Blog

New ‘Defendnot’ tool tricks Windows into disabling Microsoft Defender

4 hours ago
2 minutes read

A new tool called ‘Defendnot’ can disable Microsoft Defender on Windows devices by registering a fake antivirus product, even when no real AV is installed.

The trick utilizes an undocumented Windows Security Center (WSC) API that antivirus software uses to tell Windows it is installed and is now managing the real-time protection for the device.

When an antivirus program is registered, Windows automatically disables Microsoft Defender to avoid conflicts from running multiple security applications on the same device.

The Defendnot tool, created by researcher es3n1n, abuses this API by registering a fake antivirus product that meets all of Windows’ validation checks.

The tool is based on a previous project called no-defender, which used code from a third-party antivirus product to spoof registration with WSC. That earlier tool was pulled from GitHub after the vendor filed a DMCA takedown.

“Then, after a few weeks after the release, the project blew up quite a bit and gained ~1.5k stars, after that the developers of the antivirus I was using filed a DMCA takedown request and I didn’t really want to do anything with that so just erased everything and called it a day,” the developer explains in a blog post.

Defendnot avoids copyright issues by building the functionality from scratch through a dummy antivirus DLL.

Normally, WSC API is safeguarded through Protected Process Light (PPL), valid digital signatures, and other features.

To bypass these requirements, Defendnot injects its DLL into a system process, Taskmgr.exe, that is signed and already trusted by Microsoft. From within that process, it can register the dummy antivirus with a spoofed display name.

Once registered, Microsoft Defender immediately shuts itself off, leaving no active protection on the device.

Defendnot registered on a device
Defendnot registered on a device
Source: BleepingComputer

The tool also includes a loader that passes configuration data via a ctx.bin file and lets you set the antivirus name you want to use, turn off registration, and enable verbose logging.

For persistence, Defendnot creates an autorun through the Windows Task Scheduler so that it starts when you log in to Windows.

While Defendnot is considered a research project, the tool demonstrates how trusted system features can be manipulated to turn off security features.

Microsoft Defender is currently detecting and quarantining Defendnot as a ‘Win32/Sabsik.FL.!ml; detection.


Red Report 2025

Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.


Source link

Tags
4 hours ago
2 minutes read

Related Articles

Top Picks for Bassinets in 2025

3 hours ago

How to Prep Your Smart Home for Summer Vacations

3 hours ago

NYT Strands Today: Hints, Answers & Spangram for May 18, 2025

3 hours ago

How Apple wins for enterprise IT – Computerworld

4 hours ago

Netflix top 10 movies — here’s the 3 worth watching right now

4 hours ago

Tim Sweeney is mocking Apple for letting Fortnite fakes into the App Store

5 hours ago

This Budget Outdoor Speaker Is Surprisingly Good, and It’s Only $56 Right Now

7 hours ago

Top Picks for Cribs in 2025

8 hours ago

Don’t Overlook These 10 Amazing Older Netflix Originals

8 hours ago

Roblox Grow a Garden: Blood Moon Shop Items You Can Buy

8 hours ago
Back to top button
close