From 0148385fb58e4633b2a4aa578d072f8b723961b7 Mon Sep 17 00:00:00 2001 From: devanladdu Date: Thu, 4 Jun 2026 14:37:13 -0400 Subject: [PATCH 1/3] Add PowerShell Disable-Defender docs Add a new docs page (docs/powershell/disable-defender.md) documenting a PowerShell script to disable Windows Defender real-time protection when a supported third-party AV (currently SentinelOne) is detected. Includes metadata, requirements, process steps, usage example, supported products table, expected output files, and an initial changelog entry. --- docs/powershell/disable-defender.md | 57 +++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 docs/powershell/disable-defender.md diff --git a/docs/powershell/disable-defender.md b/docs/powershell/disable-defender.md new file mode 100644 index 000000000..3b4841a4d --- /dev/null +++ b/docs/powershell/disable-defender.md 
@@ -0,0 +1,57 @@ +--- +id: 'ps-disable-defender' +slug: /ps-disable-defender +title: 'Disable Defender' +title_meta: 'Disable Defender' +keywords: ['Windows Defender', 'SentinelOne', 'antivirus', 'real-time protection'] +description: 'Disables Windows Defender real-time protection when a supported third-party antivirus service is detected.' +tags: ['security'] +draft: false +unlisted: false +last_update: + date: 2025-06-04 +--- + +## Description + +Disables Windows Defender real-time protection when a supported third-party antivirus service is detected. If Defender is already disabled, no action is taken. + +## Requirements + +- PowerShell 5+ +- Administrative privileges + +## Process + +1. Checks for the presence of a supported third-party antivirus service (currently SentinelOne). +2. If no supported AV service is found, exits without changes. +3. Queries Windows Defender real-time protection status. +4. If Defender is already disabled, exits without changes. +5. Disables Defender real-time protection. + +## Usage + +Checks for SentinelAgent service and disables Defender if it is enabled. + +```powershell +.\Disable-Defender.ps1 +``` + +## Supported Antivirus Products + +| Product | Service Name | +|--------------|----------------| +| SentinelOne | SentinelAgent | + +Additional products can be added to the `$supportedAVServices` array in the script. + +## Output + + .\Disable-Defender-log.txt + .\Disable-Defender-error.txt + +## Changelog + +### 2025-06-04 + +- Initial version of the document From b4e6464ca98a2cc99348aa5ce52c25e1946e1f07 Mon Sep 17 00:00:00 2001 
From: devanladdu Date: Thu, 4 Jun 2026 14:49:59 -0400 Subject: [PATCH 2/3] Use UUID for disable-defender doc frontmatter Update frontmatter in docs/powershell/disable-defender.md: replace the short id/slug ('ps-disable-defender' and '/ps-disable-defender') with a UUID ('3e5e318a-85f8-408f-81fb-509c5afe18c9') and a matching UUID-based slug to standardize document identifiers. --- docs/powershell/disable-defender.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/powershell/disable-defender.md b/docs/powershell/disable-defender.md index 3b4841a4d..739d7658a 100644 --- a/docs/powershell/disable-defender.md +++ b/docs/powershell/disable-defender.md @@ -1,6 +1,6 @@ --- -id: 'ps-disable-defender' -slug: /ps-disable-defender +id: '3e5e318a-85f8-408f-81fb-509c5afe18c9' +slug: /3e5e318a-85f8-408f-81fb-509c5afe18c9 title: 'Disable Defender' title_meta: 'Disable Defender' keywords: ['Windows Defender', 'SentinelOne', 'antivirus', 'real-time protection'] From 926af8c7f88993729b64ad152ab8c0f0e3c33a9e Mon Sep 17 00:00:00 2001 From: Rj98-sh Date: Wed, 10 Jun 2026 10:47:37 -0400 Subject: [PATCH 3/3] Update disable-defender.md Updated document with latest changes --- docs/powershell/disable-defender.md | 73 ++++++++++++++++++++--------- 1 file changed, 50 insertions(+), 23 deletions(-) diff --git a/docs/powershell/disable-defender.md b/docs/powershell/disable-defender.md index 739d7658a..b7042180d 100644 --- a/docs/powershell/disable-defender.md +++ b/docs/powershell/disable-defender.md 
@@ -1,57 +1,84 @@ --- id: '3e5e318a-85f8-408f-81fb-509c5afe18c9' slug: /3e5e318a-85f8-408f-81fb-509c5afe18c9 -title: 'Disable Defender' -title_meta: 'Disable Defender' +title: 'Disable-Defender' +title_meta: 'Disable-Defender' keywords: ['Windows Defender', 'SentinelOne', 'antivirus', 'real-time protection'] description: 'Disables Windows Defender real-time protection when a supported third-party antivirus service is detected.' tags: ['security'] draft: false unlisted: false last_update: - date: 2025-06-04 + date: 2026-06-10 --- ## Description -Disables Windows Defender real-time protection when a supported third-party antivirus service is detected. If Defender is already disabled, no action is taken. +Disables Windows Defender real-time protection only when a supported third-party antivirus service is detected. If no supported service is found, or Defender real-time protection is already disabled, the script exits without making changes. -## Requirements +# Requirements -- PowerShell 5+ -- Administrative privileges +- PowerShell 5.0 or later +- Run as Administrator +- Access to PowerShell Gallery to install or update the `Strapper` module +- Windows Defender cmdlets available (`Get-MpComputerStatus`, `Set-MpPreference`) -## Process +# Process -1. Checks for the presence of a supported third-party antivirus service (currently SentinelOne). -2. If no supported AV service is found, exits without changes. -3. Queries Windows Defender real-time protection status. -4. If Defender is already disabled, exits without changes. -5. Disables Defender real-time protection. +1. Sets TLS policy for secure module and web requests. +2. Ensures the `Strapper` module is installed and up to date, then initializes the Strapper environment. +3. Checks each value passed to `-SupportedAVServices` and looks for a matching Windows service. +4. If no supported AV service is found, logs the result and exits. +5. Reads current Defender real-time protection status. +6. 
If Defender real-time protection is already disabled, logs the result and exits. +7. Uses ShouldProcess support to safely apply Defender changes. +8. Disables Defender real-time protection and logs success or error details. -## Usage +# Payload Usage -Checks for SentinelAgent service and disables Defender if it is enabled. +This script is executed directly and does not use a separate payload file. The `SupportedAVServices` parameter is required. + +Checks for `SentinelAgent` service and disables Defender if it is running and Defender is enabled. + +```powershell +.\Disable-Defender.ps1 -SupportedAVServices 'SentinelAgent' +``` + +Checks for both `SentinelAgent` and `AnotherAVService` services and disables Defender if either is running and Defender is enabled. + +```powershell +.\Disable-Defender.ps1 -SupportedAVServices 'SentinelAgent','AnotherAVService' +``` + +Checks for a non-existent AV service. Defender will not be disabled. ```powershell -.\Disable-Defender.ps1 +.\Disable-Defender.ps1 -SupportedAVServices 'NonExistentAV' ``` -## Supported Antivirus Products +Simulates the process of checking for SentinelAgent and disabling Defender without making any changes. -| Product | Service Name | -|--------------|----------------| -| SentinelOne | SentinelAgent | +```powershell +.\Disable-Defender.ps1 -SupportedAVServices 'SentinelAgent' -WhatIf +``` -Additional products can be added to the `$supportedAVServices` array in the script. +# Parameters -## Output +| Parameter | Alias | Required | Default | Type | Description | +| --------------------- | ----- | -------- | ------- | -------- | ------------------------------------------------------------------------ | +| `SupportedAVServices` | | True | | String[] | One or more antivirus service names to detect before disabling Defender. | +| `WhatIf` | | False | False | Switch | Simulates execution and shows what actions would be taken. | + +# Output + +Location of output for log and error files. 
.\Disable-Defender-log.txt .\Disable-Defender-error.txt + ## Changelog -### 2025-06-04 +### 2026-06-10 - Initial version of the document
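Review bot: In [PATCH 1/3], the frontmatter `last_update.date` and the changelog heading `### 2025-06-04` are a year earlier than the commit date in the header (Thu, 4 Jun 2026); set both to 2026-06-04 so the page's history matches the commit. The Output section also lists `.\Disable-Defender-log.txt` and `.\Disable-Defender-error.txt` as relative paths without saying which directory they are relative to; name the directory so the logs can be found after a remote run.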
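Review bot: In [PATCH 2/3], the `id` and `slug` are replaced one commit after the page is introduced, so the short slug `/ps-disable-defender` exists only in [PATCH 1/3]; fold this change into the first patch, or confirm that nothing links to the short slug before it lands.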
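Review bot: In [PATCH 3/3], the Payload Usage text says Defender is disabled if the service "is running", while Process step 3 only says the script "looks for a matching Windows service" and the Description says "detected"; state in one place whether the service must be in the Running state, because if a stopped or leftover service also counts, the host can end up with no active real-time protection from either product. The Supported Antivirus Products table is removed while `-SupportedAVServices` accepts any `String[]`, so the page no longer records which service names are expected; keep the table or list the accepted values next to the parameter. Process step 2 installs or updates `Strapper` from the PowerShell Gallery in a session that Requirements says runs as Administrator; document the expected module version or how it is pinned. The headings Requirements, Process, Payload Usage, Parameters and Output move from `##` to `#` while Description and Changelog stay at `##`; keep one level. The changelog replaces the `### 2025-06-04` entry with `### 2026-06-10` still labelled "Initial version of the document"; add a new dated entry describing this update instead of redating the first one.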