Killing Microsoft Defender on a Mac

Killing Microsoft Defender on a Mac

Big companies mean big problems. Big companies are targeted more often by cyber attacks. Big companies take more critical image losses. And also, big companies have a larger amount of "not that smart" employees. Thus it's not a coincidence that there are somewhat exaggerated measures taken by the management here and there.

I find an antivirus on a developer's mac to be an exaggeration. Really, if you are getting a virus on macOS, that means that you had to disable the default protection and literally run it yourself. At this point, you could also write a script that dumps sensitive data of your company over some tunnel. In other words: it's all your fault.

At the same time, I don't care that much about antiviruses per see. They are just additional pain in the ass, similar to agile ceremonies. However, they can significantly slow you down in some cases (yes, even more than agile ceremonies). For example, I had an experience with McAfee, where software projects would build extremely slow, as the antivirus had to check each downloaded dependency and build file. And while it was super-easy to find a way to kill the McAfee agent, that was not the case with Microsoft Defender. Gosh, I had to spend an hour to figure out how to do that. So here is a guide so you can save some time.

P.S. I also posted this Q/A on SuperUser because as a superuser of your machine, you may look for a way to stop a certain service. But the question was closed, so let's give the SuperUser community their right to suck.

Killing Microsoft Defender Demon on a Mac

‼️Disclaimer‼️ While this guide tells you how to kill the Microsoft Defender antivirus on macOS, it does not encourage you to do so in any way. Your actions are your own, and you will bear the consequences, whatever they are.

Microsoft includes a handy CLI tool mdatp, that has a simple command that should turn off automatic scanning:

mdatp config real-time-protection --value disabled

sadly, in case the antivirus was installed automatically on your machine, the CLI tool will refuse to disable the scanning and tell you

This setting is managed by your organization

This statement is hilarious. Guys, I have sudo rights. I can re-write all the bits of your fucking software. Anyway, let's continue to dig into how the antivirus keeps itself alive.

The Microsoft Defender is launched by launchctl and kept alive, so the system will restart the process if you try to kill it. Instead, you can tell launchctl to unload the Microsoft Defender service. The service name is com.microsoft.wdav.tray, and in my case, the configuration was located in

/Library/LaunchAgents/com.microsoft.wdav.tray.plist

Thus, to stop the antivirus, simply run:

launchctl unload /Library/LaunchAgents/com.microsoft.wdav.tray.plist

Please, notice that I didn't need to run in as sudo, but it may be different in your case. This command will unload the service until the next restart. If you want the unloading to persist over restarts, run it with the -w flag (but be careful not to upset your management too much).

It is helpful to add an alias like

alias kill_md="launchctl unload /Library/LaunchAgents/com.microsoft.wdav.tray.plist"

to your ~/.bash_profile file, so in case you need to kill Microsoft Defender you don't have to google it over and over again, and you can run kill_md