New ‘Defendnot’ tool tricks Windows into disabling Microsoft Defender

A new tool named Defendnot can disable Microsoft Defender on Windows devices by registering a counterfeit antivirus product, even when no legitimate antivirus software is installed. It abuses an undocumented Windows Security Center (WSC) API, the interface that antivirus products use to tell Windows they are installed and are handling real-time protection.

How Defendnot Operates

When a third-party antivirus registers through WSC, Windows disables Microsoft Defender to avoid the conflicts that arise from running two real-time protection engines on the same device. Defendnot, developed by researcher es3n1n, abuses this behavior by registering a fictitious antivirus product that passes all of Windows' validation checks.

Defendnot builds on an earlier project by the same developer, no-defender, which reused code from a third-party antivirus product to perform the WSC registration. That project was removed from GitHub after a DMCA takedown request from the vendor whose code it used. In a blog post, the developer recounted, “After a few weeks post-release, the project gained significant traction, accumulating around 1,500 stars. Subsequently, the antivirus developers I was using filed a DMCA takedown request, leading me to discontinue the project.”

To sidestep the copyright problem, Defendnot implements the registration from scratch using a dummy antivirus DLL. Registration with WSC is guarded by checks on the calling process, such as Protected Process Light (PPL) status and a valid digital signature. To get past these, Defendnot injects its DLL into Taskmgr.exe, a Microsoft-signed system process that WSC already trusts, and registers the dummy antivirus from there under an arbitrary display name.

Once the registration succeeds, Microsoft Defender immediately disables itself, leaving the device without active protection.

[Image: Defendnot registered on a device. Source: BleepingComputer]

The tool also includes a loader that passes its configuration through a ctx.bin file, letting users set the antivirus display name, disable the registration step, and turn on verbose logging. For persistence, Defendnot creates an autorun entry through the Windows Task Scheduler so that it launches whenever the user logs in.
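As an added illustration (not code from Defendnot, its developer, or BleepingComputer), the PowerShell below audits the registration path described above from the defender's side: it lists every antivirus product registered with WSC via the root/SecurityCenter2 WMI namespace, checks whether each product's registered executable exists and carries a valid Authenticode signature, reads Defender's own status, and enumerates enabled scheduled tasks with a logon trigger, which is where a Defendnot-style autorun would appear. The decoding of the undocumented productState field is the commonly used community interpretation rather than a Microsoft specification, and is an assumption here.

```powershell
# Added example, not part of Defendnot or the article: audit WSC antivirus registrations,
# Defender's resulting state, and logon-triggered scheduled tasks. Run elevated on a
# Windows 10/11 client; root/SecurityCenter2 and Get-MpComputerStatus are absent on Server SKUs.

function Get-WscAntivirusState {
    # Every product registered with Windows Security Center, genuine or counterfeit, shows up here.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' | ForEach-Object {
        # productState is undocumented; this decoding is the widely used community interpretation
        # (assumption): hex digits 3-4 = '10'/'11' real-time on, digits 5-6 = '00' signatures current.
        $hex = [Convert]::ToString([int]$_.productState, 16).PadLeft(6, '0')

        # Defender registers a URI ('windowsdefender://') rather than a file path, so only check
        # signatures on real paths. Environment variables in the path are expanded first.
        $exe    = [Environment]::ExpandEnvironmentVariables([string]$_.pathToSignedProductExe)
        $isUri  = $exe -match '^[A-Za-z][\w+.-]*://'
        $exists = (-not $isUri) -and $exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
        $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $exe } else { $null }

        [pscustomobject]@{
            DisplayName  = $_.displayName
            InstanceGuid = $_.instanceGuid
            ProductExe   = $exe
            IsUri        = $isUri
            RealTimeOn   = ($hex.Substring(2, 2) -in @('10', '11'))
            Signatures   = if ($hex.Substring(4, 2) -eq '00') { 'Current' } else { 'OutOfDate' }
            ExeExists    = [bool]$exists
            SignatureOk  = [bool]($sig -and $sig.Status -eq 'Valid')
            Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

function Get-DefenderState {
    # Defender's own view. After a third-party WSC registration it reports real-time protection
    # off (or a passive running mode), which is exactly the effect Defendnot aims for.
    Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AMRunningMode
}

function Get-LogonTaskActions {
    # Defendnot persists through a Task Scheduler logon trigger. List every enabled task that
    # fires at logon together with what it executes, so an unfamiliar entry stands out.
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task  = $_
        $logon = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
        if ($logon.Count -gt 0) {
            foreach ($action in $task.Actions) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Author    = $task.Author
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

# --- Report ---
$products = @(Get-WscAntivirusState)
Write-Host "Antivirus products registered with WSC:"
$products | Format-Table DisplayName, RealTimeOn, Signatures, ExeExists, SignatureOk, Signer -AutoSize

# A product that claims real-time protection but is not backed by an existing, validly signed
# executable is the obvious red flag. A valid signature is NOT proof of legitimacy, though: the
# registration is made from inside a Microsoft-signed process, so compare against what you installed.
$suspect = $products | Where-Object { $_.RealTimeOn -and -not $_.IsUri -and -not $_.SignatureOk }
if ($suspect) {
    Write-Warning "WSC registration(s) with no validly signed executable behind them:"
    $suspect | Format-List DisplayName, InstanceGuid, ProductExe, ExeExists, SignatureOk
}

Write-Host "Microsoft Defender status:"
Get-DefenderState | Format-List

Write-Host "Enabled scheduled tasks with a logon trigger:"
Get-LogonTaskActions | Format-Table TaskPath, TaskName, Author, Execute, Arguments -AutoSize
```

The signature check catches sloppy fakes, but because the registration is performed from a Microsoft-signed process, a counterfeit entry can still point at a legitimately signed binary. The authoritative test is whether every product in the WSC list is one you actually installed; anything else, paired with Defender reporting real-time protection off, is the condition this tool produces.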

Although Defendnot is a research project, it demonstrates how a trusted system feature can be turned against the security controls it is meant to coordinate. Microsoft Defender currently detects and quarantines Defendnot as Win32/Sabsik.FL.!ml.
