Windows – How to exclude scheduled task from Windows Defender

powershell, windows 10, windows task scheduler, windows-defender

I have a scheduled task that should run every two hours, with the following command line action:

  • Program: mshta
  • Arguments: vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -NoLogo -Command """"& 'X:\Path\To\Custom\powershellScript.ps1'"""""", 0 : window.close")

Every two hours, instead of the task getting run, I'm getting:

Found some malware Windows Defender is removing it

and in Defender history:

Detected item Trojan:Win32/Powerssere.G

I don't want to stop Windows Defender, because of potential security implications of doing so. Is there a way to add an exclusion in Defender to ignore the task?

I tried adding both script path, folder, mshta.exe and powershell.exe to exclusions, also ps1 to file types. Nothing works.

By the way, Defender doesn't remove the task, or the script that should be run, just stops it from running.

Clarification:

  • It must be run in the background, no window should pop out when the task is run, it has to be run as the user if he's logged in, I don't want to store a password/run with another user account or highest privileges.

  • The script has to be executed as the logged in user. The purpose of it is to change the wallpaper for the logged in user to downloaded one ($picturePath variable). Excerpt:


    $registryPropertyPath = "HKCU:\Control Panel\Desktop\"
    $registryPropertyName = "Wallpaper"
    $wallpaperProperty = (Get-ItemProperty -Path $registryPropertyPath -Name $registryPropertyName).WallPaper
    if ($wallpaperProperty -ne $picturePath) {
        Set-ItemProperty -Path $registryPropertyPath -Name $registryPropertyName -Value $picturePath
        for ($i = 0; $i -lt 20; $i++) {
            RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True
        }
    }

Best Answer

Again, as noted, if you do this, it's simply a virus type action and should be blocked.

As @HackSlash notes, that is the correct way to do this.

When you say a window pops out because of this, it should, because you are starting a new shell and the shell has to launch and show as active. You can just add the WindowStyle property -minimize or -hidden switch to diminish that.

https://docs.microsoft.com/en-us/powershell/scripting/core-powershell/console/powershell.exe-command-line-help?view=powershell-6

    PowerShell[.exe]
        [-Command { - | [-args ] | [] } ]
        [-EncodedCommand ]
        [-ExecutionPolicy ]
        [-File []]
        [-InputFormat {Text | XML}]
        [-Mta]
        [-NoExit]
        [-NoLogo]
        [-NonInteractive]
        [-NoProfile]
        [-OutputFormat {Text | XML}]
        [-PSConsoleFile | -Version ]
        [-Sta]
        [-WindowStyle ]

    PowerShell[.exe] -Help | -? | /?

-WindowStyle

Sets the window style for the session. Valid values are Normal, Minimized, Maximized and Hidden.

Or this approach, since even with the above the window will still momentarily flash.

Howto hide a PowerShell prompt

http://jeffwouters.nl/index.php/2015/09/howto-hide-a-powershell-prompt

Or this one

Sneaky PowerShell Trick: Run Completely Without A Window

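    using System.Management.Automation;
    using System.Threading;

    class Program
    {
        static void Main(string[] args)
        {
            // Run the script through the in-process PowerShell engine
            // instead of launching powershell.exe.
            var powershell = PowerShell.Create();
            powershell.AddScript(@"
                Get-ChildItem -Path c:\temp | out-file c:\temp\shh.txt
            ");
            var handler = powershell.BeginInvoke();
            while (!handler.IsCompleted)
                Thread.Sleep(200);
            powershell.EndInvoke(handler);
            powershell.Dispose();
        }
    }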

https://workingsysadmin.com/sneaky-powershell-trick-run-completely-without-a-window
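
The task from the question, registered so that powershell.exe is the action itself rather than being reached through mshta and a VBScript wrapper, using the -WindowStyle Hidden value the answer points to. This is an added example, not code from the question or the answer; the task name `SetWallpaper` is a hypothetical name, and the script path is the placeholder path from the question.

```powershell
# Added example. 'SetWallpaper' is a hypothetical task name; the script path is
# the placeholder path used in the question.
$taskName   = 'SetWallpaper'
$scriptPath = 'X:\Path\To\Custom\powershellScript.ps1'

# Form used in the question: mshta -> VBScript -> Wscript.Shell -> powershell.
# Direct form: powershell.exe is the task action, and -File takes the script
# path without the nested quoting the wrapper needed.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoLogo -NoProfile -NonInteractive -WindowStyle Hidden -File `"$scriptPath`""

# Repeat every two hours, starting now.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Hours 2)

# Interactive logon type: the task runs only while this user is logged on, in
# that user's session, with no stored password. Limited = not elevated.
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
    -LogonType Interactive -RunLevel Limited

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null

# Confirm what the task will actually launch.
(Get-ScheduledTask -TaskName $taskName).Actions | Select-Object Execute, Arguments
```

As the answer notes, the console window can still flash briefly with -WindowStyle Hidden.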
