Defendnot emerges as a sophisticated tool that effectively disables Windows Defender by leveraging the Windows Security Center (WSC) API, presenting itself as a legitimate antivirus solution. The WSC service plays a crucial role in maintaining the security integrity of Windows computers, automatically disabling Windows Defender when third-party antivirus software is installed to avoid conflicts.
Created by a GitHub developer known as “es3n1n,” this tool stands out for its direct engagement with WSC, circumventing the need to utilize code from existing antivirus products. This release follows a notable gap since the developer’s previous tool, “no-defender,” was taken down last year due to a DMCA request.
In a report shared with Cyber Security News, the developer elaborated on the functionality of the WSC service, stating, “There’s a WSC (Windows Security Center) service in Windows which is used by antiviruses to let Windows know that there’s some other antivirus in the hood and it should disable Windows Defender.” He further noted the challenges posed by the undocumented nature of the WSC API, which requires developers to sign a non-disclosure agreement with Microsoft to access its documentation.
Defendnot Disables Windows Defender
According to a comprehensive blog post by the developer, the creation of Defendnot involved meticulous reverse engineering of the WSC service, alongside deciphering the process validation mechanisms employed by Microsoft. This endeavor was not without its hurdles, particularly in understanding how WSC verifies processes before permitting them to register as antivirus solutions.
A pivotal finding was that WSC conducts checks on processes attempting to register, including verifying that the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY flag is set in the PE header and examining the process's digital signature. The Task Manager (Taskmgr.exe) was identified as a suitable “victim process” to host the Defendnot code.
The tool employs COM interfaces to interact with WSC, effectively registering a phantom antivirus product. Consequently, when Windows identifies this “antivirus,” it automatically disables its built-in protection. Security researcher Will Dormann highlighted the tool on social media, pointing out that it “uses this technique to install a null AV product, thus having the effect of simply disabling Microsoft Defender.”
Technically, Defendnot implements interfaces such as IWSCProductList to communicate with WSC and utilizes undocumented Windows APIs typically reserved for certified antivirus vendors under the Microsoft Virus Initiative (MVI) program, which requires an NDA.
Among its features, the tool includes several commands. However, the developer noted a limitation: “to keep this WSC stuff even after reboot, Defendnot adds itself to the autorun. Thus, you would need to keep the Defendnot binaries on your disk.”
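The registration and persistence mechanics described above give an administrator two concrete things to audit: what WSC currently believes about installed antivirus products, and whether anything unexpected sits in the autorun keys. The following PowerShell script is an added example written for this article; it is not Defendnot's code, nor a Microsoft tool. It assumes a Windows 10/11 host, an elevated session, and the Defender PowerShell module (`Get-MpComputerStatus`) being present. It reads WSC's view of registered products from the `root/SecurityCenter2` WMI namespace, checks that each product's executable exists and carries a valid Authenticode signature, decodes the widely used (but undocumented) `productState` layout, and lists the Run keys the tool would need to use for its autorun entry.

```powershell
# Added example, not part of Defendnot or of any vendor tooling.
# Audits the antivirus products Windows Security Center (WSC) has on record and
# compares them with Defender's real state. Run from an elevated PowerShell session.

function Get-WscAntivirusAudit {
    # WSC publishes registered AV products through the root/SecurityCenter2 namespace.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct
    foreach ($p in $products) {
        $exe = [Environment]::ExpandEnvironmentVariables([string]$p.pathToSignedProductExe)
        # Defender itself registers a URI (windowsdefender://) rather than a file path,
        # so a URI-style value is not a file-backed product and is not checked on disk.
        $isUri     = $exe -match '^[A-Za-z][A-Za-z0-9+.-]*://'
        $exists    = (-not $isUri) -and $exe -and (Test-Path -LiteralPath $exe)
        $sigStatus = 'n/a'
        $signer    = 'n/a'
        if ($exists) {
            $sig       = Get-AuthenticodeSignature -FilePath $exe
            $sigStatus = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        # productState is undocumented; the community decoding treats it as 0xAABBCC:
        # BB = protection state (10/11 = real-time on, 00/01 = off),
        # CC = definition status (00 = current, 10 = out of date). Treat as a heuristic.
        $hex   = ([Convert]::ToString([int]$p.productState, 16)).PadLeft(6, '0')
        $rtpOn = $hex.Substring(2, 2) -in @('10', '11')
        $defsOk = $hex.Substring(4, 2) -eq '00'

        [pscustomobject]@{
            DisplayName = $p.displayName
            Executable  = $exe
            IsUri       = $isUri
            ExeExists   = $exists
            Signature   = $sigStatus
            Signer      = $signer
            RealTimeOn  = $rtpOn
            DefsCurrent = $defsOk
            # A product WSC trusts whose executable is missing or unsigned deserves a look.
            Suspicious  = (-not $isUri) -and ((-not $exists) -or ($sigStatus -ne 'Valid'))
        }
    }
}

function Get-DefenderState {
    # Defender's own view; AMRunningMode shows "Passive Mode" or similar when WSC
    # has told it another product is in charge.
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        AMRunningMode       = $mp.AMRunningMode
        AntivirusEnabled    = $mp.AntivirusEnabled
        RealTimeProtection  = $mp.RealTimeProtectionEnabled
    }
}

function Get-AutorunEntries {
    # The article notes the tool survives reboots only by adding itself to autorun,
    # so the standard Run keys in both hives are worth enumerating.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-ItemProperty -Path $k
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the provider metadata properties (PSPath, PSParentPath, ...).
            if ($prop.Name -notmatch '^PS') {
                [pscustomobject]@{ Key = $k; Name = $prop.Name; Command = $prop.Value }
            }
        }
    }
}

$audit = @(Get-WscAntivirusAudit)
$audit | Format-Table -AutoSize
Get-DefenderState | Format-List
$audit | Where-Object Suspicious | ForEach-Object {
    Write-Warning ("WSC lists '{0}' but its executable is missing or not validly signed: {1}" -f $_.DisplayName, $_.Executable)
}
Get-AutorunEntries | Format-Table -AutoSize
```

Two things to read together in the output: a product in the WSC table whose executable does not exist or is not validly signed, and a Defender state of anything other than normal active mode. A registered "antivirus" with no signed binary behind it while Defender reports it has stepped aside is exactly the condition this article describes, and the Run-key listing then shows what was scheduled to re-create that state at the next logon. The `productState` decoding is a heuristic, so rely on the existence and signature checks as the primary signal.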
While the tool showcases remarkable technical expertise and reverse engineering capabilities, security experts express concern about its potential misuse by malware authors aiming to disable security protections. Nonetheless, it is important to highlight that Defendnot necessitates administrative privileges to operate, which restricts its capacity for covert deployment.
For security researchers and administrators, Defendnot offers valuable insights into the integration of security products within Windows, illuminating potential vulnerabilities in Microsoft’s security architecture that could be fortified to prevent similar bypasses in the future.