A security researcher has released a tool named defendnot, the successor to the earlier no-defender project that was taken down by a DMCA notice. The utility uses undocumented Windows Security Center (WSC) APIs to register itself as a third-party antivirus, which causes Windows to turn off Windows Defender.
The developer described building defendnot while travelling abroad with limited resources. The tool relies on the WSC service, the Windows component that keeps track of the security products installed on a machine. When an antivirus registers itself through WSC's COM API, Windows disables its built-in Defender so that two engines do not run side by side.
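The registration mechanism above is also what a defender can audit. The following PowerShell script is an added example, not code from defendnot or from the author's write-up. It lists every antivirus and firewall product registered in WSC (exposed through the `root/SecurityCenter2` WMI namespace), verifies the Authenticode signature of the executable each entry points at, and asks Defender for its own status. The `productState` decoding is the commonly used interpretation of an undocumented field, and the list of expected product names is an assumption for a host where only Defender should be present; both are marked in the comments.

```powershell
# Added audit script; not part of defendnot or the author's write-up.
# Run as Administrator on Windows 10/11. Get-MpComputerStatus needs the Defender module.

function ConvertFrom-ProductState {
    # productState is undocumented. This is the commonly used interpretation
    # (0xAABBCC: AA = product type, BB = on/off/snoozed, CC = signature freshness).
    param([uint32]$State)
    $onOff = ($State -shr 8) -band 0xFF
    $sigs  = $State -band 0xFF
    [pscustomobject]@{
        Hex       = ('0x{0:X6}' -f $State)
        Enabled   = (($onOff -band 0x10) -ne 0)
        Snoozed   = ($onOff -eq 0x11)
        DefsStale = (($sigs -band 0x10) -ne 0)
    }
}

function Get-WscRegistrations {
    # Assumption: only Defender is expected on this host; adjust the baseline for your fleet.
    # Windows Defender Firewall normally does not appear in FirewallProduct, so any entry
    # in that class is a third-party (or fake) firewall.
    param([string[]]$ExpectedNames = @('Windows Defender', 'Microsoft Defender Antivirus'))

    foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
        foreach ($p in (Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $class)) {
            $state = ConvertFrom-ProductState -State ([uint32]$p.productState)
            $exe   = [Environment]::ExpandEnvironmentVariables([string]$p.pathToSignedProductExe)
            $flags = @()
            if ($ExpectedNames -notcontains $p.displayName) { $flags += 'UnexpectedName' }
            if ($exe -match '^[a-z]+://') {
                # Defender registers a URI (windowsdefender://) rather than a file path.
                $sigStatus = 'Uri'
            } elseif (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
                $sigStatus = 'MissingExe'
                $flags += 'MissingExe'
            } else {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $exe).Status
                if ($sigStatus -ne 'Valid') { $flags += "Signature=$sigStatus" }
            }
            [pscustomobject]@{
                Class     = $class
                Name      = $p.displayName
                Enabled   = $state.Enabled
                State     = $state.Hex
                Exe       = $exe
                Signature = $sigStatus
                Flags     = ($flags -join ',')
            }
        }
    }
}

Get-WscRegistrations | Format-Table -AutoSize

# Defender's own view. An 'UnexpectedName' AV entry above that is Enabled, combined with
# RealTimeProtectionEnabled = False here, is the pattern to investigate.
try {
    Get-MpComputerStatus |
        Select-Object AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled, AntispywareEnabled |
        Format-List
} catch {
    Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)"
}
```

The WSC entries are what Windows itself trusts, so the useful signal is the disagreement: a product name you never deployed, an entry whose executable is missing or not validly signed, or an enabled third-party AV on a host where Defender should be the only engine.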
To get there, the developer reverse engineered the checks WSC runs on a caller before it accepts a registration. According to the write-up, WSC verifies the calling process's signature and inspects the PE DLL characteristics flags, in particular the ForceIntegrity flag. After trying a range of system binaries, the developer settled on Taskmgr.exe as the "victim process" into which the code that makes the WSC API calls is injected.
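The page says WSC looks at the caller's signature and its ForceIntegrity DLL characteristic, and that the developer found Taskmgr.exe by testing system binaries one by one. The script below is an added example, not defendnot's code, that does that search systematically: it reads the PE optional header of every executable in System32 and reports the ones that carry IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY (0x0080) and a valid Microsoft signature. The offset arithmetic follows the PE specification (DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+); the directory scanned and the 4 KiB header read are assumptions noted in the comments.

```powershell
# Added research helper; not defendnot's code. Enumerates signed System32 binaries whose
# optional header sets IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY (0x0080).

function Get-PEDllCharacteristics {
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        # Assumption: the PE headers fit in the first 4 KiB, true for normal linkers.
        $buf = New-Object byte[] 4096
        $n   = $fs.Read($buf, 0, $buf.Length)
        if ($n -lt 0x40 -or $buf[0] -ne 0x4D -or $buf[1] -ne 0x5A) { return $null }   # 'MZ'
        $peOff = [BitConverter]::ToInt32($buf, 0x3C)                                   # e_lfanew
        if ($peOff -le 0 -or ($peOff + 24 + 72) -gt $n) { return $null }
        if ([BitConverter]::ToUInt32($buf, $peOff) -ne 0x00004550) { return $null }    # 'PE\0\0'
        $optOff = $peOff + 24                        # 4-byte signature + 20-byte file header
        $magic  = [BitConverter]::ToUInt16($buf, $optOff)
        if ($magic -ne 0x10B -and $magic -ne 0x20B) { return $null }                   # PE32 / PE32+
        # DllCharacteristics is at offset 70 of the optional header for both formats.
        return [BitConverter]::ToUInt16($buf, $optOff + 70)
    } finally {
        $fs.Dispose()
    }
}

$FORCE_INTEGRITY = 0x0080
# Assumption: System32 is the directory worth scanning; widen the glob for other locations.
Get-ChildItem -Path "$env:SystemRoot\System32\*.exe" -File | ForEach-Object {
    $dc = Get-PEDllCharacteristics -Path $_.FullName
    if ($null -ne $dc -and ($dc -band $FORCE_INTEGRITY)) {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name   = $_.Name
            DllChr = ('0x{0:X4}' -f $dc)
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject
        }
    }
} | Where-Object { $_.Status -eq 'Valid' -and $_.Signer -like '*Microsoft*' } |
    Sort-Object Name | Format-Table -AutoSize
```

Get-AuthenticodeSignature also honours catalog signatures on Windows 8 and later, so system binaries without an embedded signature still show as Valid. The output is the candidate set the developer narrowed by hand; Taskmgr.exe should appear in it on a stock installation.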
“There’s a WSC service in Windows which is used by antiviruses to let Windows know that there’s some other antivirus in the hood and it should disable Windows Defender,” the documentation elaborates, highlighting the fact that these APIs are undocumented and typically require a non-disclosure agreement with Microsoft for access.
Defendnot – Disabling Windows Defender
The tool was written under unusual conditions: the developer was working from an Airbnb in Seoul with only an M4 Pro MacBook, a poor fit for x86 Windows development. The workaround was remote access to a friend's PC in the United States, which meant debugging sessions over a link with roughly 210 ms of latency.
“My setup looked like this: build the module in Windows ARM64 running in Parallels using MSVC, share the build artifacts with my host using shared folders, copy build artifacts using AnyDesk to the virtual machine running on my friend’s PC, debug the service using Parsec with 210ms latency,” the developer recounted.
After observing what happened when a plain cmd.exe process tried to register an antivirus in WSC, the developer traced the WSC function that checks whether the calling process's token carries the WinDefend service SID.
Ultimately, the developer paid for a Shadow.tech subscription to get a dedicated remote Windows machine, which proved essential for finding and fixing the remaining implementation problems.
Protection Bypass and Usage Guidelines
In contrast to temporary disabling methods, defendnot ensures its effects persist across system reboots by adding itself to Windows autorun. “Sadly, to keep this WSC stuff even after reboot, [it] adds itself to the autorun. Thus, you would need to keep the binaries on your disk,” the documentation clarifies.
The tool is driven from a command-line interface whose options cover both Windows Defender and Windows Firewall. The available flags are --disable to revert the changes, --av to register as an antivirus (which disables Defender), --firewall to also register as a firewall (which disables Windows Firewall), and --name to set the display name of the registered product.
The original no-defender project was removed after a DMCA takedown filed by an antivirus vendor whose code it reused; defendnot is described as a "clean" implementation that contains no third-party antivirus code. The developer says a fuller technical write-up of WSC's internals will be published separately by a collaborator.
Security experts caution that while tools like defendnot showcase intriguing technical workarounds, the act of disabling protection mechanisms should be confined to controlled environments and undertaken by users who possess a thorough understanding of the associated security implications.