Microsoft Defender Disabled? DefendNot Could Be the New Reason

Written by Jonathan Montoya | May 19, 2025 10:14:11 PM

There's a new tool that's getting people talking: it's called DefendNot and it can disable Microsoft Defender on Windows computers. The funny thing? It does it by making the system believe that there is already another antivirus installed, although in reality there is none.

How does it do it? By using a somewhat technical but very clever trick: it takes advantage of an internal Windows Security Center API, the same one used by real antivirus programs to tell Windows that they are in charge of protecting the computer.

When Windows “thinks” that another antivirus is already working, it automatically shuts down Microsoft Defender to prevent them from clashing with each other. And that's where DefendNot comes in: it tricks the system into shutting down its own antivirus without raising suspicions.

How DefendNot tricks Windows into shutting down Microsoft Defender

The DefendNot tool, created by the researcher known as es3n1n, does something quite ingenious: it masquerades as a fake antivirus, but so well done that Windows believes it without hesitation. It does this by abusing an internal system API, bypassing all the checks that would normally set off alarm bells.

This idea did not come out of nowhere. In fact, DefendNot is inspired by an earlier project called no-defender, which used parts of real antivirus code to fool Windows. That project, however, had to disappear from GitHub after the company behind the original antivirus sent a legal complaint (a DMCA takedown request).

As the creator himself tells in his blog: "A few weeks after launching no-defender, the project started to gain popularity and reached about 1,500 stars. Then, the developers of the antivirus whose code I used sent a DMCA, and the truth is... I didn't want to complicate things, so I deleted everything and left it there".

Having learned that lesson, DefendNot was built from scratch, this time without any third-party code. Instead of copying another antivirus, its author wrote a fake DLL of his own that satisfies everything Windows expects to see.

Normally, this Windows Security Center API is well protected: a caller must run as a Protected Process Light (PPL), carry a valid digital signature and pass other security checks. DefendNot found a way around those barriers: it injects its code into a trusted system process that is already signed by Microsoft, such as Taskmgr.exe (the Task Manager). From there, it can register the fake antivirus without Windows suspecting anything.

The result? As soon as that “phantom antivirus” is registered, Microsoft Defender automatically shuts down, leaving the device without any active protection.

DefendNot registered on a device (Source: BleepingComputer)

DefendNot also comes with a small loader that reads custom settings from a file called ctx.bin. Through it you can choose the name the fake antivirus will display, disable logging, or enable a verbose logging mode that shows everything the tool is doing.

And if that wasn't enough, to keep it running every time you turn on the computer, it configures an automatic task in the Windows Task Scheduler. This way, it runs by itself when you log on, without you having to do anything.
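A defender-side audit of the state the article describes, added here as an example and not code from DefendNot, its author or Microsoft: it lists every antivirus product registered with Windows Security Center and checks whether the claimed product binary exists on disk and carries a valid Authenticode signature, reports whether Defender has dropped into passive mode, and lists logon-triggered scheduled tasks that run from outside the usual install directories. It assumes the root/SecurityCenter2 WMI namespace and the Defender PowerShell module are available, and that a spoofed registration shows up as an ordinary AntiVirusProduct entry (an assumption, not something the article states).

```powershell
# Added example, not DefendNot's or Microsoft's code: audits what Windows Security Center
# (WSC) believes about antivirus coverage. Assumes Windows 10/11 with the root/SecurityCenter2
# WMI namespace and the Defender module, and that a spoofed registration appears as an
# AntiVirusProduct entry (assumption, not stated by the article).

function Get-WscAntivirusAudit {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $exe    = [Environment]::ExpandEnvironmentVariables([string]$_.pathToSignedProductExe)
            $isPath = $exe -match '\\'                       # Defender itself reports 'windowsdefender://'
            $exists = $isPath -and (Test-Path -LiteralPath $exe -PathType Leaf)
            $status = if ($isPath) { 'NoFile' } else { 'NotAFilePath' }; $signer = $null
            if ($exists) {
                $sig    = Get-AuthenticodeSignature -FilePath $exe
                $status = $sig.Status.ToString()
                $signer = $sig.SignerCertificate.Subject
            }
            # WSC records only what the caller claimed; a registered product whose
            # binary is missing or not validly signed is the pattern to investigate.
            [pscustomobject]@{
                DisplayName  = $_.displayName
                ProductExe   = $exe
                Signature    = $status
                Signer       = $signer
                ProductState = ('0x{0:X6}' -f $_.productState)
                Suspicious   = $isPath -and ($status -ne 'Valid')
            }
        }
}

function Get-DefenderModeSummary {
    # 'Passive Mode' means Defender has stepped aside for another registered AV.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RunningMode        = $s.AMRunningMode
        AntivirusEnabled   = $s.AntivirusEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
    }
}

function Get-LogonTasksOutsideSystemDirs {
    # Logon-triggered tasks that run from outside the usual install roots deserve a second look.
    Get-ScheduledTask | ForEach-Object {
        $t = $_
        if (-not ($t.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })) { return }
        $t.Actions | Where-Object { $_.Execute } | ForEach-Object {
            [pscustomobject]@{ Task = $t.TaskPath + $t.TaskName; Execute = $_.Execute; Arguments = $_.Arguments }
        }
    } | Where-Object { $_.Execute -notmatch '^"?(C:\\Program Files|C:\\Windows|%SystemRoot%|%windir%|%ProgramFiles%)' }
}
```

Run Get-WscAntivirusAudit, Get-DefenderModeSummary and Get-LogonTasksOutsideSystemDirs from an elevated PowerShell session; an entry flagged Suspicious together with a RunningMode of Passive Mode is the combination worth escalating.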

Although DefendNot is presented as a research project, it demonstrates how legitimate system functions can be exploited to disable your computer's security. It's a reminder of sorts that even the most trusted tools can be used in unexpected ways.

Luckily, Microsoft Defender is already detecting and blocking DefendNot, flagging it as a threat under the name ‘Win32/Sabsik.FL.!ml’ and quarantining it automatically.