A new tool called "Defendnot" can disable Microsoft Defender on Windows devices by registering a fake antivirus product through an undocumented API, even when no real antivirus is installed. It demonstrates how legitimate system features can be abused to turn off built-in security protections.
Affected: Windows devices, Microsoft Defender
Key points
- Defendnot exploits an undocumented Windows Security Center (WSC) API to register a fake antivirus.
- The tool causes Microsoft Defender to disable itself once the dummy antivirus is registered.
- It injects a trusted DLL into a system process to bypass security protections like Protected Process Light (PPL).
- Defendnot can be configured to set custom antivirus names, turn registration on or off, and enable logging.
- The tool creates persistence by setting up an autorun via Windows Task Scheduler.
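As an added defensive check (not code from the article or from the Defendnot project), the following PowerShell enumerates the antivirus products registered with Windows Security Center, flags entries outside an expected list or lacking a real signed executable on disk, confirms Defender's own running mode, and lists scheduled tasks that execute from user-writable paths. The expected-product list and the path patterns are constructed assumptions to adapt per environment; it assumes an elevated session on a Windows client edition.

```powershell
# Added defensive check, not part of the original article or the Defendnot tool.
# Assumptions: run as administrator on a Windows client edition (the
# root/SecurityCenter2 namespace is not present on Windows Server).
$ExpectedProducts = @('Windows Defender')   # constructed placeholder list

# 1. Enumerate every antivirus product registered with Windows Security Center.
#    A fake registration shows up as an unexpected displayName, often with a
#    product executable path that does not exist on disk.
$registered = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'
foreach ($p in $registered) {
    $unexpected = $ExpectedProducts -notcontains $p.displayName
    # Defender reports a URI here, not a file path, so only test real drive paths.
    $exeMissing = ($p.pathToSignedProductExe -match '^[A-Za-z]:\\') -and
                  -not (Test-Path -LiteralPath $p.pathToSignedProductExe)
    if ($unexpected -or $exeMissing) {
        Write-Warning ("Suspicious WSC registration: '{0}' (exe: {1}, state: 0x{2:X})" -f
            $p.displayName, $p.pathToSignedProductExe, $p.productState)
    }
}

# 2. Cross-check with Defender itself: a third-party registration normally
#    moves it out of 'Normal' mode and turns real-time protection off.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled -or $status.AMRunningMode -ne 'Normal') {
    Write-Warning ("Defender not fully active: RTP={0}, mode={1}" -f
        $status.RealTimeProtectionEnabled, $status.AMRunningMode)
}

# 3. Heuristic for the persistence mechanism: scheduled tasks whose action
#    runs from a user-writable location (patterns are constructed assumptions).
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -match '\\Users\\|\\AppData\\|\\Temp\\') {
            Write-Warning ("Task '{0}' runs {1} {2}" -f $task.TaskName, $a.Execute, $a.Arguments)
        }
    }
}
```

Review any warning against your asset inventory before acting on it; a legitimate third-party product will also appear in step 1 and put Defender into passive mode in step 2.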