Defendnot, a sophisticated new tool that effectively disables Windows Defender by exploiting the Windows Security Center (WSC) API to register itself as a legitimate antivirus solution.\u00a0<\/p>\n
The Windows Security Center service is designed to ensure Windows computers maintain adequate security protection.\u00a0<\/p>\n
When third-party antivirus software<\/a> is installed, it registers with WSC, which then automatically disables Windows Defender to prevent conflicts.<\/p>\n Developed by a GitHub developer known as \u201ces3n1n\u201d, the tool is noteworthy for its direct interaction with WSC without relying on code from existing antivirus products.<\/p>\n This release comes approximately one year after the developer\u2019s previous tool, \u201cno-defender,\u201d was removed following a DMCA takedown request.<\/p>\n \u201cThere\u2019s a WSC (Windows Security Center) service in Windows which is used by antiviruses to let Windows know that there\u2019s some other antivirus in the hood and it should disable Windows Defender,\u201d the developer shared in a report<\/a> with Cyber Security News.\u00a0<\/p>\n \u201cThis WSC API is undocumented and furthermore requires people to sign an NDA with Microsoft to get its documentation.\u201d<\/p>\n According to the developer\u2019s detailed blog post, creating defendnot involved extensive reverse engineering of the WSC service and identifying the process validation mechanisms Microsoft employs.\u00a0<\/p>\n The project faced significant technical challenges, including understanding how WSC validates calling processes before allowing them to register as antivirus solutions.<\/p>\n A critical discovery was that WSC performs checks on processes attempting to register, including verifying the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY flag in the PE header and examining digital signatures.\u00a0<\/p>\n The Task Manager (Taskmgr.exe) met these requirements and could be used as a \u201cvictim process\u201d to host the defendnot code.<\/p>\n The tool uses COM interfaces to interact with WSC, registering a phantom antivirus product. When Windows detects this \u201cantivirus,\u201d it automatically disables its built-in protection.\u00a0<\/p>\n Security researcher Will Dormann highlighted the tool on social media, noting that it \u201cuses this technique to install a null AV product, thus having the effect of simply disabling Microsoft Defender<\/a>.\u201d<\/p>\n Technically, defendnot implements interfaces such as IWSCProductList to interact with WSC and utilizes undocumented Windows API<\/a>s that Microsoft typically only shares with certified antivirus vendors through their Microsoft Virus Initiative (MVI) program under NDA.<\/p>\n The tool includes several commands:<\/p>\n One limitation noted by the developer is that \u201cto keep this WSC stuff even after reboot, defendnot adds itself to the autorun. Thus, you would need to keep the defendnot binaries on your disk.\u201d<\/p>\n While the tool demonstrates impressive technical knowledge and reverse engineering<\/a> skills, security experts caution that such utilities could potentially be misused by malware authors seeking to disable security protections.\u00a0<\/p>\n However, it\u2019s worth noting that defendnot requires administrative privileges to function, limiting its potential for covert deployment.<\/p>\n For security researchers and administrators, this tool provides valuable insights into how Windows manages security product integration and highlights potential areas where Microsoft\u2019s security architecture could be strengthened to prevent similar bypasses in the future.<\/p>\n Setting Up SOC Team? \u2013 Download Free Ultimate SIEM Pricing Guide (PDF) For Your SOC Team ->\u00a0<\/strong><\/strong>Free Download<\/strong><\/a><\/p>\n The post Defendnot \u2014 A New Tool That Disables Windows Defender by Posing as an Antivirus Solution<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n\nDefendnot<\/strong> Disable Windows Defender<\/strong>
\n<\/h2>\n![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXf70dWboPS_Ykd-5XbYz5nk8x3dwbh0NUmhRgV6xnH93CehY9cuTOKoufc3lOenoWwK2P5B381MMwpdjGMbM5sD5ri0lIZR36UnKEIcZLy2Fu6NNlGkYes_Ls2RsNRzEkK1iQyuaA?key=0BNoEev6JG98uaaa0QBStQ\")
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcW_BpcXOx6J227KvMA2z9UxLn1Y2R7Ke7IYvpbfEfC_4fy4HcURL_o-009Ti1pZafOfoMj4czxwhhHcir-5QH9bX6ne3QRw1qt5fRMTM14TJFTcQP3uz978ExNIctmKYEEyqFjBQ?key=0BNoEev6JG98uaaa0QBStQ\")
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXd05dWYdAZq-xO5fr-8ROXlkCSA0BP-4hGk1LqlhHFmM7kSZfwQuBGlwp9XTDw3vJBH9f2xK2s25_T2Wu7-qzSIjtkhv5N1-iNlm-YYahDDO-7QReIjM-tL5-JqVUOOybF1H8sNEw?key=0BNoEev6JG98uaaa0QBStQ\")