This new Defendnot trojan can get Windows to disable its own antivirus software
It tricks your computer into disarming all of its own built-in protections.

A researcher referred to as es3n1n has developed a tool called Defendnot that is capable of tricking a Windows computer into disabling Microsoft Defender, leaving the device completely unprotected against malware.
By registering a fake antivirus product, Defendnot convinces Windows to turn off its built-in Microsoft Defender antivirus, which Windows does by design so that two real-time scanners don't conflict with each other.
As reported by Bleeping Computer, Defendnot can do this even when there is no actual antivirus software installed on the machine by using an undocumented API in the Windows Security Center (WSC) – the same one used by legitimate antivirus software – to inform Windows that it’s properly installed and handling the real-time protection for the system.
Then, a few weeks after the release, the project blew up quite a bit and gained ~1.5k stars; after that the developers of the antivirus I was using filed a DMCA takedown request, and I didn't really want to do anything with that, so I just erased everything and called it a day.
Developer es3n1n in a blog post
Once the registration step is complete, Defender immediately shuts itself off to avoid a conflict, leaving the computer without active antivirus protection. The Defendnot tool also includes a loader that passes configuration data through a ctx.bin file, allowing users to set the name of the fake antivirus product to anything they like. Defendnot also creates an autorun entry through the Task Scheduler, so it starts again each time you log in to Windows.
It's based on an earlier project by the same researcher called "no-defender," which laid the groundwork by reusing code from a third-party antivirus product to spoof the Windows Security Center registration. The vendor of that product filed a DMCA takedown request, and the project was pulled from GitHub.
Defendnot learned from this and builds the fake antivirus from scratch as a dummy DLL, so it contains no third-party code to infringe on. It injects that DLL into Taskmgr.exe, a Microsoft-signed system process that Windows already trusts, and from inside that process registers the dummy antivirus under whatever display name the user has chosen.
Though it is a research project, Defendnot demonstrates how easily a trusted system feature can be turned into a security issue. Microsoft Defender currently detects and quarantines Defendnot as a trojan based on its own machine learning model.
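As an added practical check, and not code from the article or from the Defendnot project: the PowerShell script below looks for the three artefacts the article describes on a machine, namely an antivirus product registered with Windows Security Center that you did not install, Defender having switched off its real-time protection, and a logon-triggered scheduled task that runs an unsigned program. The expected-product list, the reading of the undocumented productState field, and the treatment of "unsigned" as suspicious are assumptions you should adjust for your own environment.

```powershell
# Added audit script (not from the article or the Defendnot project).
# Run in an elevated PowerShell on a Windows 10/11 client; the
# root/SecurityCenter2 namespace does not exist on Windows Server editions.
param(
    # Assumption: a machine that relies on Defender only. Add the display
    # names of any third-party products you actually deploy.
    [string[]] $ExpectedProducts = @('Windows Defender')
)

function Get-SignatureState([string] $Path) {
    # Turn a task/WSC program reference into a real file and return its
    # Authenticode status, or 'Missing' if it cannot be resolved.
    if (-not $Path) { return 'Missing' }
    $p = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not (Test-Path -LiteralPath $p)) {
        $cmd = Get-Command $p -ErrorAction SilentlyContinue   # bare names like cmd.exe
        if ($cmd) { $p = $cmd.Source } else { return 'Missing' }
    }
    return (Get-AuthenticodeSignature -FilePath $p).Status.ToString()
}

$report = New-Object System.Collections.Generic.List[object]

# 1. Every product WSC believes is handling real-time protection. A spoofed
#    entry can point at a legitimately signed binary, so the name allowlist
#    is the check that matters; the signature is extra context.
foreach ($av in Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct) {
    $state   = [uint32] $av.productState
    $enabled = ($state -band 0x1000) -ne 0      # assumption: commonly used, undocumented "on" bit
    $sig     = Get-SignatureState $av.pathToSignedProductExe
    $report.Add([pscustomobject]@{
        Check      = 'WSC registration'
        Item       = $av.displayName
        Detail     = ('enabled={0} exe={1} signature={2} state=0x{3:X6}' -f $enabled, $av.pathToSignedProductExe, $sig, $state)
        Suspicious = ($av.displayName -notin $ExpectedProducts) -or ($sig -ne 'Valid')
    })
}

# 2. Defender's own view. Once WSC accepts another product Defender stops
#    real-time protection, which is also what a genuine third-party product
#    causes, so read this together with the registration list above.
$mp = Get-MpComputerStatus
$report.Add([pscustomobject]@{
    Check      = 'Defender status'
    Item       = 'Real-time protection'
    Detail     = ('RealTimeProtectionEnabled={0} AntivirusEnabled={1} AMRunningMode={2}' -f $mp.RealTimeProtectionEnabled, $mp.AntivirusEnabled, $mp.AMRunningMode)
    Suspicious = -not $mp.RealTimeProtectionEnabled
})

# 3. Scheduled tasks that fire at logon and run a missing or unsigned program.
foreach ($task in Get-ScheduledTask) {
    $atLogon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if (-not $atLogon) { continue }
    foreach ($action in ($task.Actions | Where-Object { $_.Execute })) {
        $sig = Get-SignatureState $action.Execute
        $report.Add([pscustomobject]@{
            Check      = 'Logon task'
            Item       = "$($task.TaskPath)$($task.TaskName)"
            Detail     = ('exe={0} args={1} signature={2}' -f $action.Execute, $action.Arguments, $sig)
            Suspicious = $sig -ne 'Valid'
        })
    }
}

$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Treat the first section as the authoritative one: an unfamiliar display name in the WSC list, with Defender reporting real-time protection off, is the combination the article describes. The logon-task check will also list benign tasks whose program is unsigned or could not be resolved, so review those lines rather than acting on them automatically.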
How to stay safe
Because Defendnot is a research project, and Defender already quarantines it, it is not currently putting any particular systems at risk. There are also no details yet on how Defendnot behaves on a computer that already runs third-party antivirus software alongside Windows Defender.
That being said, users who want the best level of protection for their Windows PCs should use either one of the best antivirus software programs or the built-in protection provided by Windows Defender, and make sure whichever one they rely on is actually switched on. Third-party security suites usually provide excellent malware protection and added features like parental controls, a VPN, and a password manager that can help keep you safe while online.
Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps.