Windows Defender Submit Sample Feature Disabled

 1title: Windows Defender Submit Sample Feature Disabled
 2id: 91903aba-1088-42ee-b680-d6d94fe002b0
 3related:
 4    - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
 5      type: similar
 6    - id: a3ab73f1-bd46-4319-8f06-4b20d0617886
 7      type: similar
 8    - id: 801bd44f-ceed-4eb6-887c-11544633c0aa
 9      type: similar
10status: stable
11description: Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.
12references:
13    - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
14    - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
15author: Nasreddine Bencherchali (Nextron Systems)
16date: 2022/12/06
17tags:
18    - attack.defense_evasion
19    - attack.t1562.001
20logsource:
21    product: windows
22    service: windefend
23detection:
24    selection:
25        EventID: 5007 # The antimalware platform configuration changed.
26        NewValue|contains: '\Real-Time Protection\SubmitSamplesConsent = 0x0'
27    condition: selection
28falsepositives:
29    - Administrator activity (must be investigated)
30level: low

References

• Microsoft Defender Antivirus event IDs and error codes - Microsoft Defender for Endpoint

  

  Look up the causes and solutions for Microsoft Defender Antivirus event IDs and errors.

  
  Read More

• Disable Windows Defender in powershell – a script to finally get rid of it

  

  I finally wrote a PowerShell script to disable Windows Defender entirely, permanently, without any prior configuration or user interaction.

  
  Read More

Related rules

• Windows Defender Configuration Changes
• Windows Defender Exclusions Added
• Windows Defender Exploit Guard Tamper
• Windows Defender Grace Period Expired
• Windows Defender Malware And PUA Scanning Disabled