Windows Defender - Add exclusion folder programmatically

Question

I was checking out different keyloggers for research purposes and stumbled upon Refog:

https://www.refog.com/keylogger/

This program could catch a lot of system events, but what really caught my attention was something else. The program created a hidden folder called Mpk, path C:\Windows\SysWOW64\Mpk. It was marked as an operating system files folder, because it was not visible until I unmarked Hide protected operating system files (recommended). This, I guess, can be done via the attrib command like this attrib +s +h "C:\Windows\SysWOW64\Mpk" so nothing revolutionary.

However they also added an exclusion to Windows Defender for this folder. How can they do this programmatically? I'm running Windows 10 Pro x64.

Answer 1

Just thought that I would post this as it did take me a few seconds to figure out how to do this in C# but here is the code that is working for me:

        var elevated = new ProcessStartInfo("powershell")
        {
            UseShellExecute = false,
            CreateNoWindow = true,
            Verb = "runas",
            Arguments = " -Command Add-MpPreference -ExclusionPath '" + directory + "'"
        };
        Process.Start(elevated);

Answer 2

Run in elevated shell (search cmd in Start menu and hit Ctrl+Shift+Enter).

powershell -Command Add-MpPreference -ExclusionPath "C:\tmp"
powershell -Command Add-MpPreference -ExclusionProcess "java.exe"
powershell -Command Add-MpPreference -ExclusionExtension ".java"

powershell -Command Remove-MpPreference -ExclusionExtension ".java"

• Add an exclusion to Windows Security
• Modifies settings for Windows Defender from PowerShell
• Removes exclusions or default actions

Answer 3

Go to powershell

Add-MpPreference -ExclusionPath "C:\Temp"

Reference: https://learn.microsoft.com/en-us/powershell/module/defender/add-mppreference?view=win10-ps

Answer 4

The easiest way to do this is using PowerShell from CMD with elevated privileges (like balrob's answer), but you can also use the PowerShell environment variables to make your life easier; for example:

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $ENV:USERPROFILE\Downloads

which will add current user's Downloads folder, eg. C:\Users\Susana\Downloads.

To get the list of environment variables provided by PowerShell, you can use this PowerShell command:

Get-ChildItem Env: | Sort Name

As you can see, there is the windir variable. They could use that in addition with the subfolders you mentioned.

Answer 5

The correct way to do this is using the Add-MpPreference PowerShell cmdlet. Use this cmdlet to add exclusions for file name extensions, paths, and processes, and to add default actions for high, moderate, and low threats.

You can easily perform this from the elevated cmd shell in Windows 10 using the following command line:

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Windows\SysWOW64\Mpk"

Answer 6

After some digging I found the following folder:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

I cannot add a key there with my user. I get the following error: Cannot create key: You do not have the requisite permissions to create a new key under Paths

However SYSTEM, WinDefend and TrustedInstaller all have Full Control. The best guess is that they have used something like DevxExec devxexec.exe /user:TrustedInstaller cmd and written the key to the registry.