Windows PCs at risk as new tool disarms built-in security

All modern Windows PCs come equipped with Microsoft Defender, the native antivirus solution designed to protect users from a multitude of threats. Over the years, this tool has evolved into a robust security application. However, a new tool named Defendnot poses a significant challenge by completely disabling Microsoft Defender without resorting to bugs or malware. Instead, it cleverly convinces Windows that another antivirus is already operational.

The tool works by pretending to be an antivirus

Windows is programmed to prevent the simultaneous operation of multiple antivirus programs. When a third-party antivirus is installed, Microsoft Defender is automatically disabled to avoid conflicts. Defendnot takes advantage of this mechanism by utilizing an undocumented API that security software employs to communicate with the Windows Security Center.

This tool registers a counterfeit antivirus that appears legitimate to the operating system. By using a dummy DLL and injecting it into Task Manager—a trusted Windows process—Defendnot successfully bypasses signature checks and permission blocks. Once the fake antivirus is registered, Windows disables Microsoft Defender without any notification or confirmation, leaving the system vulnerable.

Notably, no security alerts are triggered, and users are not made aware of the unprotected state of their machines unless they conduct a manual check. The tool also offers customizable options, allowing users to set a specific antivirus name, enable logging, and configure automatic startup. It ensures persistence by creating a scheduled task that activates each time the user logs in.
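The manual check the article refers to, written here as an added PowerShell audit script (not from the article or the Defendnot project): it compares what Windows Security Center believes is registered against what Defender itself reports, and lists logon-triggered scheduled tasks, the persistence method described above. Assumptions: an elevated session on Windows 10/11 with the Defender PowerShell module present; the productState bit decoding is the commonly documented but unofficial interpretation of that undocumented field.

```powershell
# Added audit script; not from the article or the Defendnot project.
# Run as Administrator on Windows 10/11 (PowerShell 5.1 or later).

# 1. What the OS believes: every antivirus registered with Windows Security Center.
#    productState bit 0x1000 = "product reports itself enabled" is the commonly
#    documented but unofficial decoding of this undocumented field (assumption).
function Get-RegisteredAntivirus {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $exe = [Environment]::ExpandEnvironmentVariables([string]$_.pathToSignedReportingExe)
            $signer = 'reporting executable not found on disk'
            if ($exe -and (Test-Path -LiteralPath $exe)) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                $signer = "$($sig.Status) / $($sig.SignerCertificate.Subject)"
            }
            [pscustomobject]@{
                Name         = $_.displayName
                ReportsOn    = (($_.productState -band 0x1000) -ne 0)
                ReportingExe = $exe
                Signature    = $signer
            }
        }
}

# 2. What Defender itself reports. A product you never installed showing up in
#    step 1 while AntivirusEnabled is False means the machine is unprotected
#    until that registration is explained.
function Get-DefenderState {
    Get-MpComputerStatus | Select-Object AMServiceEnabled, AntivirusEnabled,
        RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
}

# 3. Scheduled tasks that fire at logon. Built-in tasks under \Microsoft\ are
#    skipped to reduce noise; review every remaining entry and its command line.
function Get-LogonTasks {
    Get-ScheduledTask | Where-Object {
        $_.TaskPath -notlike '\Microsoft\*' -and
        ($_.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
    } | ForEach-Object {
        [pscustomobject]@{
            Task    = $_.TaskPath + $_.TaskName
            Command = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
}

Get-RegisteredAntivirus | Format-Table -AutoSize
Get-DefenderState | Format-List
Get-LogonTasks | Format-Table -AutoSize
```

A registered product whose reporting executable is missing or unsigned, paired with Defender reporting itself disabled, is the condition to investigate; the same three queries can be scheduled and their output forwarded to a log collector for fleet-wide monitoring.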

From GitHub takedown to a fresh build

Defendnot is a successor to an earlier project known as No-Defender, which gained notoriety for using code from an actual antivirus product to simulate registration. Following a copyright complaint from the original vendor, the project was removed. In response, the creator of Defendnot rebuilt the core features using original code, thus avoiding copyright issues while demonstrating the ease of manipulating Windows security from within the system.

Currently, Microsoft Defender flags Defendnot as a threat, identifying it under the name Win32/Sabsik.FL.!ml. However, the mere existence of this tool highlights a vulnerability in how Windows manages antivirus registration and trust.

6 ways to protect yourself from malicious programs

While Defendnot serves as a research project, it raises concerns about similar tools that may already exist and could compromise your PC. Here are several strategies to enhance your security:

  • Use strong antivirus software: A robust third-party antivirus with real-time protection and frequent updates can provide essential backup security, especially against tools like Defendnot that disable built-in defenses.
  • Limit exposure: Many exploits depend on user interaction, such as clicking dubious links or downloading compromised files. Stick to reputable websites and avoid unsolicited email attachments.
  • Avoid running unexpected commands: Be cautious when executing commands or scripts from unknown sources, as attackers often trick users into running malware.
  • Keep your software updated: Regular updates for your operating system, browsers, and applications are crucial, as they often include patches for security vulnerabilities.
  • Use two-factor authentication (2FA): Enabling 2FA on your accounts adds an extra layer of security, making it more difficult for attackers to gain access even if they have your password.
  • Invest in personal data removal services: These services help manage your online presence by tracking down and submitting removal requests for your personal information from data brokers, thereby reducing your digital footprint.