Emulating ransomware threats using Atomic Red Team

  • Published on 22 Dec 2024

Comments • 3

  • @jesieniar
    @jesieniar several months ago

    One thing you guys always skip over is that most of those tests will be immediately picked up by Defender

    • @briandonohue1888
      @briandonohue1888 several months ago

      It's not quite as simple as that. However, to your point, it's best to disable Defender (AV) prior to testing because it will definitely try to block the installation of the atomics library. That said, even with Defender on, I've had tests execute despite Defender claiming to have blocked them. Further, modifying atomics to evade Defender detection logic is pretty trivial. At the end of the day, the point is to assume adversaries have bypassed AV/preventive controls and test visibility and/or secondary detective controls. So, you can do it the hard way by modifying all your tests so they aren't picked up by Defender, or you can just accept that adversaries are able to evade signature-based detection and do it the easy way by simply disabling real-time monitoring.

    • @jesieniar
      @jesieniar several months ago

      @briandonohue1888 right, thank you very much for the answer, sir
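The workflow @briandonohue1888 describes (run an atomic on a lab box with Defender real-time monitoring off, then check whether your detective controls still saw it) as an added PowerShell example; this is not code from the video, Atomic Red Team or either commenter. It assumes the invoke-atomicredteam module and the atomics folder are already installed, that it runs elevated on a disposable test VM, and that T1486 test 1 is the ransomware atomic you want; the technique and test number are assumptions to swap for your own.

```powershell
# Added example: snapshot Defender's real-time setting, run one atomic, restore the
# setting, then read Defender's operational log to tell "blocked" from "executed".
param(
    [string]$Technique = 'T1486',   # Data Encrypted for Impact (assumed choice)
    [int]$TestNumber   = 1,         # assumed; check the atomic's YAML for the right index
    [switch]$DisableRealtime        # the "easy way" from the comment thread
)
Import-Module invoke-atomicredteam -ErrorAction Stop

# Record the time first so the 5001 event (real-time protection turned off) is in the window.
$start = Get-Date

# Snapshot the current preference so it can be restored afterwards.
$originalRtp = (Get-MpPreference).DisableRealtimeMonitoring
if ($DisableRealtime) { Set-MpPreference -DisableRealtimeMonitoring $true }

try {
    Invoke-AtomicTest $Technique -TestNumbers $TestNumber -GetPrereqs
    Invoke-AtomicTest $Technique -TestNumbers $TestNumber
}
finally {
    # Clean up the atomic's artifacts and put Defender back the way the box had it,
    # even if the test threw.
    Invoke-AtomicTest $Technique -TestNumbers $TestNumber -Cleanup
    Set-MpPreference -DisableRealtimeMonitoring $originalRtp
}

# Defender logs detections as 1116 and remediation actions as 1117; 5001 records
# real-time protection being disabled, which your SOC should be alerting on anyway.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117, 5001
    StartTime = $start
} -ErrorAction SilentlyContinue

if ($events) {
    $events | Select-Object TimeCreated, Id, Message | Format-List
}
else {
    "No Defender events since $start. The atomic ran unblocked; now confirm your own " +
    "telemetry (Sysmon, EDR, file-change or canary alerts) recorded it."
}
```

If Tamper Protection is enabled, Set-MpPreference silently has no effect, so read back (Get-MpPreference).DisableRealtimeMonitoring before trusting the run.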