Previously, users were able to kill the native Windows 10 antivirus service temporarily by toggling real-time protection (which later switches back on automatically), or permanently via the registry.
However, with the Windows 10 August 2020 update (version 4.18.2007.8), the setting that allowed users to deactivate Microsoft Defender via the registry has been “discontinued and will be ignored on client devices,” Microsoft explained.
The company originally said the setting was removed because it is not intended for use on consumer devices and is now defunct for IT professionals too, because Defender will automatically turn itself off when another antivirus program is active.
However, Microsoft has now confirmed that security concerns also played a part in the decision.
Windows 10 antivirus
With the release of Windows 10 1903, Microsoft introduced a security feature – called Tamper Protection – that blocks any attempts to tweak Microsoft Defender settings from outside the Windows interface.
However, this security filter could be circumvented by certain malware strains coded to abuse the DisableAntiSpyware registry value. Upon restart, Microsoft Defender would be disabled for a single session, providing a brief window in which hackers could conduct an attack.
Since the change was first announced, Microsoft has confirmed the decision to discontinue DisableAntiSpyware was motivated in part by the need to ensure Tamper Protection is as watertight as possible.
“Tamper Protection is turned on by default for all consumer Windows 10 devices. This feature protects devices from cyber attacks that try to disable built-in security solutions, such as antivirus protection, in an attempt to gain access to your data [or] to install malware,” reads a post on the Windows 10 Message Center.
“As Microsoft Defender automatically turns itself off when it detects another antivirus program, we are removing a legacy registry called DisableAntiSpyware.”
With the ability to disable Microsoft Defender via the registry revoked, malware can no longer exploit the vulnerability in the Tamper Protection system.
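Writes to DisableAntiSpyware remain a useful tamper signal even where the value is now ignored. The sketch below is an added example, not code from Microsoft or the original article: it triages registry-write events shaped like Sysmon Event ID 13 and rates each by whether the host's Defender platform version predates 4.18.2007.8. The policy key path, the `host` and `platform` enrichment fields, and all sample events are assumptions constructed for illustration.

```python
import json
import re

# Assumption: the value lives under Defender's policy key (the article gives no path).
VALUE_RE = re.compile(r"\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware$", re.I)
# Version from which, per the article, the value is ignored on client devices.
IGNORED_FROM = (4, 18, 2007, 8)

# Constructed sample events (JSON lines); "host" and "platform" are hypothetical enrichment fields.
SAMPLE_EVENTS = r"""
{"host": "ws-01", "platform": "4.18.2006.10", "EventID": 13, "Image": "C:\\Temp\\sample.exe", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", "Details": "DWORD (0x00000001)"}
{"host": "ws-02", "platform": "4.18.2007.8", "EventID": 13, "Image": "C:\\Temp\\sample.exe", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", "Details": "DWORD (0x00000001)"}
{"host": "ws-03", "platform": "4.18.2007.8", "EventID": 13, "Image": "C:\\Temp\\sample.exe", "TargetObject": "HKLM\\SOFTWARE\\Example\\Setting", "Details": "DWORD (0x00000001)"}
{"host": "ws-04", "platform": "4.18.2006.10", "EventID": 13, "Image": "C:\\Temp\\sample.exe", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", "Details": "DWORD (0x00000000)"}
"""

def dword_value(details):
    """Parse Sysmon's 'DWORD (0x00000001)' rendering; None if it is not a DWORD."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", details.strip())
    return int(m.group(1), 16) if m else None

def triage(event):
    """Return a finding for a DisableAntiSpyware write, or None if not relevant."""
    if event.get("EventID") != 13 or not VALUE_RE.search(event.get("TargetObject", "")):
        return None
    value = dword_value(event.get("Details", ""))
    if value == 0:
        return None  # an explicit 0 leaves Defender enabled; unparsable data is still flagged
    ignored = tuple(int(p) for p in event["platform"].split(".")) >= IGNORED_FROM
    return {
        "host": event["host"],
        "image": event["Image"],
        "severity": "medium" if ignored else "high",
        "note": "value ignored on this version, tamper attempt" if ignored
                else "Defender may be disabled after restart",
    }

def scan(lines):
    """Triage every non-empty JSON line and collect the findings."""
    findings = []
    for line in lines.splitlines():
        if line.strip():
            finding = triage(json.loads(line))
            if finding:
                findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```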