripts that hack the LSA.

Conclusion: In order to use this script you will basically need to deactivate Windows Defender. If you ever re-activate it, you may find that your script was quarantined and will need to be allowed and restored.

5
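An added example, not part of the original question or answer: a read-only PowerShell check that compares the setting written by Set-MpPreference with what Get-MpComputerStatus reports as actually in effect, then lists recent Defender events for detections and configuration changes. The function names are hypothetical; the cmdlets, properties, log name and event IDs are Defender's own. Run it from an elevated prompt.

```powershell
# Added example (not from the original post). Read-only: it changes no settings.

function Get-DefenderRtpState {
    # Hypothetical helper name. Compares the requested setting with the effective one.
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        # What Set-MpPreference wrote (the requested setting)
        DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
        # What the engine reports it is actually doing
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        AntivirusEnabled          = $status.AntivirusEnabled
        IsTamperProtected         = $status.IsTamperProtected
        # True when the requested setting and the effective state disagree
        Mismatch = ($pref.DisableRealtimeMonitoring -eq $status.RealTimeProtectionEnabled)
    }
}

function Get-DefenderRecentEvents {
    # Hypothetical helper name. Lists detections and configuration changes from the
    # Defender operational log over the last $Hours hours.
    param([int]$Hours = 24)

    $ids = @{
        1116 = 'Threat detected'
        1117 = 'Action taken on threat'
        5001 = 'Real-time protection disabled'
        5007 = 'Configuration changed'
        5013 = 'Tamper protection blocked a change'
    }

    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = [int[]]@($ids.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |   # no matching events is not an error here
        Select-Object TimeCreated, Id,
            @{ Name = 'Meaning'; Expression = { $ids[[int]$_.Id] } },
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

Get-DefenderRtpState | Format-List
Get-DefenderRecentEvents -Hours 24 | Format-Table -AutoSize -Wrap
```

A `Mismatch` of `True` means the preference was written but the engine state did not follow it; the event list shows whether a change was recorded or blocked and which detections fired.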
