A spoof antivirus makes Windows Defender disable security scans

Windows Defender can be tricked into disabling itself by faking the presence of another antivirus solution, a behavior that threat actors can abuse to run malicious code without detection.

In a proof-of-concept, a security researcher known as “es3n1n” demonstrated how the Windows Security Center (WSC) API can be used to stop Microsoft’s built-in antivirus tool from running scans.

The researcher named their POC tool “defendnot” and said they had earlier worked on a similar project.

“Almost exactly one year ago I released a tool no-defender, a project that was disabling Windows Defender using the special windows api (WSC) made for antivirus to let the system know that there is another antivirus so there is no need to run defender scans,” the researcher said in a blog post.

Defender was silenced without using any antivirus

In their previous project, es3n1n used third-party code from an existing antivirus to register a fake antivirus program with WSC. With defendnot, however, they chose to develop a clean, standalone solution without third-party dependencies.

WSC uses a COM-based API to manage the list of security products (antivirus) on the system. Antivirus software uses this interface to report its status. es3n1n’s task was to manipulate this API to register a ghost antivirus that looks legitimate to WSC.

This wasn’t an easy feat, as Windows has checks to ensure the antivirus is real, involving registry names and signed binaries. The researcher used tools like dnSpy, Process Monitor, and manual inspection to see how legitimate antivirus tools behaved when registering with WSC.

“From my last year’s courtesy, I knew that WSC was somehow validating the process that calls these APIs, my guess was that they are validating the signatures, which was indeed a correct guess,” es3n1n added.

es3n1n’s earlier project, no-defender, was removed from GitHub following a DMCA takedown request by the software vendor.

Persistent API-level spoofing

While WSC is typically guarded by mechanisms like Protected Process Light (PPL) and signature validation, defendnot sidesteps these barriers by injecting its code into Taskmgr.exe, a system-signed, trusted process. From there, it registers the ghost antivirus entry under a spoofed name.

Additionally, to ensure it sticks around, defendnot sets up persistence via Windows Task Scheduler, launching itself automatically at login.

The POC broadly makes three points: it shows how security products interact with the OS under the hood, it demonstrates that API-level spoofing can trick even trusted components like Defender, and it suggests that relying solely on WSC to decide whether an antivirus is present is risky.
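Because WSC only records what a product claims about itself, a defender can cross-check its registrations against Defender’s own status and against on-disk evidence. The script below is an added example written for this article; it is not code from the original page or from the defendnot project. It assumes Windows PowerShell 5.1 or later on a machine where the Defender module (Get-MpComputerStatus) is available, and it uses the WMI class AntiVirusProduct in root/SecurityCenter2, whose property names are the documented ones.

```powershell
# Added example (not from the article or the defendnot project).
# Audits what Windows Security Center believes, what Defender itself reports,
# and which scheduled-task actions point at unsigned or missing executables.

function Get-WscAntivirusAudit {
    # WSC exposes registered antivirus products through WMI in root/SecurityCenter2.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            # Defender's own entry uses a URI (windowsdefender://) for the product exe,
            # so prefer the reporting exe and fall back to the product exe only when it is a file path.
            $candidate = $_.pathToSignedReportingExe
            if (-not $candidate -or $candidate -match '://') { $candidate = $_.pathToSignedProductExe }
            $resolved = if ($candidate -and $candidate -notmatch '://') {
                [Environment]::ExpandEnvironmentVariables($candidate.Trim('"'))
            } else { $null }

            $onDisk    = [bool]($resolved -and (Test-Path -LiteralPath $resolved))
            $signature = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $resolved).Status } else { 'NoFile' }

            # productState is a bitfield. The widely used (undocumented) reading is that the
            # middle byte equal to 0x10 or 0x11 means "product reports itself as enabled".
            $hex = '{0:X6}' -f [int]$_.productState
            $reportsEnabled = $hex.Substring(2, 2) -in @('10', '11')

            [pscustomobject]@{
                DisplayName    = $_.displayName
                InstanceGuid   = $_.instanceGuid
                Binary         = $resolved
                BinaryOnDisk   = $onDisk
                Signature      = $signature
                ReportsEnabled = $reportsEnabled
                # A registered AV with no validly signed binary behind it is worth a closer look.
                Suspicious     = (-not $onDisk) -or ($signature -ne 'Valid')
            }
        }
}

function Get-DefenderModeSummary {
    # Defender's own view. When WSC has another AV registered, Defender drops to passive mode
    # and stops its real-time and scheduled scanning, which is exactly the effect described above.
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled          = $mp.AntivirusEnabled
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        RunningMode               = $mp.AMRunningMode   # e.g. 'Normal' vs 'Passive Mode'
    }
}

function Get-UnsignedTaskActionAudit {
    # The POC persists through Task Scheduler, so list task actions whose executable is
    # missing or not validly signed. Actions without an Execute value are COM-handler actions.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            # Bare names such as cmd.exe resolve through PATH; skip them here rather than guess.
            if (-not [System.IO.Path]::IsPathRooted($exe)) { continue }
            $exists = Test-Path -LiteralPath $exe
            $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'NoFile' }
            if ($status -ne 'Valid') {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Execute   = $exe
                    Arguments = $action.Arguments
                    Signature = $status
                }
            }
        }
    }
}

Get-WscAntivirusAudit       | Format-Table -AutoSize
Get-DefenderModeSummary
Get-UnsignedTaskActionAudit | Format-Table -AutoSize
```

Read the three outputs together: an AntiVirusProduct row marked Suspicious alongside a Defender RunningMode of passive is the combination that the spoofing described in the article produces. The task audit only inspects the action’s executable; a signed interpreter such as powershell.exe launching an unsigned script will not be flagged, so review the Arguments column as well.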

While Microsoft did not respond to emailed questions by the time of publication, there’s online chatter about Microsoft catching up to defendnot and currently flagging the tool as Win32/Sabsik.FL.!ml, a general heuristic classification used by Defender for potentially malicious or suspicious software.
