"Check Real Time protection is enabled" error #4
Comments
|
Hi eXPeri3nc3 - the protectionenabled method check runs initially and passes the text "amsiscanbuffer" (a known trigger) to AMSIScanBuffer. As a test, you could run powershell and see whether that string produces a blocked by your AV message. See attached screenshot. |
|
Hi RhythmStick! I tried, and yes it's being blocked - similar to your screenshot. Would that mean that I need to bypass that first ('AMSIScanBuffer') before I can see other triggers that the ps1 may still have? Or did I misunderstand the error that I need to disable realtime protection before using AMSITrigger?
Also just tried disabling WinDef and I still get the error (I ran it on vanilla Invoke-Mimikatz in a whitelisted directory) |
|
No you didnt misunderstand. The fact that you generated the AV alert when you passed it "AMSIScanbuffer" proves that real time protection is on - which it needs to be. What it doesnt help with is why AMSITrigger thinks that real time protection is switched off, because its effectively doing exactly that. Do you have any exceptions in place maybe for that d:\ drive ? |
|
so for instance, if you run powershell as an admin, |
|
Yes I did add Exclusion path, else the Invoke-Mimikatz would automatically be removed by Defender when I run AMSITrigger
|
|
This is how it looks like: |
|
Sure - my question was more about is there an exclusion for the folder where the AMSITrigger assembly is, rather than the target. |
|
could you try copying invoke-mimikatz.ps1 to another (non-excluded) folder with a different name, eg. invoke-mimi.ps1 and then try AMSITrigger on that file. |
Yes sure, as follows: No exclusions in my home folder, renamed, showed something slightly diff this round Similar error with PS as the terminal: |
|
|
|
which version of AMSITrigger you running - just so we have like-for-like |
I was running the build v2 x86 for prior examples. I just figured out what triggers the Check realtime protection message.
|
Yes it runs and shows the above |
|
yeah - I understand that 2nd case as defender is quite-rightly removing the malicious file before AMSITrigger tries to open it. |
|
Could you look at the properties of this file: |
|
It might be worth matching up your version with this line. Just change the |
Please see below: |
|
Let me know how that goes. |
|
so change to powershell.exe_10.0.19041.546 |
Got it, will revert when I managed to compile. Didn't realise the VS I was using was Professional and the trial period expired - getting the Community version installer now |
No luck. I removed the allowed threats just to be sure and the same error still occurs |
|
Just put the |
|
Pretty sure that's been tried S3curTh1sSh1t but happy to try anything at this point.. |
Holyshit that actually worked!
|
|
So I guess the fix is to whitelist the folder that AMSITrigger is running from Thank you RythmStick (for spending time to diagnose) & S3cur3Th1sSh1t for the suggestion |
|
Instead you could also "obfuscate" Amsitrigger by changing the namespace and class names before compilation but the exclusion is the easiest way so far. 🚀 |
|
Just glad it's working 😊 thanks S3cur3Th1sSh1t |
|
Even if this issue is considered closed, I'd like to add something for Win 10/11 22H2 builds and the according Defender versions: |
Any idea which version of Windows this tool can still work with? |
Hi, I tried the release binary, and downloading the sourcecode to compile and run it
I tested with a Powershell script, but I can only see the "[+] Check Real Time protection is enabled" error, while my Windows Defender protection is all turned on.
I tried --inputfile and -u, but still same error, for the v2 release binary, and v3 selfcompile
Is there a way for me to diagnose further what could be the issue? Thanks!
The text was updated successfully, but these errors were encountered: