Endpoint/Device Security, Threat Intelligence

Microsoft Defender deactivated by new tool

Microsoft Defender website.

Microsoft Defender could be disabled using the new "Defendnot" tool, which exploits an undocumented Windows Security Center API to register a bogus antivirus product that circumvents Windows' verification process, BleepingComputer reports.

Developed by cybersecurity researcher es3n1n, Defendnot bypasses the WSC API's defenses, such as Protected Process Light and digital signature checks, by injecting a DLL into the Taskmgr.exe process, from which the fake antivirus product is then registered. Defendnot also ships a loader that supports customized antivirus names, registration deactivation, and verbose logging, and it can be run automatically via the Windows Task Scheduler for persistence. Defendnot, which is being tracked and quarantined as 'Win32/Sabsik.FL.!ml', was noted as a replacement for the older no-defender tool, which was taken down from GitHub following a DMCA takedown. "[A]fter a few weeks after the release [of no-defender], the project blew up quite a bit and gained ~1.5k stars, after that the developers of the antivirus I was using filed a DMCA takedown request and I didn't really want to do anything with that so just erased everything and called it a day," said es3n1n.
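The defender-side concern in the paragraph above is that Windows Security Center can end up trusting an antivirus registration that no product actually backs, at which point Defender stands down. The following PowerShell is an added example, not code from the SC Media article or from the Defendnot project: it inventories what Security Center currently has registered, asks the Defender engine directly whether it is still protecting the host, and lists scheduled-task actions that launch from outside the usual program directories, since the article notes Task Scheduler is used for persistence. It assumes an elevated session on Windows 10/11 with the Defender module present; the `$ExpectedAv` allowlist is a placeholder the reader replaces with the products actually deployed, and the productState decoding is the widely used community interpretation, not an officially documented one.

```powershell
# Added example; not code from the SC Media article or from the Defendnot project.
# Assumptions: elevated PowerShell on Windows 10/11 (Defender module present);
# $ExpectedAv is a placeholder allowlist for the products your environment really deploys.

function Get-WscAvInventory {
    param([string[]]$ExpectedAv = @('Windows Defender'))

    # Windows Security Center publishes every registered antivirus product in this WMI namespace.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            # productState is a packed value. The common (community, not officially documented)
            # decoding reads the middle byte's 0x10 bit as "enabled" and the low byte's 0x10 bit
            # as "definitions out of date".
            $enabled   = (($_.productState -shr 8) -band 0x10) -ne 0
            $outOfDate = ($_.productState -band 0x10) -ne 0
            [pscustomobject]@{
                DisplayName = $_.displayName
                Enabled     = $enabled
                OutOfDate   = $outOfDate
                ExePath     = $_.pathToSignedProductExe
                Expected    = $ExpectedAv -contains $_.displayName
                State       = '0x{0:X6}' -f $_.productState
            }
        }
}

function Get-DefenderEngineStatus {
    # Independent of Security Center: ask the Defender engine itself whether it is active.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled          = $s.AntivirusEnabled
        RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        AMServiceEnabled          = $s.AMServiceEnabled
    }
}

function Get-TaskActionsOutsideSystemPaths {
    # Hunting heuristic, not a verdict: tasks whose executable lives outside Program Files or
    # the Windows directory get surfaced for review. Expect some legitimate hits (vendor updaters).
    $trusted = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) | Where-Object { $_ }
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }   # COM-handler actions carry no Execute property
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
            $inTrusted = $false
            foreach ($t in $trusted) {
                if ($exe.StartsWith($t, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
            }
            if (-not $inTrusted) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Execute   = $exe
                    Arguments = $a.Arguments
                }
            }
        }
    }
}

# Usage: the inventory is the key check. A product that is Enabled but not Expected, sitting
# next to a Defender entry that is no longer Enabled, is the state the article describes.
$inventory = Get-WscAvInventory
$inventory | Format-Table -AutoSize
Get-DefenderEngineStatus | Format-List

$unexpected = $inventory | Where-Object { $_.Enabled -and -not $_.Expected }
if ($unexpected) {
    Write-Warning ('Unexpected antivirus registered in Security Center: ' + ($unexpected.DisplayName -join ', '))
}
Get-TaskActionsOutsideSystemPaths | Format-Table -AutoSize
```

The two status sources are deliberately compared rather than trusted individually: Security Center reports what has been registered with it, while `Get-MpComputerStatus` reports what the Defender engine is doing, and a disagreement between them (a third-party product enabled in the inventory while Defender's real-time protection is off, with no such product installed) is what an operator would escalate. The scheduled-task listing is coarse by design and belongs in a periodic sweep where results are diffed against a known baseline.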
