Source: BleepingComputer
Author: Lawrence Abrams
URL: https://www.bleepingcomputer.com/news/microsoft/new-defendnot-tool-tricks-windows-into-disabling-microsoft-defender/
ONE SENTENCE SUMMARY: The Defendnot tool abuses the undocumented Windows Security Center (WSC) API to switch off Microsoft Defender by registering a fake antivirus product.

MAIN POINTS:
- Defendnot disables Microsoft Defender by registering a fake antivirus product through the undocumented Windows Security Center (WSC) API.
- Windows turns Defender off automatically whenever another antivirus registers with WSC, so that two real-time engines do not conflict; Defendnot triggers that behaviour without providing any real protection.
- Researcher es3n1n built Defendnot on an earlier project, no-defender.
- no-defender was taken down from GitHub after a DMCA copyright claim because it relied on code from a third-party antivirus.
- Defendnot avoids that problem by shipping its own dummy antivirus DLL instead of third-party code.
- WSC is normally shielded by Protected Process Light (PPL), valid digital signatures and other checks, so an arbitrary process cannot simply call the registration API.
- Defendnot gets past those checks by injecting its DLL into Taskmgr.exe, a Microsoft-signed and trusted system process, and registering the fake antivirus with a chosen display name from inside it.
- The loader reads its settings from a ctx.bin file, which lets the user set the antivirus display name to register and enable verbose logging.
- Defendnot persists by adding itself to autorun through a Windows Task Scheduler task.
- Microsoft Defender now identifies and quarantines Defendnot as 'Win32/Sabsik.FL.!ml'.

TAKEAWAYS:
- The WSC registration path can be abused to switch off built-in defences: Windows trusts whatever product registers as an antivirus, with no check that it actually protects the host.
- Code running inside a trusted, Microsoft-signed process such as Task Manager inherits that trust, so injection into such processes is a practical way around PPL and signature requirements.
- Persistence through Task Scheduler is a reminder that scheduled tasks, their actions and the binaries they launch belong on the monitoring list.
- Microsoft Defender already detects and blocks the current Defendnot build, but that detection depends on up-to-date definitions; keep them current and do not rely on the detection name alone.
- Security teams should assume undocumented APIs like WSC can be reached from user land and should regularly audit which antivirus products are registered in WSC (the root/SecurityCenter2 WMI namespace) rather than trusting the Windows Security app's green status.
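The following PowerShell audit is an added example and is not part of the BleepingComputer article or the Defendnot project; it covers both the "audit registered antivirus products" and "monitor scheduled tasks" takeaways. It assumes an elevated session on Windows 10/11 with the Defender and ScheduledTasks modules present. The productState decoding is the commonly used unofficial one, not a documented Microsoft contract, and the "trusted directory" rule for scheduled tasks is a simple heuristic of my own, so treat both as assumptions.

```powershell
# Added audit script (not from the article or the Defendnot project).
# Assumptions: run elevated on Windows 10/11; productState decoding is unofficial;
# the scheduled-task directory heuristic is the author's own, not a Microsoft rule.

function Get-RegisteredAntivirus {
    # WSC exposes the products registered with it in the root/SecurityCenter2 namespace.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            # Unofficial decoding (assumption): middle byte of productState, high nibble 1 = enabled.
            $hex = '{0:x6}' -f [int]$_.productState
            [pscustomobject]@{
                DisplayName = $_.displayName
                Enabled     = ($hex.Substring(2, 1) -eq '1')
                ExePath     = $_.pathToSignedProductExe
                Registered  = $_.timestamp
            }
        }
}

function Test-AntivirusProduct {
    param([Parameter(Mandatory)] $Product)
    # A product that claims to protect the host should point at an existing, validly signed binary.
    $path = $Product.ExePath
    if ([string]::IsNullOrWhiteSpace($path) -or -not (Test-Path -LiteralPath $path)) {
        return "SUSPECT: '$($Product.DisplayName)' is registered with a missing executable '$path'"
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        return "SUSPECT: '$($Product.DisplayName)' executable '$path' has signature status $($sig.Status)"
    }
    return "OK: '$($Product.DisplayName)' -> $path (signer: $($sig.SignerCertificate.Subject))"
}

function Get-DefenderState {
    # Defender reports a passive/not-running mode when WSC has handed protection to another product.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RunningMode        = $s.AMRunningMode
        AntivirusEnabled   = $s.AntivirusEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
    }
}

function Get-SuspiciousScheduledTasks {
    # Heuristic (assumption): legitimate task actions launch from the Windows or Program Files roots.
    $trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }   # skip COM-handler and other non-exec actions
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
            $inTrusted = $false
            foreach ($root in $trusted) {
                if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
            }
            if (-not $inTrusted) {
                [pscustomobject]@{
                    Task      = "$($task.TaskPath)$($task.TaskName)"
                    RunAs     = $task.Principal.UserId
                    Execute   = $exe
                    Arguments = $a.Arguments
                }
            }
        }
    }
}

# Usage: run all three checks and print the findings.
'== Antivirus products registered with WSC (root/SecurityCenter2) =='
Get-RegisteredAntivirus | ForEach-Object { Test-AntivirusProduct -Product $_ }
'== Microsoft Defender state =='
Get-DefenderState | Format-List
'== Scheduled tasks launching from outside the Windows/Program Files roots =='
Get-SuspiciousScheduledTasks | Format-Table -AutoSize
```

A healthy host shows one registered product, Windows Defender, with Enabled true, Defender's AMRunningMode "Normal", and no scheduled task launching from a user-writable directory. An extra product whose executable is missing or unsigned, combined with Defender in a passive or not-running mode, is exactly the state this tool leaves behind and is worth an alert even before any signature fires.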