Stop Windows Defender deleting a legit VB script

2

I have written a little script that will automate downloading and running a program; however, when invoking the script from the command line, Windows Defender will enter the scene, warning the user that malware is detected, disabling and deleting the script!

How can I stop Windows Defender deleting this script?

Code:

strFileURL = WScript.Arguments.Item(0) 'download url
strHDLocation = WScript.Arguments.Item(1) 'path to exe

Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")

objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()

If objXMLHTTP.Status = 200 Then
  Set objADOStream = CreateObject("ADODB.Stream")
  objADOStream.Open
  objADOStream.Type = 1 'adTypeBinary

  objADOStream.Write objXMLHTTP.ResponseBody
  objADOStream.Position = 0    'Set the stream position to the start

  Set objFSO = Createobject("Scripting.FileSystemObject")
    If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
  Set objFSO = Nothing

  objADOStream.SaveToFile strHDLocation
  objADOStream.Close
  Set objADOStream = Nothing
End if

Set objXMLHTTP = Nothing

Set WshShell = WScript.CreateObject("WScript.Shell") 
WshShell.Run WScript.Arguments.Item(1)
WshShell.SendKeys "{ENTER}" 'send Enter to the launched program

Riccardo

Posted 2015-07-03T09:02:36.277

Reputation: 425

3 Have you tried to exclude your script file from checking in Defender options? – Nafscript – 2015-07-03T09:49:39.980

Yes, but it ignores the whitelisted file – Riccardo – 2015-07-03T15:20:41.027

Had to delete previous comment. Once realtime protection is restarted it will delete the offending file although whitelisted – Riccardo – 2015-07-03T15:50:55.023

Install an AV that is more configurable, every new incarnation of Defender has fewer user settings, W10 Defender is even worse than W8. – Moab – 2015-07-03T16:47:12.763

Answers

1

The quick and dirty solution:

Split the script in two. One script for the download, one for the execution. Not very elegant, but effective. This way Windows Defender is fooled.

Riccardo

Posted 2015-07-03T09:02:36.277

Reputation: 425
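An added illustration (not part of the original answer, and not Windows Defender's actual detection logic): a toy static heuristic showing why a rule that judges each file on its own loses the download-write-launch combination once the script is split, and how correlating scripts deployed together restores the detection. The capability patterns, function names and sample scripts are constructed assumptions.

```python
import re

# Illustrative capability patterns (assumptions, not real Defender signatures).
CAPABILITIES = {
    "http_download": re.compile(r"MSXML2\.(ServerXMLHTTP|XMLHTTP)|WinHttp\.WinHttpRequest", re.I),
    "binary_write": re.compile(r"ADODB\.Stream[\s\S]*\.SaveToFile", re.I),
    "process_launch": re.compile(r"WScript\.Shell[\s\S]*\.(Run|Exec)\b", re.I),
}
DROPPER_SHAPE = {"http_download", "binary_write", "process_launch"}

def capabilities(source):
    """Return the names of all capability patterns found in the script text."""
    return {name for name, rx in CAPABILITIES.items() if rx.search(source)}

def is_dropper(caps):
    """Download + write-to-disk + launch together is the shape being flagged."""
    return DROPPER_SHAPE <= caps

def scan_per_file(scripts):
    """Judge every file in isolation: {filename: flagged?}."""
    return {name: is_dropper(capabilities(src)) for name, src in scripts.items()}

def scan_correlated(scripts):
    """Judge the union of capabilities of scripts that are deployed together."""
    combined = set()
    for src in scripts.values():
        combined |= capabilities(src)
    return is_dropper(combined)

# Constructed samples modelled on the script in the question.
DOWNLOAD_PART = '''
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.SaveToFile strHDLocation
'''
RUN_PART = '''
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run WScript.Arguments.Item(0)
'''
SINGLE = {"fetch_and_run.vbs": DOWNLOAD_PART + RUN_PART}
SPLIT = {"fetch.vbs": DOWNLOAD_PART, "run.vbs": RUN_PART}

if __name__ == "__main__":
    print("per-file, single script:", scan_per_file(SINGLE))
    print("per-file, split scripts:", scan_per_file(SPLIT))
    print("correlated, split scripts:", scan_correlated(SPLIT))
```

For detection engineering, the takeaway is that file-content rules need to be backed by behavioural correlation (script host fetching a file, then a process starting from that path), since the behaviour is unchanged by how the source is divided.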

1

The next time Windows Defender alerts you about the software, on the Action menu in the Alert dialog box, click Always Allow. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

Source

This may be useful too:

To remove or restore quarantined items

Open Windows Defender by clicking the Start button, clicking All Programs, and then clicking Windows Defender.

Click Tools, and then click Quarantined items.

Review each item, and then for each, click Remove or Restore. If you want to remove all quarantined items from your computer, click Remove All. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

Source

Dave

Posted 2015-07-03T09:02:36.277

Reputation: 24 199

There is no user prompt. Just a beep and a small popup; when clicking on this, it will open the Windows Defender main window (where actually the offending script is whitelisted). See this.

– Riccardo – 2015-07-03T15:23:52.027

Once realtime protection is restarted, it will delete the whitelisted file anyway :-/ – Riccardo – 2015-07-03T15:51:28.103