Windows Defender Disabled or Tampered
Attackers routinely disable or tamper with Windows Defender before executing their main payload: turning off real-time protection, stopping the WinDefend service, or modifying the registry keys that control Defender's configuration. These actions surface in the System log (Event ID 7036 for service state changes, 7034 when the service terminates unexpectedly), in the Security log (Event ID 4657 for registry changes, which is only written when Audit Registry is enabled and the key carries a SACL, plus 4688 for the process that made the change) and in Defender's own Operational log (for example 5001 when real-time protection is disabled and 5013 when Tamper Protection blocks a change).
Severity
Critical
ATT&CK Tactic
Defense Evasion
Common attacker usage
Ransomware pre-encryption phase · APT toolkit deployment · Commodity malware droppers · Hands-on-keyboard intrusions
Investigate immediately if
- !WinDefend stopped and no restart event follows within 60 seconds
- !Tamper Protection was bypassed — registry changes to Defender keys succeeded
- !A user account (not SYSTEM) stopped or modified Defender
- !Defender disable event is followed by new service installation (7045) or a scheduled task (4698)
MITRE ATT&CK
T1562.001 · Disable or Modify Tools
Defense Evasion
Security Relevance
Antivirus and EDR tools are the last line of defense before malware executes. Attackers disable them specifically to allow malicious code to run undetected. This technique appears in nearly every ransomware playbook and most APT intrusions. A Defender service stop or tamper-protection bypass followed by silence in the Defender Operational log is a strong signal that an attack is underway. The absence of detections is itself a detection when it follows a known disable event.
Indicators of Malicious Use
- ⚑Event ID 7036: WinDefend service enters the stopped state with no 7036 "running" event within seconds. On current Windows 10/11 builds a plain sc stop WinDefend from an administrator console is normally refused with "Access is denied", so a stop that actually succeeded implies more than local admin rights (SYSTEM or TrustedInstaller context, Safe Mode) or a legitimate third-party AV registration.
- ⚑Event ID 7034: the Defender service terminated unexpectedly, meaning the engine process (MsMpEng.exe) was killed or crashed rather than stopped cleanly. Event ID 4689 (process exit, only present when Audit Process Termination is enabled) for MsMpEng.exe with no subsequent 7036 "running" event tells the same story.
- ⚑Event ID 4657: Registry value modified at HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1, the policy-based kill switch. Defender on client builds with platform 4.18.2007.8 or later ignores this value (and always ignores it while Tamper Protection is on), so on those hosts it shows intent more than effect; it is still a tamper artefact worth alerting on.
- ⚑Event ID 4657: DisableRealtimeMonitoring = 1 under HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection or its policy twin HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, which disables real-time scanning. The non-policy key is owned by Defender and normally refuses writes from administrators, so a successful write there points to SYSTEM/TrustedInstaller-level access; the Policies key is writable by any local admin and is where attackers usually go.
- ⚑Event ID 4688: PowerShell or cmd.exe launched with command lines such as Set-MpPreference -DisableRealtimeMonitoring $true, sc stop WinDefend or net stop WinDefend. The command line is only recorded when "Include command line in process creation events" is enabled; without it you see powershell.exe starting and nothing more, and must fall back to PowerShell script block logging (Event ID 4104).
- ⚑Sudden silence in the Defender Operational log on a host that previously reported regularly: no 1000/1001 scan events, no 2000 signature updates and no 1150 health reports after the stop. Do not use 1116/1117 as the heartbeat; those are detections, and a clean host produces none.
- ⚑Tamper Protection holding: when it is on, attempts to change Defender settings through the registry, Set-MpPreference or a management tool are refused, and Defender records each refusal as Event ID 5013 (Tamper protection blocked a change) in its Operational log. A burst of 5013 events is an attacker probing for the off switch even if nothing was changed.
Example Log Entry
Log Name: System
Source: Service Control Manager
Event ID: 7036
Level: Information
The Windows Defender Antivirus Service service entered the stopped state.
[No subsequent 7036 "running" event for WinDefend]

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Event ID: 4657
Level: Information
A registry value was modified.
Subject:
  Account Name: CORP\j.smith
  Logon ID: 0x4A3F1
Object Name: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Object Value Name: DisableAntiSpyware
Old Value: (value not set)
New Value Type: REG_DWORD
New Value: 0x00000001
Investigation Steps
- 1.Confirm the service stop is unexpected — check whether a planned Defender update or system maintenance was scheduled at the same time.
- 2.Check Event ID 4688 (process creation) around the time of the stop — look for sc.exe stop WinDefend, Set-MpPreference commands, or third-party AV installer activity.
- 3.Check the account that modified the registry (4657 Subject field) — SYSTEM or a known management account is expected; a user account is suspicious.
- 4.Check whether Tamper Protection was previously enabled — if it was and is now bypassed, the attacker had admin rights and specifically worked to disable it.
- 5.Review the Defender Operational log (Microsoft-Windows-Windows Defender/Operational) for what happened just before the stop: the last 1116/1117 detections may show the tool the attacker was trying to run, and 5001 (real-time protection disabled) or 5013 (tamper protection blocked a change) events document the tampering attempt itself.
- 6.Check for subsequent malicious activity: process creation of unusual binaries, new services (7045), scheduled tasks (4698), or lateral movement events after the disable timestamp.
- 7.Look for Event ID 4624 (logon) events just before the disable — identify what session was active and where it came from.
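The seven steps above, carried out from an elevated PowerShell prompt on the suspect host. This is an added example written for this guide, not tooling from the original page: it pairs each 7036 "stopped" (or 7034) event with any 7036 "running" event inside a grace window, which also absorbs the Windows Update false positive, then pulls the 4688 and 4657 records around each unexplained stop, the host's current Defender posture, and the relevant Defender Operational events. The 60-second grace window, the 5-minute correlation window and the 72-hour lookback are assumptions to tune for your environment.

```powershell
# Added example, not from the original guide. Triage a host for an unexplained
# WinDefend stop: pair SCM stop/restart events, pull the 4688/4657 records around
# each unexplained stop, dump current Defender posture and list the relevant
# Defender Operational events. Assumes an elevated Windows PowerShell 5.1 or
# PowerShell 7 session on the suspect host; the grace, correlation and lookback
# windows are illustrative defaults, not values the guide prescribes.
param(
    [int]$RestartGraceSeconds = 60,   # a 'running' event inside this window is update/installer churn
    [int]$CorrelationMinutes  = 5,
    [int]$LookbackHours       = 72
)
$since = (Get-Date).AddHours(-$LookbackHours)

# 1. SCM 7036 (state change) and 7034 (unexpected termination). For both, param1
#    (Properties[0]) is the service display name; for 7036, param2 (Properties[1])
#    is the new state. The display name is 'Windows Defender Antivirus Service' or
#    'Microsoft Defender Antivirus Service' depending on build.
$scm = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7034, 7036; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -match 'Defender (Antivirus )?Service$' } |
    Sort-Object TimeCreated

$suspectStops = foreach ($evt in $scm) {
    if ($evt.Id -eq 7036 -and $evt.Properties[1].Value -ne 'stopped') { continue }
    $restarted = $scm | Where-Object {
        $_.Id -eq 7036 -and $_.Properties[1].Value -eq 'running' -and
        $_.TimeCreated -gt $evt.TimeCreated -and
        ($_.TimeCreated - $evt.TimeCreated).TotalSeconds -le $RestartGraceSeconds
    }
    if (-not $restarted) { $evt }    # no prompt restart: this one needs a human
}

# 2. Correlate with Security 4688 (process creation) and 4657 (registry value
#    change) around each suspect stop. Both depend on audit policy: 4688 carries
#    the command line only with "Include command line in process creation
#    events"; 4657 needs Audit Registry and a SACL on the Defender keys.
#    Properties[1]/[2] are SubjectUserName/SubjectDomainName in both; 4688 keeps
#    the command line at [8], 4657 the value name at [5] and new data at [11].
foreach ($stop in $suspectStops) {
    "`n=== Defender service stop at $($stop.TimeCreated) (Event $($stop.Id)), no restart within $RestartGraceSeconds s ==="
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'; Id = 4688, 4657
        StartTime = $stop.TimeCreated.AddMinutes(-$CorrelationMinutes)
        EndTime   = $stop.TimeCreated.AddMinutes($CorrelationMinutes)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'WinDefend|MpPreference|Windows Defender|MsMpEng' } |
    ForEach-Object {
        $p = $_.Properties
        $detail = if ($_.Id -eq 4688) { $p[8].Value } else { "$($p[5].Value) -> $($p[11].Value)" }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Subject = "$($p[2].Value)\$($p[1].Value)"   # anything other than SYSTEM or a known admin is suspicious
            Detail  = $detail
        }
    } | Format-Table -AutoSize
}

# 3. Current posture from Defender's built-in module. IsTamperProtected comes
#    from Get-MpComputerStatus; the policy kill switch lives under HKLM\SOFTWARE\Policies.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
[pscustomobject]@{
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    IsTamperProtected         = $status.IsTamperProtected
    DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
    DisableAntiSpywarePolicy  = $policy.DisableAntiSpyware
    ExclusionPaths            = ($pref.ExclusionPath -join '; ')   # exclusions are another tamper vector
} | Format-List

# 4. Defender Operational log. 5001 = real-time protection disabled, 5010/5012 =
#    scanning disabled, 5013 = tamper protection blocked a change; 1000/1001
#    (scan start/finish) and 2000 (signature update) are the routine heartbeat
#    whose absence after the stop is itself a signal; 1116/1117 are detections.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id = 5001, 5010, 5012, 5013, 1000, 1001, 2000, 1116, 1117; StartTime = $since
} -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 25 -Property TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split '\r?\n')[0] } } |
    Format-Table -AutoSize
```

Run it as `.\Triage-DefenderStop.ps1 -RestartGraceSeconds 30` if your environment matches the shorter Windows Update restart window listed under false positives. An empty "suspect stops" section with a healthy posture block means the 7036 was churn; a suspect stop whose 4688/4657 table is empty most often means the audit policy was never enabled, not that nothing happened, so check auditpol before closing the case.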
Common False Positives
- ◎Windows Update — Defender updates occasionally stop and restart the service briefly. This generates 7036 stopped then 7036 running in quick succession, typically within 30 seconds.
- ◎Third-party AV installation — installing another antivirus product will stop and disable Defender. This is expected when Defender is being replaced, but should match a documented change.
- ◎Group Policy / Intune management — enterprise environments sometimes intentionally disable Defender via policy in favour of a third-party endpoint solution. Look for corresponding GPO application events.
- ◎SCCM software deployments — some enterprise software installers temporarily disable AV during installation. These are typically brief and followed by a re-enable.
- ◎Security testing tools — some vulnerability scanners and EDR validation tools test whether Defender can be disabled. Verify against your scheduled testing windows.
Remediation
- ✓Enable Tamper Protection through the Windows Security app, Intune or Defender for Endpoint (it cannot be turned on with Set-MpPreference). It blocks changes to Defender settings even by local admins and logs each refused attempt as Event ID 5013 in the Defender Operational log.
- ✓Re-enable Defender immediately if it was disabled without authorization: Set-MpPreference -DisableRealtimeMonitoring $false or restart the WinDefend service.
- ✓Audit the account that disabled Defender — investigate its recent logon history, processes run, and lateral movement indicators.
- ✓Deploy Defender for Endpoint (MDE) or another EDR solution that sends telemetry to a cloud backend — local disable no longer eliminates your visibility.
- ✓Alert on 7036 for WinDefend entering stopped state in your SIEM — this should page an analyst immediately outside of maintenance windows.
- ✓Restrict who can modify Defender registry keys and make attempts visible: enable the Object Access > Registry audit subcategory, apply a SACL to HKLM\SOFTWARE\Policies\Microsoft\Windows Defender (and its subkeys) and alert on the resulting 4657 events. Without both the subcategory and the SACL, 4657 is never written.
- ✓Assume compromise and conduct a full investigation if Defender was disabled and no legitimate reason is found — treat any activity after the disable timestamp as potentially malicious.
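A remediation script for the re-enable and SACL items above, again an added example and not tooling from the original page: it clears the policy kill switch, turns real-time protection back on, and configures the Registry audit subcategory plus a SACL on the Defender policy key so that later writes produce 4657. It assumes an elevated session; the audit scope (Everyone, success and failure, inheriting to subkeys) is a choice made here, not a page requirement. Tamper Protection is deliberately not touched because it cannot be enabled from PowerShell.

```powershell
# Added example, not from the original guide. Re-establish protection on a host
# after an unauthorised disable and wire up the auditing that 4657-based
# detection depends on. Run elevated: Set-Acl on audit entries needs
# SeSecurityPrivilege. The key path is the policy key named in the guide; the
# audit scope (Everyone, Success and Failure, inherited by subkeys) is an assumption.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$rtpKey    = Join-Path $policyKey 'Real-Time Protection'

# 1. Remove the policy kill switches if present. Current client builds ignore
#    DisableAntiSpyware while Tamper Protection is on, but the value is still a
#    tamper artefact and must not be left behind for the next reboot.
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableAntiSpyware -eq 1) {
    Remove-ItemProperty -Path $policyKey -Name DisableAntiSpyware
}
if (Test-Path $rtpKey) {
    Remove-ItemProperty -Path $rtpKey -Name DisableRealtimeMonitoring -ErrorAction SilentlyContinue
}

# 2. Turn real-time protection back on and make sure the service is running.
#    Tamper Protection itself is set in the Windows Security app or pushed by
#    Intune / Defender for Endpoint; there is no cmdlet for it.
Set-MpPreference -DisableRealtimeMonitoring $false
if ((Get-Service -Name WinDefend).Status -ne 'Running') { Start-Service -Name WinDefend }

# 3. Make future writes to the policy key produce Security 4657. Two things are
#    required: the Object Access > Registry subcategory, and a SACL on the key.
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }

$acl  = Get-Acl -Path $policyKey -Audit
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
    [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0'),          # Everyone
    [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,     # also covers Real-Time Protection subkey
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'             # log blocked attempts as well
)
$acl.AddAuditRule($rule)
Set-Acl -Path $policyKey -AclObject $acl

# 4. Verify the outcome: protection state and the SACL that was just written.
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected
(Get-Acl -Path $policyKey -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags, AuditFlags -AutoSize
```

After this runs, a test write such as `Set-ItemProperty $policyKey -Name DisableAntiSpyware -Value 1` from an admin prompt should produce a 4657 in the Security log (and a 5013 in the Defender Operational log if Tamper Protection is on); if it does not, auditpol has been overridden by a GPO that sets Object Access auditing explicitly, which is the next thing to fix.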