Hackers can turn off Windows Defender with this sneaky new tool


  • A security researcher built a program that the OS sees as an antivirus
  • Since two AV programs can't run at the same time, Windows Defender turns itself off
  • Previous iteration was taken down for copyright infringement

Hackers can now easily turn off your Windows Defender program by registering a fake antivirus on your computer. To do that, they use a new tool called Defendnot, recently released by a security researcher with the alias es3n1n.

As they explained, Defendnot leverages a previously undocumented Windows Security Center (WSC) API, which third-party antivirus programs use to tell the operating system if they're running on the device or not.

Usually, two or more antivirus programs cannot run on a single device at the same time due to various conflicts. As a result, Windows Defender disables itself automatically when it learns that another antivirus has been installed.
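As an added example (not from the article or the Defendnot project), the PowerShell audit below lists every product registered with Windows Security Center, checks whether its claimed executable exists and carries a valid Authenticode signature, and compares that with Defender's own status, which is the pattern a spoofed registration leaves behind. The allow-list of expected product names is an assumption; adjust it to what your environment actually deploys.

```powershell
# Added example: audit WSC antivirus registrations against Defender's state.
# Run in an elevated PowerShell session on Windows 10/11.
$KnownAv = @('Windows Defender', 'Microsoft Defender Antivirus')  # assumed allow-list

function Get-WscAntivirusProducts {
    # WSC exposes every registered AV through this CIM class; a spoofed
    # registration appears here exactly like a genuine product would.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $exe = $_.pathToSignedProductExe
            $exists = [bool]($exe -and (Test-Path -LiteralPath $exe))
            $sig = $null
            if ($exists) {
                # A real vendor binary should report 'Valid' here.
                $sig = (Get-AuthenticodeSignature -LiteralPath $exe).Status
            }
            [pscustomobject]@{
                DisplayName  = $_.displayName
                ProductExe   = $exe
                ExeExists    = $exists
                ExeSignature = $sig
                Known        = $KnownAv -contains $_.displayName
                RegisteredAt = $_.timestamp
            }
        }
}

function Test-DefenderSuppressed {
    # Get-MpComputerStatus is Defender's own view of whether it is active.
    $status   = Get-MpComputerStatus
    $products = @(Get-WscAntivirusProducts)
    # Unknown product whose binary is missing or unsigned: treat as suspicious.
    $suspicious = @($products | Where-Object {
        -not $_.Known -and (-not $_.ExeExists -or $_.ExeSignature -ne 'Valid')
    })
    [pscustomobject]@{
        DefenderAntivirusEnabled = $status.AntivirusEnabled
        DefenderRealTimeEnabled  = $status.RealTimeProtectionEnabled
        DefenderRunningMode      = $status.AMRunningMode
        RegisteredProducts       = ($products.DisplayName -join ', ')
        SuspiciousRegistrations  = $suspicious
        # Defender off while an unverifiable "AV" is registered is the
        # combination a Defendnot-style tool produces.
        LikelySuppressed = (-not $status.AntivirusEnabled) -and ($suspicious.Count -gt 0)
    }
}

Test-DefenderSuppressed | Format-List
```

A `LikelySuppressed` of `True` is a prompt to inspect the listed registration and the per-user autorun entries, not proof on its own, since a legitimately installed third-party AV also disables Defender.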


Spotted by Defender

According to BleepingComputer, this is the researcher’s second attempt at building this type of solution. The original program, which “blew up” and went viral soon after its release, was taken down after a Digital Millennium Copyright Act request. As it turns out, es3n1n used code from a third-party antivirus product to spoof registration with WSC for a program they named no-defender.

This apparently did not sit well with the developers of that third-party solution, who subsequently demanded that es3n1n take the program down.

After the takedown, the researcher built Defendnot with a dummy antivirus DLL from scratch. It also comes with an autorun feature, allowing it to start automatically as soon as the user logs into Windows.

Obviously, the tool was not designed to be used in a malicious way, but it’s safe to assume it will be abused (or threat actors could simply create their own versions). In the past, threat actors were seen deploying various tactics to turn off people’s antivirus programs, such as abusing admin rights, tampering with the registry, blocking updates, installing fake antivirus software, or exploiting various flaws in third-party solutions.

Luckily, Microsoft Defender can now detect and quarantine Defendnot as 'Win32/Sabsik.FL.!ml'.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
