AveYo / LeanAndMean

snippets for power users
MIT License
239 stars, 37 forks

This was used in a ransomware attack #2

Status: Closed (ParkerSDan closed this issue 2 years ago)

ParkerSDan commented 2 years ago

This script was used in a ransomware attack at a company my brother works for.

Is there a 'reverse' script, one that undoes everything that's been done?

AveYo commented 2 years ago

What? ToggleDefender? It turns off Defender until the script is run again. So run the script again. The script reverts what it did, not what someone else did while Defender was disabled.

It's meant to be used offline while doing intensive tasks like file operations / recording / gaming / authoring / compiling / updating Windows / analyzing malware in a VM. When going back online and installing programs, it should be re-enabled manually, if you're responsible.

And just like any other tool, I guess it can be leveraged by malware. But the script here requires admin rights, and also shows a dialog. And it does not even work anymore when Tamper Protection is enabled, since 2022.02.14.

So make sure you keep your Windows updated, don't disable UAC (or, preferably, use a standard account), and don't run crap when Defender is disabled. Plus, keep Tamper Protection enabled. Better yet, use a proper AV from Bitdefender or ESET.
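The hardening points in the comment above (Defender actually running, Tamper Protection on, UAC not disabled, signatures current) are easy to audit from PowerShell. The following script is an added example for this thread, not part of the LeanAndMean repo or anything posted by its author; it assumes a Windows 10/11 host with the built-in Defender module (`Get-MpComputerStatus`, `Get-MpPreference`) and is meant to be run elevated, for instance from a scheduled task, so that a Defender that was toggled off and never turned back on is noticed instead of silently staying off.

```powershell
# Added example (not from this thread or the LeanAndMean repo): audit the Defender
# protection state that the discussion above recommends keeping enabled.
# Assumes the Defender PowerShell module is present; run elevated for complete results.

function Get-DefenderAuditResult {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # UAC state lives in the well-known EnableLUA policy value (1 = enabled).
    $lua = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
            -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA

    # One row per check: what was checked, whether it is in the protected state, and the source property.
    $checks = @(
        [pscustomobject]@{ Check = 'Antivirus engine enabled';      Ok = [bool]$status.AntivirusEnabled;           Source = 'AntivirusEnabled' }
        [pscustomobject]@{ Check = 'Real-time protection on';       Ok = [bool]$status.RealTimeProtectionEnabled;  Source = 'RealTimeProtectionEnabled' }
        [pscustomobject]@{ Check = 'Real-time monitoring not disabled'; Ok = -not $pref.DisableRealtimeMonitoring; Source = 'DisableRealtimeMonitoring' }
        [pscustomobject]@{ Check = 'Tamper Protection on';          Ok = [bool]$status.IsTamperProtected;          Source = 'IsTamperProtected' }
        [pscustomobject]@{ Check = 'UAC enabled';                   Ok = ($lua -eq 1);                             Source = 'EnableLUA' }
        [pscustomobject]@{ Check = 'Signatures at most 3 days old'; Ok = ($status.AntivirusSignatureAge -le 3);    Source = "AntivirusSignatureAge=$($status.AntivirusSignatureAge)" }
    )
    return $checks
}

$results = Get-DefenderAuditResult
$results | Format-Table -AutoSize

# Exit non-zero when anything is off so a scheduled task, RMM or SIEM collector can alert on it.
$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning ('Defender is not fully protected: ' + ($failed.Check -join '; '))
    exit 1
}
exit 0
```

The signature-age threshold of 3 days is a constructed value for the example; adjust it to whatever your update cadence tolerates. Because Tamper Protection is what stops scripts like the one discussed here from switching Defender off, the `IsTamperProtected` row is the one most worth alerting on.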

pa-0 commented 2 months ago

Can't Tamper Protection be disabled (temporarily at least) by changing the value for the Group Policy setting DisableLocalAdminMerge to 0 in the registry and then modifying whatever registry keys relate to Defender?