{"id":3244,"date":"2025-05-19T11:30:11","date_gmt":"2025-05-19T11:30:11","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3244"},"modified":"2025-05-19T11:30:11","modified_gmt":"2025-05-19T11:30:11","slug":"a-spoof-antivirus-makes-windows-defender-disable-security-scans","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3244","title":{"rendered":"A spoof antivirus makes Windows Defender disable security scans"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Windows Defender can be tricked into disabling itself by faking the presence of another antivirus solution\u2013a behavior that threat actors can abuse to run malicious code without detection.<\/p>\n<p>In a proof-of-concept, a security researcher known as \u201ces3n1n\u201d demonstrated how registering a fake product through the Windows Security Center (WSC) API causes Microsoft\u2019s built-in antivirus to stop scanning.<\/p>\n<p>The researcher named their POC tool \u201cdefendnot\u201d and said they had earlier worked on a similar project.<\/p>\n<p>\u201cAlmost exactly one year ago I released a tool no-defender, a project that was disabling Windows Defender using the special Windows API (WSC) made for antivirus to let the system know that there is another antivirus so there is no need to run Defender scans,\u201d the researcher said in a <a href=\"https:\/\/blog.es3n1n.eu\/posts\/how-i-ruined-my-vacation\/\">blog post<\/a>.<\/p>\n<p>A Microsoft spokesperson said,\u00a0\u201cThis proof-of-concept tool requires administrator privileges and is detected by our security products. 
We recommend customers follow best practices, including using roles with the fewest permissions needed and running an up-to-date security solution.\u201d <\/p>\n<h2 class=\"wp-block-heading\">Defender was silenced without using any antivirus<\/h2>\n<p>In their previous project, es3n1n reused code from an existing third-party antivirus to register a fake antivirus product with WSC. With defendnot, they chose instead to build a clean, standalone tool with no third-party dependencies.<\/p>\n<p>WSC exposes a COM-based API for managing the list of security products (antivirus, firewall and so on) registered on the system. Antivirus software uses this interface to announce itself and to report whether it is enabled and up to date. Windows Defender, in turn, switches off its own protection by design as soon as another antivirus is registered as enabled, so that two engines do not run side by side. es3n1n\u2019s task was therefore to drive this <a href=\"https:\/\/www.csoonline.com\/article\/646557\/why-api-attacks-are-increasing-and-how-to-avoid-them.html\">API<\/a> to register a ghost antivirus that looks legitimate to WSC even though no scanning engine exists behind it.<\/p>\n<p>This wasn\u2019t an easy feat, as Windows has checks to ensure the registering antivirus is real, involving registry names and signed binaries. 
The researcher used dnSpy, Process Monitor and manual inspection to see how legitimate antivirus tools behaved when registering with WSC.<\/p>\n<p>\u201cFrom my last year\u2019s courtesy, I knew that WSC was somehow validating the process that calls these APIs; my guess was that they are validating the signatures, which was indeed a correct guess,\u201d es3n1n added.<\/p>\n<p>es3n1n\u2019s earlier project, no-defender, was removed from <a href=\"https:\/\/github.com\/es3n1n\/no-defender\">GitHub<\/a> following a <a href=\"https:\/\/www.csoonline.com\/article\/510403\/application-security-hidden-holes-dmca-and-software-vulnerabilities.html\">DMCA<\/a> takedown request from the vendor of the antivirus whose code it reused.<\/p>\n<h2 class=\"wp-block-heading\">Persistent API-level spoofing<\/h2>\n<p>While WSC is guarded by mechanisms like Protected Process Light (PPL) and signature validation of the calling process, defendnot sidesteps these barriers by injecting its code into Taskmgr.exe, a Microsoft-signed, trusted process, so that its WSC calls appear to originate from a binary that passes the caller check. 
From there, it registers the ghost antivirus entry under a spoofed name.<\/p>\n<p>To make sure it sticks around, defendnot also sets up persistence via Windows Task Scheduler, creating a task that launches it automatically at login.<\/p>\n<p>The POC makes three broad points. It shows how security products interact with the OS under the hood; it shows that API-level spoofing can fool even trusted components like Defender; and it suggests that relying on WSC registration alone to decide whether a machine is protected is risky, since WSC records what a product claims about itself, not whether a scanning engine is actually running.<\/p>\n<p>Microsoft did not answer further emailed questions by the time of publication, but there\u2019s <a href=\"https:\/\/malwaretips.com\/threads\/how-i-ruined-my-vacation-by-reverse-engineering-wsc-windows-security-center.135791\/post-1126210\">online chatter<\/a> about Microsoft catching up with defendnot and now flagging the tool as Win32\/Sabsik.FL.!ml\u2013a generic heuristic, machine-learning classification that Defender applies to potentially malicious or suspicious software.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Windows Defender can be tricked into disabling itself by faking the presence of another antivirus solution\u2013a behavior that threat actors can abuse to run malicious code without detection. In a proof-of-concept, a security researcher known as \u201ces3n1n\u201d demonstrated how registering a fake product through the Windows Security Center (WSC) API causes Microsoft\u2019s built-in antivirus to stop scanning. 
The researcher [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3225,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3244","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3244"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3244"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3244\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3225"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3244"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3244"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3244"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
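The article describes WSC as the single source of truth Defender consults before standing down, and a scheduled task as defendnot's persistence. The script below is an added example written for this page; it is not code from the article, from es3n1n or from defendnot. It audits what WSC currently believes about antivirus on a host and cross-checks that against Defender's own status, then lists logon-triggered scheduled tasks whose action is not a validly signed executable. Assumptions, labelled as such: the `productState` byte layout is the widely used community decoding rather than an official Microsoft contract; Defender's own registration uses a `windowsdefender://` URI rather than a file path; the function names are mine; and because the article does not say what name or path defendnot registers, the checks are generic (an enabled third-party entry whose product binary is missing or unsigned) rather than a signature for that tool. Run it from an elevated PowerShell prompt on a Windows client.

```powershell
# Added example (not from the article or from defendnot): audit what Windows
# Security Center (WSC) believes about antivirus and cross-check it against
# Defender's own view. Requires an elevated prompt and the Defender and
# ScheduledTasks modules that ship with Windows client editions.

function ConvertFrom-WscProductState {
    param([Parameter(Mandatory)][uint32]$State)
    # ASSUMPTION: community-documented layout of the 24-bit productState.
    #   middle byte 0x10/0x11 = product enabled, 0x00/0x01 = disabled
    #   low byte    0x00      = definitions up to date, 0x10 = out of date
    $hex = '{0:X6}' -f $State
    [pscustomobject]@{
        Raw      = $hex
        Enabled  = ($hex.Substring(2, 2) -in '10', '11')
        UpToDate = ($hex.Substring(4, 2) -eq '00')
    }
}

function Test-WscProductBinary {
    param([string]$Path)
    # WSC stores a free-form string: Defender registers a URI, real products a
    # file path. Anything that is neither an existing, validly signed file nor
    # a URI deserves a closer look. Bare names without a directory are not
    # resolved through PATH here and will show up as FileNotFound.
    if ([string]::IsNullOrWhiteSpace($Path)) { return 'MissingPath' }
    if ($Path -match '^[a-z][a-z0-9+.-]*://') { return 'Uri' }
    $file = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { return 'FileNotFound' }
    $sig = Get-AuthenticodeSignature -LiteralPath $file
    if ($sig.Status -ne 'Valid') { return "Signature:$($sig.Status)" }
    return "SignedBy:$($sig.SignerCertificate.Subject)"
}

function Get-WscAntivirusAudit {
    # root/SecurityCenter2 is the WMI view of the WSC product list.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'
    foreach ($p in $products) {
        $state = ConvertFrom-WscProductState -State $p.productState
        [pscustomobject]@{
            DisplayName  = $p.displayName
            InstanceGuid = $p.instanceGuid
            Enabled      = $state.Enabled
            UpToDate     = $state.UpToDate
            ProductExe   = $p.pathToSignedProductExe
            ExeCheck     = Test-WscProductBinary -Path $p.pathToSignedProductExe
            Registered   = $p.timestamp
        }
    }
}

$audit = Get-WscAntivirusAudit
$audit | Format-Table -AutoSize

# Cross-check: Defender stands down when WSC shows another enabled product.
# If that product has no validly signed binary behind it, WSC has been fed a
# claim rather than a real engine, which is exactly the article's scenario.
$third = @($audit | Where-Object { $_.Enabled -and $_.DisplayName -notmatch 'Defender' })
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($third.Count -gt 0 -and $mp -and -not $mp.RealTimeProtectionEnabled) {
    Write-Warning "Defender real-time protection is off; WSC trusts: $($third.DisplayName -join ', ')"
    $third | Where-Object { $_.ExeCheck -notmatch '^SignedBy:' } | ForEach-Object {
        Write-Warning "Registered AV '$($_.DisplayName)' has no validly signed product binary ($($_.ExeCheck))"
    }
}

# Persistence angle from the article: logon-triggered scheduled tasks whose
# action is not a validly signed executable.
Get-ScheduledTask |
    Where-Object { $_.Triggers.CimClass.CimClassName -contains 'MSFT_TaskLogonTrigger' } |
    ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }   # COM-handler actions have no Execute
            $check = Test-WscProductBinary -Path $a.Execute
            if ($check -notmatch '^SignedBy:') {
                [pscustomobject]@{ Task = $task.TaskName; Path = $task.TaskPath; Execute = $a.Execute; Check = $check }
            }
        }
    } | Format-Table -AutoSize
```

The first table is what Defender itself acts on: if a non-Defender row shows `Enabled = True` while `Get-MpComputerStatus` reports real-time protection off, the second block names the product WSC is trusting and whether a signed executable actually exists at the path it registered. Treat a `FileNotFound` or `Signature:` result on an enabled third-party row as a high-priority lead, and pair it with the scheduled-task listing to find how the entry is being re-established at each login.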