Defendnot utility disables Microsoft Defender in Windows

📟 News

Date: 20/05/2025

A new tool called Defendnot can disable Microsoft Defender protection on Windows devices even when no real antivirus is installed on the system.

Defendnot was developed by a researcher known as Arsenii es3n1n. The utility abuses an undocumented WSC (Windows Security Center) API by registering a fake antivirus product that passes all of Windows' checks.

Antivirus software uses the WSC API to notify Windows that it is installed and is currently protecting the device in real time. Once a third-party antivirus is registered, Windows automatically disables Microsoft Defender to avoid the conflicts that arise when multiple security solutions run on the same device.

The new tool grew out of es3n1n's earlier project, no-defender, which used code borrowed from a third-party antivirus product to spoof the WSC registration. That earlier tool was removed from GitHub following a complaint filed by the antivirus vendor.

“Then, after a few weeks after the release, the project blew up quite a bit and gained ~1.5k stars, after that the developers of the antivirus I was using filed a DMCA takedown request and I didn’t really want to do anything with that so just erased everything and called it a day,” – es3n1n’s Blog.

Defendnot should not face the same copyright issue, since its functionality was written from scratch and is built on a fake antivirus DLL of its own.

Access to the WSC API is normally gated by mechanisms such as Protected Process Light (PPL) and valid digital signatures. To satisfy these requirements, Defendnot injects its DLL into the Taskmgr.exe system process, which is signed by Microsoft and therefore trusted. From inside that process it registers a fake antivirus under a fictitious name.

Once the fake antivirus product is registered, Microsoft Defender is disabled immediately, leaving the device without active protection.

In addition, the utility includes a loader that passes configuration data to the injected DLL through a ctx.bin file; the configuration lets the user specify the name of the supposedly installed antivirus, disable registration, and enable verbose logging.

“Sadly, to keep this WSC stuff even after reboot, defendnot adds itself to the autorun. Thus, you would need to keep the defendnot binaries on your disk :(” – Arsenii es3n1n.

It should be noted that the current Defendnot build is detected by Microsoft Defender and quarantined as Win32/Sabsik.FL.!ml.
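From a defender's side, the useful check is to compare what Windows Security Center believes about antivirus coverage with what Defender itself reports, and to look at the autorun location the author mentions. The following PowerShell script is an added example written for this article; it is not code from the article or from the Defendnot project. It reads the `AntiVirusProduct` class in the `root/SecurityCenter2` WMI namespace (where WSC exposes registered products), calls `Get-MpComputerStatus` from the Defender module, and lists the HKLM/HKCU `Run` keys. The heuristic that a legitimate registration should point to an existing executable with a valid Authenticode signature is this script's own assumption, not a documented WSC rule, and `Get-MpComputerStatus` requires the Defender PowerShell module to be present.

```powershell
# Added example (not from the article or the Defendnot project).
# Audits WSC-registered antivirus products, flags registrations that do not look
# like a real product, and correlates with Defender's own status and Run keys.
# The path/signature heuristic is an assumption about legitimate registrations.

function Get-WscAntiVirusAudit {
    # root/SecurityCenter2 is the WMI namespace where WSC exposes registered products
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'
    foreach ($p in $products) {
        $reasons = @()
        # Defender registers a URI ("windowsdefender://") rather than a file path,
        # so skip URI-style entries and expand %ProgramFiles%-style variables.
        $candidates = @($p.pathToSignedProductExe, $p.pathToSignedReportingExe) |
            Where-Object { $_ -and $_ -notmatch '^[a-z]+://' } |
            ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }

        if (-not $candidates) {
            $reasons += 'no executable path recorded'
        } else {
            foreach ($exe in $candidates) {
                if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
                    $reasons += "missing file: $exe"
                    continue
                }
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') {
                    $reasons += "signature $($sig.Status): $exe"
                }
            }
        }
        $verdict = if ($reasons) { 'SUSPICIOUS' } else { 'OK' }

        [pscustomobject]@{
            Product      = $p.displayName
            ProductState = ('0x{0:X6}' -f [uint32]$p.productState)
            Executables  = ($candidates -join '; ')
            Verdict      = $verdict
            Reasons      = ($reasons -join '; ')
        }
    }
}

function Get-DefenderRunningState {
    # Defender's own view. When another product is registered with WSC, Defender
    # typically reports a passive running mode with real-time protection off.
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        AMRunningMode             = $mp.AMRunningMode
        AntivirusEnabled          = $mp.AntivirusEnabled
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
    }
}

function Get-RunKeyEntries {
    # The article notes the tool persists via autorun; list Run entries for review.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $item = Get-Item -LiteralPath $k
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $k; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

Get-WscAntiVirusAudit    | Format-Table -AutoSize
Get-DefenderRunningState | Format-List
Get-RunKeyEntries        | Format-Table -AutoSize
```

A host where WSC lists a product marked SUSPICIOUS while Defender reports real-time protection disabled is the combination worth investigating; a Run entry pointing at the same unsigned binary closes the loop. The check is a heuristic only: it will not see a registration whose recorded path happens to point at a signed file, so treat an "OK" verdict as absence of one indicator rather than proof of a genuine product.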
