Can I restrict Windows Defender to only report threats?

I’m conducting an experiment in a cyber testbed with three emulated Windows workstations (Windows 10, Windows 10, Windows 11).

Since Windows Defender recognizes the attack, it automatically quarantines the malicious files.

To proceed with the experiment, I disabled Real-time Protection in the Defender’s configuration. As expected, the files weren’t isolated, and the attack succeeded. However, for research purposes, I want the anti-virus to still report the alert about the suspicious file without taking any action against it.

When Real-time Protection is active, I can get event logs from Applications and Services Logs/Microsoft/Windows/Windows Defender/Operational, like so:

Is there a way to get these logs without quarantining the malicious files?

You’re looking to configure Windows Defender to report threats without taking any action, right? That’s a great approach for your experiment.

Here’s the deal: you can’t directly configure Windows Defender to only report threats without quarantining the malicious files. However, there’s a workaround that might just do the trick.

You can use the Audit Only mode in Windows Defender. This mode allows you to monitor and log threats without taking any action. Here’s how to enable it:

  1. Open the Registry Editor (Regedit.exe) as an administrator.
  2. Navigate to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
  3. Create a new DWORD (32-bit) value named DisableAntiSpyware and set its value to 1.
  4. Create another new DWORD (32-bit) value named AuditMode and set its value to 1.

Once you’ve made these changes, restart your system or restart the Windows Defender service.

With Audit Only mode enabled, Windows Defender will continue to detect and log threats, but it won’t take any action against them. You should still see the event logs in the Applications and Services Logs/Microsoft/Windows/Windows Defender/Operational section.

Keep in mind that this mode is intended for testing and evaluation purposes, so use it at your own discretion. Also, be aware that your system will be more vulnerable to malware with Audit Only mode enabled, so make sure to revert the changes when you’re done with your experiment.

Give it a try and see if it works for your needs.
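As an added example, not part of the question or the answer above, here is a PowerShell script that pulls detection events from the Operational channel the question names and exports them for the experiment's records, alongside the current real-time protection state. It assumes Defender event IDs 1116 (threat detected) and 1117 (action taken) and the EventData field names shown in the code, as observed on Windows 10/11 hosts; the script parameters `-Hours` and `-OutCsv` are its own, not Defender settings.

```powershell
# Added example (not from the question or answer): collect Windows Defender
# detection events from the Operational channel and export them to CSV, so
# detections can be reviewed whatever remediation state the host is in.
# Assumptions: event IDs 1116/1117 and the EventData field names below are
# as observed on Windows 10/11; -Hours and -OutCsv belong to this script only.
param(
    [int]$Hours = 24,
    [string]$OutCsv = "$env:USERPROFILE\defender-detections.csv"
)

$log = 'Microsoft-Windows-Windows Defender/Operational'

# Record the protection state next to the export so the experiment notes
# show whether real-time protection was active during collection.
$status = Get-MpComputerStatus
"Real-time protection enabled: $($status.RealTimeProtectionEnabled)"

$filter = @{
    LogName   = $log
    Id        = 1116, 1117
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    "No detection events in the last $Hours hours."
    return
}

# Read named fields from the event XML rather than positional Properties
# indexes, which differ between event IDs.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        EventId  = $e.Id
        Threat   = $data['Threat Name']
        Severity = $data['Severity Name']
        Path     = $data['Path']
        Process  = $data['Process Name']
        User     = $data['Detection User']
        Action   = $data['Action Name']
    }
}

$rows | Sort-Object Time | Export-Csv -Path $OutCsv -NoTypeInformation
"Exported $($rows.Count) events to $OutCsv"
```

Run it from an elevated PowerShell session on each workstation; the 1117 rows show what action, if any, Defender actually took for each 1116 detection.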