New ‘Defendnot’ tool tricks Windows into disabling Microsoft Defender

Source: BleepingComputer

Author: Lawrence Abrams

URL: https://www.bleepingcomputer.com/news/microsoft/new-defendnot-tool-tricks-windows-into-disabling-microsoft-defender/

ONE SENTENCE SUMMARY:

The Defendnot tool exploits an undocumented Windows API to disable Microsoft Defender by registering a fake antivirus product.

MAIN POINTS:

  1. Defendnot disables Microsoft Defender by registering a fake antivirus product through the Windows Security Center (WSC) API.
  2. Windows disables Defender automatically when another antivirus registers with WSC, to prevent conflicts between security products.
  3. Researcher es3n1n developed Defendnot based on an earlier project called no-defender.
  4. The earlier no-defender tool was removed from GitHub due to a DMCA copyright claim.
  5. Defendnot avoids legal issues by using a self-built dummy antivirus DLL rather than third-party code.
  6. Protected Process Light (PPL) and digital signatures normally safeguard the WSC API.
  7. Defendnot bypasses security by injecting its DLL into the trusted Microsoft-signed Taskmgr.exe process.
  8. The tool supports configuration through a ctx.bin file, including custom antivirus names and verbose logging.
  9. Defendnot achieves persistence by creating an autorun entry in Windows Task Scheduler.
  10. Microsoft Defender identifies and quarantines Defendnot as ‘Win32/Sabsik.FL.!ml’.

TAKEAWAYS:

  1. Windows Security Center API can be manipulated to disable built-in security defenses.
  2. Trusted processes like Task Manager can be exploited to bypass Windows security protections.
  3. Persistence mechanisms via Task Scheduler highlight the importance of monitoring scheduled tasks.
  4. Microsoft Defender actively detects and blocks Defendnot, showing that its detection coverage extends to tools of this kind.
  5. Security teams should be aware of undocumented APIs and should regularly audit the antivirus products registered with Windows Security Center.
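Takeaways 3 and 5 can be turned into a routine host check. The following PowerShell script is an added example, not code from the article or from the Defendnot project; it assumes a client edition of Windows (the root/SecurityCenter2 WMI namespace is not present on Windows Server) and an elevated session. It lists every antivirus product registered with WSC and flags entries whose signed executable is missing or fails signature validation, reports Defender's running mode, and lists scheduled tasks whose action launches a binary outside the Windows and Program Files directories.

```powershell
# Added audit script (assumptions: client Windows, elevated PowerShell, Defender module present).

function Get-WscAntivirusAudit {
    # Every product registered with Windows Security Center, with a basic sanity check
    # on the executable the registration points at.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $exe = $_.pathToSignedProductExe -replace '"', ''
            $sig = if ($exe -and (Test-Path -LiteralPath $exe)) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
            [pscustomobject]@{
                DisplayName  = $_.displayName
                ProductExe   = $exe
                ProductState = ('0x{0:X6}' -f $_.productState)   # raw WSC state word, kept for reference
                Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
                # Flag registrations whose binary is absent or whose Authenticode signature does not validate.
                # A legitimate third-party AV will still appear here; review the vendor name manually.
                Suspicious   = (-not $sig) -or ($sig.Status -ne 'Valid')
            }
        }
}

function Get-DefenderMode {
    # 'Normal' is the expected AMRunningMode when no other antivirus is registered;
    # 'Passive Mode' or 'Not running' with no known third-party AV installed warrants investigation.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled   = $s.AntivirusEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        RunningMode        = $s.AMRunningMode
    }
}

function Get-UntrustedTaskActions {
    # Scheduled tasks whose executable lives outside the usual system locations.
    $trusted = '^(%SystemRoot%|%windir%|C:\\Windows|C:\\Program Files)'
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $exe = ($a.Execute -replace '"', '')
            if ($exe -and $exe -notmatch $trusted) {
                [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; Execute = $exe; Arguments = $a.Arguments }
            }
        }
    }
}

Get-WscAntivirusAudit | Format-Table -AutoSize
Get-DefenderMode
Get-UntrustedTaskActions | Format-Table -AutoSize
```

The script reports rather than remediates; pair it with a baseline of the antivirus products and scheduled tasks expected on each host so that a newly registered product or a new autorun task stands out.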