[Bug]: Disable Defender Antivirus Azure data collection does not delete MpAzSubmit.dll #478

Open
jarelllama opened this issue Dec 20, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@jarelllama

Description

After running Disable Defender Antivirus Azure data collection, MpAzSubmit.dll is still present:

Console:

--- Disable Defender Antivirus Azure data collection
Running as NT SERVICE\TrustedInstaller
Invoke-AsTrustedInstaller : Failed, due to exit code: 1.
At line:1 char:4877
+ ... dCount) items."'+"`r`n"+'}'+"`r`n"+''; Invoke-AsTrustedInstaller $cmd
+                                            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-AsTrustedInstaller

Searching for items matching pattern: "C:\Program Files\Windows Defender\MpAzSubmit.dll".
Initiating processing of 1 items from "C:\Program Files\Windows Defender\MpAzSubmit.dll".
Processing file: "C:\Program Files\Windows Defender\MpAzSubmit.dll".
powershell.exe : C:\Users\<redacted>\AppData\Local\Temp\tmp4A33.ps1 : Failed to rename "C:\Program Files\Windows
Defender\MpAzSubmit.dll" to
At line:1 char:1
+ powershell.exe -ExecutionPolicy Bypass -File 'C:\Users\<redacted>\AppData\Loca ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (C:\Users\\<redacted>\AppD...Submit.dll" to :String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

"C:\Program Files\Windows Defender\MpAzSubmit.dll.OLD": Access to the path is denied.
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,tmp4A33.ps1

WARNING: Failed to process 1 items.

How can the bug be recreated?

.

Operating system

No response

Script file

No response

Screenshots

No response

Additional information

No response

@jarelllama jarelllama added the bug Something isn't working label Dec 20, 2024
@undergroundwires
Owner

This worked when I tested on Windows 10 Pro (22H2) and Windows 11 Pro (21H2).
Can you share:

  1. Windows major version
  2. Defender version (you can run Get-MpComputerStatus in PowerShell and share the AMProductVersion value)

Interesting to see that even TrustedInstaller is not enough to make the changes.
I will test this more when I can re-create an environment with your version.

@jarelllama
Author

Windows: Version 10.0.22631 Build 22631
Defender: 4.18.24090.11

@jarelllama
Author

Let me know if I can help
