How to disable Windows Defender on a Windows 11 VM and install Flare VM

NEVER disable Windows Defender on your host! These notes are based on this great YT video: https://www.youtube.com/watch?v=jGQvqcIlh_s&t

Part 1 - permanently disabling Windows 11 Defender (for learning purposes)

Do not disable Windows Defender on your host!

These steps should be performed only on Windows 11 virtual machines in your lab environment.

Step 1. Windows 11 settings:

Settings > Virus and Threat Protection > Manage Settings

→ disable Real-time protection

→ disable Tamper protection

Step 2. How to add registry Keys and DWORD 32 values:

Open Registry Editor on the Windows 11 VM and proceed with the following steps.

💡 To add a new DWORD (32-bit) value inside a key (e.g. Windows Defender is a key), right-click on empty space in the right-hand pane and choose New > DWORD (32-bit) Value. Repeat this each time you add a new registry entry (DWORD 32) to a key.

💡 To add a key to the registry, right-click the chosen parent key and click New > Key.

💡 To set the data of a new DWORD entry, double-click it and change the value from 0 to 1 (base: Hexadecimal).

Step 3. Go to the Windows Defender key and add several new DWORD 32 entries, each with value 1:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

  • DisableAntiSpyware — REG_DWORD — 1

  • DisableAntiVirus — REG_DWORD — 1

  • DisableRealTimeMonitoring — REG_DWORD — 1

  • DisableRoutinelyTakingAction — REG_DWORD — 1

  • DisableSpecialRunningModes — REG_DWORD — 1

  • ServiceKeepAlive — REG_DWORD — 1

Step 4. Add a new key Real-Time Protection under “Windows Defender” and add new DWORD 32 entries:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

  • DisableBehaviorMonitoring — REG_DWORD — 1

  • DisableOnAccessProtection — REG_DWORD — 1

  • DisableRealtimeMonitoring — REG_DWORD — 1

  • DisableScanOnRealtimeEnable — REG_DWORD — 1

  • DisableScriptScanning — REG_DWORD — 0

Step 5. Add a new key Signature Update under “Windows Defender” and add a new DWORD 32 entry:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Update

  • ForceUpdateFromMU — REG_DWORD — 1

Step 6. Add a new key Spynet under “Windows Defender” and add a new DWORD 32 entry:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet

  • DisableBlockAtFirstSeen — REG_DWORD — 1
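Before moving on to Part 2 it is worth confirming that the lab VM really has every value from Steps 3-6 in place, and that you are not accidentally running this on your host. The script below is an added example, not part of the original notes or of the Flare VM project: it only reads the registry and the Defender status (it changes nothing), and the virtual-machine detection is a heuristic on Win32_ComputerSystem that I assume matches common hypervisors. Run it from an elevated PowerShell on the VM.

```powershell
# Added example (not from the original notes or the FLARE VM project).
# Read-only check of the Part 1 state: refuses to report "ready" unless the
# machine looks like a VM (heuristic, an assumption), then verifies that every
# policy value listed in Steps 3-6 exists with the expected data. Run as Administrator.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Expected values per key, exactly as listed in Steps 3-6 ('' = the base key itself)
$checks = @(
    @{ Key = '';                     Values = @{ DisableAntiSpyware = 1; DisableAntiVirus = 1
                                                 DisableRealTimeMonitoring = 1; DisableRoutinelyTakingAction = 1
                                                 DisableSpecialRunningModes = 1; ServiceKeepAlive = 1 } },
    @{ Key = 'Real-Time Protection'; Values = @{ DisableBehaviorMonitoring = 1; DisableOnAccessProtection = 1
                                                 DisableRealtimeMonitoring = 1; DisableScanOnRealtimeEnable = 1
                                                 DisableScriptScanning = 0 } },
    @{ Key = 'Signature Update';     Values = @{ ForceUpdateFromMU = 1 } },
    @{ Key = 'Spynet';               Values = @{ DisableBlockAtFirstSeen = 1 } }
)

function Test-IsVirtualMachine {
    # Heuristic (assumption): hypervisors expose themselves in the Model/Manufacturer strings
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    return [bool]($cs.Model -match 'Virtual Machine|VMware|VirtualBox|KVM|QEMU' -or
                  $cs.Manufacturer -match 'VMware|innotek|QEMU|Xen|Parallels')
}

function Get-DefenderPolicyProblems {
    # Returns one line per missing key, missing value or mismatched data; empty when all good
    $problems = @()
    foreach ($check in $checks) {
        $path = if ($check.Key) { Join-Path $base $check.Key } else { $base }
        if (-not (Test-Path $path)) { $problems += "missing key: $path"; continue }
        $item = Get-ItemProperty -Path $path
        foreach ($name in $check.Values.Keys) {
            $want = $check.Values[$name]
            $have = $item.$name
            if ($null -eq $have)     { $problems += "missing value: $path\$name (want $want)" }
            elseif ($have -ne $want) { $problems += "wrong data: $path\$name = $have (want $want)" }
        }
    }
    return $problems
}

function Get-DefenderStatusProblems {
    # Step 1 of Part 1: real-time and tamper protection should already be off
    $problems = @()
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        if ($mp.IsTamperProtected)          { $problems += 'Tamper protection is still on (Step 1)' }
        if ($mp.RealTimeProtectionEnabled)  { $problems += 'Real-time protection is still on (Step 1)' }
    } catch {
        # The cmdlet fails once the Defender service is fully off; that is not a problem here
        Write-Output "Get-MpComputerStatus unavailable: $($_.Exception.Message)"
    }
    return $problems
}

if (-not (Test-IsVirtualMachine)) {
    Write-Warning 'This machine does not look like a virtual machine. Do NOT continue on a host.'
    return
}

$all = @(Get-DefenderStatusProblems) + @(Get-DefenderPolicyProblems)
if ($all.Count -eq 0) {
    Write-Output 'All Part 1 settings are in place on this VM.'
} else {
    Write-Output 'Part 1 is incomplete:'
    $all | ForEach-Object { Write-Output "  - $_" }
}
```

Each reported line names the exact key and value from the steps above, so a missing or mistyped entry (a wrong base when entering the data, a key created under the wrong parent) can be fixed in Registry Editor before the Flare VM installer is started.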

Part 2. Installing Flare VM (optional)

Step 1. Open “Edit Group Policy” and turn off Defender

Open “Edit Group Policy” and go to:

Computer Configuration > Administrative Templates > System > Windows Components > Microsoft Defender Antivirus

Find “Turn off Microsoft Defender Antivirus”, then double-click it (or right-click it and choose Edit):

Click “Enabled” > Apply > OK:

Restart Windows.

Step 2. Powershell

  1. Open Powershell as Administrator

  2. Download the installation script install.ps1 to your Desktop:

    (New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath("Desktop"))\install.ps1")

  3. Unblock the installation script: Unblock-File .\install.ps1

  4. Enable script execution: Set-ExecutionPolicy Unrestricted -Force

    If you receive an error saying the execution policy is overridden by a policy defined at a more specific scope, you may need to pass a scope via: Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force. To view execution policies for all scopes, execute: Get-ExecutionPolicy -List

  5. Finally, execute the installer script as follows: .\install.ps1

To pass your password for Windows (speed up rebooting) as an argument: .\install.ps1 -password <password>

💡 Warning: installation may take a few hours and Windows will reboot several times during the installation process.
