mandiant / flare-vm

A collection of software installation scripts for Windows systems that allows you to easily set up and maintain a reverse engineering environment on a VM.
Apache License 2.0
6.56k stars 917 forks

Can't Disable Windows Defender & Install-Reinstall Loop #308

Closed shadowfox003 closed 1 year ago

shadowfox003 commented 4 years ago

I am attempting to create the FLARE VM, but I am running into two issues: disabling Windows Defender, and the VM being in a constant loop to install/reinstall all the programs. Some programs are unable to install, such as yara-python and mkyara. I have done both the automatic install and the manual install as described in the steps. I can successfully disable Windows Update, but not Windows Defender. For some reason I am not given the option to "stop" or "disable" anything Windows Defender related. I have gone into my virus protection settings and disabled the settings there, except "tamper protection", because it's not an available option. Any help is appreciated. Thank you! I am using the Windows 10 VM from https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/, as it's my only option.

OzTintin commented 4 years ago

Having the same problem as @shadowfox003 while running the initial .\install.ps1. Then the computer goes into a reboot loop. Tried on 2 different computers (one Win 10 v2004 and one Win 10 v1909); both are in a workgroup. I am running the script on my own computers (i.e. not in a VM).

Here are the errors (note: GitHub was reformatting the "+" character into "•"; restored here):

```text
Stop-Service : Service 'Windows Defender Antivirus Service (WinDefend)' cannot be stopped due to the following error: Cannot open WinDefend service on computer '.'.
At C:\Temp\flare-vm-master\install.ps1:302 char:27
+ Get-Service WinDefend | Stop-Service -Force
+
    + CategoryInfo          : CloseError: (System.ServiceProcess.ServiceController:ServiceController) [Stop-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStopService,Microsoft.PowerShell.Commands.StopServiceCommand

Set-ItemProperty : Attempted to perform an unauthorized operation.
At C:\Temp\flare-vm-master\install.ps1:303 char:3
+ Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\services\Win ...
+
    + CategoryInfo          : PermissionDenied: (Start:String) [Set-ItemProperty], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetItemPropertyCommand

Set-MpPreference : A general error occurred that is not covered by a more specific error code.
At C:\Temp\flare-vm-master\install.ps1:316 char:5
+ Set-MpPreference -DisableIntrusionPreventionSystem $true -Disable ...
+
    + CategoryInfo          : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Set-MpPreference], CimException
    + FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference

Set-MpPreference : A general error occurred that is not covered by a more specific error code.
At C:\Temp\flare-vm-master\install.ps1:316 char:5
+ Set-MpPreference -DisableIntrusionPreventionSystem $true -Disable ...
+
    + CategoryInfo          : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Set-MpPreference], CimException
    + FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference

Set-MpPreference : A general error occurred that is not covered by a more specific error code.
At C:\Temp\flare-vm-master\install.ps1:316 char:5
+ Set-MpPreference -DisableIntrusionPreventionSystem $true -Disable ...
+
    + CategoryInfo          : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Set-MpPreference], CimException
    + FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference

Set-MpPreference : A general error occurred that is not covered by a more specific error code.
At C:\Temp\flare-vm-master\install.ps1:316 char:5
+ Set-MpPreference -DisableIntrusionPreventionSystem $true -Disable ...
+
    + CategoryInfo          : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Set-MpPreference], CimException
    + FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference

Set-MpPreference : A general error occurred that is not covered by a more specific error code.
At C:\Temp\flare-vm-master\install.ps1:316 char:5
+ Set-MpPreference -DisableIntrusionPreventionSystem $true -Disable ...
+
    + CategoryInfo          : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Set-MpPreference], CimException
    + FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference

Set-MpPreference : A general error occurred that is not covered by a more specific error code.
At C:\Temp\flare-vm-master\install.ps1:316 char:5
+ Set-MpPreference -DisableIntrusionPreventionSystem $true -Disable ...
+
    + CategoryInfo          : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Set-MpPreference], CimException
    + FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference

Set-MpPreference : A general error occurred that is not covered by a more specific error code.
At C:\Temp\flare-vm-master\install.ps1:316 char:5
+ Set-MpPreference -DisableIntrusionPreventionSystem $true -Disable ...
+
    + CategoryInfo          : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Set-MpPreference], CimException
    + FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference

[etc...]
```

Any suggestions?

shadowfox003 commented 4 years ago

@OzTintin After several attempts I decided to try installing the VM on VirtualBox rather than VMware. During the time that I was installing FLARE VM I noticed that the program was not installing Wireshark. So I installed Wireshark manually on the VM, and after 9 hours the FLARE VM was finally installed. I'm not sure what the issue was or if this will work for you, but I hope this helps you. Good luck!

MalwareMechanic commented 4 years ago

@OzTintin I'd definitely recommend installing on a VM. But this is interesting. We test mainly on Win7, so there might be some issues with Win10. Did you make sure to use an admin prompt?

I think in Windows 10 you'll need to disable tamper protection before running the installation script so it can modify some of the system settings. Let me know if any of that helps.

OzTintin commented 4 years ago

@MalwareMechanic @shadowfox003 thanks for the feedback, I will try again, this time in a Win 7 VM in VirtualBox ... but in a little while, as I'm busy with other projects right now.

RachelVB commented 4 years ago

Hey @shadowfox003 @MalwareMechanic @OzTintin

Here is the solution I mentioned in another thread here.

Hope this helps!

MohamedEl-Hadidi commented 4 years ago

Hi @shadowfox003,

  1. After installing the Windows 10 VM, ensure that the machine is up to date with the latest updates.
  2. Then ensure that you have disabled Windows Defender permanently (real-time protection and the other components).
  3. Then disable all exploit prevention checks (ASLR and others).
  4. Then restart your machine.
  5. Then follow the installation steps normally. Note: the machine will restart multiple times and proceed with the installation after each restart; the estimated installation time was 2-3 hours.

Hopefully these steps solve your issue.
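Steps 2 and 3 above are exactly the part of install.ps1 that failed in the logs posted earlier in this thread (Set-MpPreference returning HRESULT 0x800106ba, which Defender reports when its service cannot be reached, and Stop-Service being refused on WinDefend). The script below is an added pre-flight check for those two steps; it is not part of FLARE VM's install.ps1 and not written by anyone in this thread. It assumes a Windows 10 build whose Defender module exposes Get-MpComputerStatus with an IsTamperProtected property and Set-ProcessMitigation (both present on 1903+ in my experience, but treat the property name as an assumption), and that it is run from an elevated prompt. Unlike install.ps1 it reads the settings back after writing them, so a silent rollback by tamper protection is reported instead of turning into a reboot loop later.

```powershell
# Added pre-flight check for steps 2 and 3 above. Not part of FLARE VM's install.ps1.
# Assumptions (not from the thread): Windows 10 with the Defender cmdlets
# (Get-MpComputerStatus, Set-MpPreference, Get/Set-ProcessMitigation) and an
# elevated PowerShell prompt.
#Requires -RunAsAdministrator

function Test-DefenderReady {
    # Returns $true when Defender can actually be reconfigured from PowerShell.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        # Get-MpComputerStatus throws when the WinDefend service is unreachable,
        # the same condition that makes Set-MpPreference fail with 0x800106ba.
        Write-Warning "Cannot talk to the Defender service: $($_.Exception.Message)"
        return $false
    }

    # Assumption: IsTamperProtected is the property name on this build.
    if ($status.IsTamperProtected) {
        Write-Warning "Tamper Protection is ON. Set-MpPreference and the policy keys are ignored " +
                      "until you turn it off in Windows Security > Virus & threat protection > Manage settings."
        return $false
    }
    return $true
}

function Disable-DefenderForLab {
    # Step 2: turn off the runtime components through the supported cmdlet, then
    # write the policy values that persist across the reboots install.ps1 triggers.
    Set-MpPreference -DisableRealtimeMonitoring $true `
                     -DisableBehaviorMonitoring $true `
                     -DisableIOAVProtection $true `
                     -DisableScriptScanning $true `
                     -MAPSReporting Disabled `
                     -SubmitSamplesConsent NeverSend

    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    New-Item -Path "$pol\Real-Time Protection" -Force | Out-Null
    Set-ItemProperty -Path $pol -Name DisableAntiSpyware -Value 1 -Type DWord
    Set-ItemProperty -Path "$pol\Real-Time Protection" -Name DisableRealtimeMonitoring -Value 1 -Type DWord

    # Read-back check: install.ps1 never does this, so a change that Defender
    # quietly reverted goes unnoticed until the VM starts looping.
    return [bool](Get-MpPreference).DisableRealtimeMonitoring
}

function Disable-ExploitProtectionForLab {
    # Step 3: clear the system-wide exploit-protection defaults (ASLR variants,
    # SEHOP, CFG). On an analysis VM this is deliberate: they would otherwise
    # change how the samples under study behave. Never do this on a host you care about.
    Set-ProcessMitigation -System -Disable ForceRelocateImages, BottomUp, HighEntropy, SEHOP, CFG

    # Assumption: Get-ProcessMitigation -System exposes ASLR.ForceRelocateImages
    # with the string 'OFF' once disabled.
    $m = Get-ProcessMitigation -System
    return ("$($m.ASLR.ForceRelocateImages)" -eq 'OFF')
}

if (Test-DefenderReady) {
    $rtOff  = Disable-DefenderForLab
    $epOff  = Disable-ExploitProtectionForLab
    if ($rtOff -and $epOff) {
        Write-Host "Defender and exploit protection are off. Step 4: Restart-Computer, then run install.ps1 from an admin prompt."
    } else {
        Write-Warning "Real-time monitoring off: $rtOff; exploit protection off: $epOff. Fix these before running install.ps1."
    }
}
```

Run it once, reboot (step 4), then run it a second time: if Test-DefenderReady or the read-back checks flip back to $true after the reboot, something (tamper protection, a management agent, or a pending Windows Update) is re-enabling Defender, and that is what install.ps1 keeps tripping over on every restart.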
johnsmith1232541 commented 4 years ago

@MohamedEl-Hadidi Having the same problem as OP and I tried your steps. Disabled absolutely everything, ran the installer again but it continues to give the same error. Tried it on both build 1909 and 2004.

rfkaseIII commented 4 years ago

I have the same issue here. Win 10-2004 VM. Install script continues to run over and over again. Constant reboots.

martinlabarthe commented 3 years ago

Hello, I do not understand exactly what you are doing, but now it is going to be much harder to disable Windows Defender.

To do that you will need to use a 3rd party tool like Windows Defender Controller. It's free, but the only way I found to disable Defender permanently; they have even more cool stuff on their site.

The problem with all Defender versions in Windows Vista and above is that it's integrated into the operating system and installs by default with no visible or hidden option to uninstall. Many people are looking for ways to disable or remove it from their system as they prefer to use other software. For example, on Windows 8 and 10 you cannot turn off Windows Defender completely anymore. A click on Settings in Windows Defender opens the control panel for the program in the new Windows Settings application. You can turn the program's real-time protection off temporarily, but if it's off for a while Windows will turn it back on automatically. It is unclear why Microsoft made the decision to change the behavior of Windows Defender in this regard. What is certain however is that it will annoy users who want to disable it permanently on the computer they are working on. Defender Control is a small portable freeware which will allow you to disable Windows Defender in Windows 10 completely.

download page: https://www.sordum.org/9480/defender-control-v1-6/

tutorial: https://youtu.be/kD-h4UIfl1I https://youtu.be/o8eWWvZU-nQ

vm-packages commented 1 year ago

Thank you for your feedback! We've been working on major updates to FLARE VM over the last year. The now revamped FLARE VM has just been released and will make the project more open and maintainable. Please check out our blog post at https://www.mandiant.com/resources/blog/flarevm-open-to-public and give the new installation a try.

If this problem still persists with the new installation, please report:

Please note that we use this message to close all legacy issues in this repository. We look forward to your feedback and support for the next generation of FLARE VM.