Sysmon 11.0 is out with file delete monitoring

Microsoft released a new version of Sysinternals Sysmon (System Monitoring) program for Microsoft Windows devices this week. Sysmon 11.0 is a major update of the application; users may download the latest version of the program from the official Sysinternals website or launch the new version of the tool directly using Sysinternals Live.
Sysmon is a specialized system monitor tool for Windows 7 and up that installs as a system service and device driver. The application monitors events on the system commonly used by attackers, e.g. by malware attacks, and logs these to the Windows event log.
The program monitors important activity such as the creation of processes and their termination, network connections, the loading of drivers, the creation of files, or Registry Events when it is active.
Sysmon 11.0 adds a new event to the list of monitored activity on Windows devices. Event 23, FileDelete, monitors all file removal activity on the Windows machine; this gives administrators options to see all files that were deleted on a system while Sysmon was active.
One of the reasons for adding file delete monitoring came from Microsoft's own experience. The company noted that attackers who successfully got into company machines would drop tools on the machine, use these, and delete these when they were done. The new file delete monitoring provides analysts with information about the tools that the attacker used on the system. Naturally, file deletion activity covers other types of deletions as well when it is used.
Here is a video by Mark Russinovich that offers additional details on the update:
Installation of Sysmon is straightforward. All that needs to be done is to download the latest archive version of the program and extract it on the target system. You may check the configuration using sysmon -s using the command prompt, and install the monitoring service using sysmon -accepteula -i; this uses the default configuration. To uninstall sysmon, run sysmon -u from the command line.
Advanced users can use configuration files to customize the monitoring, e.g. to ignore certain activity on the system. The new version of Sysmon comes with a flag to disable reverse DNS lookups to avoid DNS servers being overloaded by requests from the tool.
Now You: do you use Sysinternals tools?


Does it come back after every “moment” update?
Yeah right.. Like this is going to stop defender from running =) This is comedy gold right here.
no ‘about the author’ paragraph?
For permanent disable defender is if removed complete from system no just change permission folder.
Just this is joke.
simpler, load Autoruns (SysInternals)
– filter “Defender”
– untag all entries
– reboot
nothing has changed since my 1st modification years ago
I wouldn’t disable Defender imho, it has too many hidden roots inside Windows itself. One time I tried to uninstall it using brute force scripts and then the Onedrive feature stopped working definitely. A reinstallation was needed and since those times I prefer to maintain Defender untouched. It’s a better method to install another antivirus and it will disable Defender in a safer and easier mode (e.g., Avast is the best in this way, and also Panda Cloud Free is good too).
U are just * [Editor: removed] thats the problem ;p first of all u shall always debloat windows u shall have max 65 services with your drivers for pc and windows own servs. You didnt know what that script did
You can not stop defender from running in background or remove it without some penalty. All you can do is to limit telemetry.
@borts,
It’s probably Smartscreen which is preventing WD from being disabled. Get rid of that and the problem should be solved: https://thegeekpage.com/disable-windows-defender-smartscreen/#How_to_disable_the_Windows_Defender_SmartScreen_via_Local_Group_Policy_Editor
Remove Windows and go for Linux.
Linux sucks dude. Besides it’s not comparable to Windows, these OSes are in different classes entirely.
I use Linux as my daily driver. It’s far more stable than Windows. When’s the last time you used Linux, 2010?
@basingstoke
You’re right, dude. Bro, linux is just a bunch of code that starts before the OS, dude. Brobrodude, that shit ain’t even got emojis, dudebrodudeman! Dudebro, it’s no way near as cool as Windows with its hardcoded abilities to make money off the user, bro. Yo brodude man, you’re the coolest dude ever man, bro. Dude.
Lol what? Windows 7 doesn’t come with any Emojis
Download Autoruns and remove the checkmark from Windows Defender. It doesn’t remove it, but it will never run. https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
Just use “Defender Control”:
https://www.sordum.org/9480/defender-control-v2-1/comment-page-1/#comments
Per this video,
https://www.youtube.com/watch?v=CLIjr7FyxZ8
it also works on Windows 11 too…
Win Defender, is completly the most succesful free-built in antivirus of Microsoft. Really nice product. Saved my ass a lot of times. Has updated malware database, completly strong defence
from whatever smart screen disables. Or if you want better and more upgrated (paid) program,
you can go further. But defender is always on your side.
Why would one disable Windows (or Microsoft) Defender in the first place?. I consider this to be playing with fire big time. Everybody knows that if one is using another A-V, Defender will be disabled on its own and won’t be in one’s way.
Why would I want to disable Windows Defender in the first place? It’s a great anti virus in my opinion. Been using it since Windows 8 and and never had a problem or a virus. Why mess with a good thing, if it ain’t broke don’t fix it.
How a ridiculous article!
I am thoroughly stunned.
Why Should You Disable First-Party Windows Defender?
I can only think that it is “malice or perversely intention (want you to buy a third-party AV where you can expect a back margin)” to guide invalidation without showing the premise.
No sane company will use third-party closed source programs (such as AV).
As I thought, “Ghacks Technology News” seems to be coming to downfall.