A new tool has emerged for users seeking to disable Windows Defender without installing an alternative antivirus solution. Developer and reverse engineer es3n1n has introduced the Defendnot tool, which uses an undocumented Windows Security Center (WSC) API to inform the operating system that another antivirus program is active, effectively sidelining Windows Defender.
In a recent blog post detailing the development of Defendnot, es3n1n explains that this tool serves as a successor to their previous creation, the no-defender tool, released a year prior. The earlier version disabled Windows Defender by leveraging code from existing antivirus products, which ultimately led to a DMCA takedown request. In contrast, Defendnot aims to provide a “clean implementation” of the original concept, free from any third-party AV code. Achieving this was no small feat, as the workings of WSC are not publicly documented.
Drawing on previous experience, es3n1n successfully deduced how WSC validates calls from legitimate antivirus programs. By injecting their own code into this process, they achieved promising results. The blog features a screenshot showcasing a fictitious antivirus named ‘hi2,’ along with a playful label, ‘hello readme:).’ In a light-hearted twist, a reporter from Bleeping Computer created a mock antivirus called the BleepingComputer Antivirus using Defendnot, adding an element of fun to the project.
Once Defendnot is activated, Microsoft Defender promptly disables itself. Because Defendnot does not function as a traditional antivirus program, users are left without a real-time scanning feature and may find themselves vulnerable to viruses and malware. To ensure that the faux antivirus and its WSC registration persist after reboots, Defendnot is configured to run automatically upon Windows startup.
Microsoft classifies Defendnot as a Trojan
The ability to spoof a legitimate antivirus program raises significant concerns, particularly as it highlights potential vulnerabilities that could be exploited by malicious actors. If one were to download the Defendnot tool today, Microsoft Defender would likely detect and quarantine it as a Trojan, utilizing its machine learning algorithms to identify the threat.
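A defensive check for the condition described above, as an added example that is not from the article or from the Defendnot project: it lists the antivirus products registered with WSC and warns when Defender's real-time protection is off while a product outside an allowlist is registered. The allowlist entries and the function name `Get-WscAntivirusAudit` are assumptions for illustration.

```powershell
# Added example: audit what Windows Security Center (WSC) believes is the active antivirus.
# $KnownProducts is a hypothetical allowlist; replace it with the AV names your fleet deploys.
$KnownProducts = @('Windows Defender', 'Microsoft Defender Antivirus')

function Get-WscAntivirusAudit {
    param([string[]]$Allowlist = $KnownProducts)

    # The root/SecurityCenter2 namespace exists on client editions of Windows only.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
        -ClassName 'AntiVirusProduct' -ErrorAction Stop

    foreach ($p in $products) {
        # Registered paths may contain variables such as %ProgramFiles%.
        $exe = [Environment]::ExpandEnvironmentVariables([string]$p.pathToSignedProductExe)
        $sigStatus = 'NotAFile'   # e.g. a URI-style entry or a path that no longer exists
        $signer = $null
        if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $exe
            $sigStatus = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            DisplayName = $p.displayName
            ProductExe  = $exe
            Signature   = $sigStatus
            Signer      = $signer
            Registered  = $p.timestamp
            OnAllowlist = $Allowlist -contains $p.displayName
        }
    }
}

$audit = @(Get-WscAntivirusAudit)
$unexpected = @($audit | Where-Object { -not $_.OnAllowlist })

# A failed query (for example, the Defender service is stopped) is treated as protection off.
$realTimeOn = $false
try { $realTimeOn = [bool](Get-MpComputerStatus -ErrorAction Stop).RealTimeProtectionEnabled } catch { }

$audit | Format-Table DisplayName, Signature, OnAllowlist, Registered -AutoSize
if (-not $realTimeOn -and $unexpected.Count -gt 0) {
    Write-Warning 'Defender real-time protection is off and WSC lists an antivirus outside the allowlist:'
    $unexpected | Format-List DisplayName, ProductExe, Signature, Signer, Registered
}
```

The signature columns are triage context for each registered entry, not a verdict on their own.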