Defendnot has been developed by an IT researcher known as Arsenii es3n1n. The utility abuses an undocumented WSC API by registering a fake antivirus product in the system that can pass all Windows checks.
Antivirus software uses WSC API to notify Windows that it’s installed and is currently protecting the device in real time. Once the antivirus software is registered, Windows automatically disables Microsoft Defender to avoid conflicts inevitable if multiple security solutions are running on the same device.
The new tool is based on the previous es3n1n’s project called no-defender: it used code borrowed from a third-party antivirus product to spoof WSC registration. The previous tool was removed from GitHub following a complaint filed by the antivirus vendor.
“Then, after a few weeks after the release, the project blew up quite a bit and gained ~1.5k stars, after that the developers of the antivirus I was using filed a DMCA takedown request and I didn’t really want to do anything with that so just erased everything and called it a day,” – es3n1n’s Blog.
Defendnot shouldn’t have any copyright issues since its functionality has been created from scratch and is based on a fake antivirus DLL.
WSC APIs are usually protected with such mechanisms as Protected Process Light (PPL), valid digital signatures, etc. To circumvent such requirements, Defendnot injects its DLL into the Taskmgr.exe system process, which is signed and hence trusted by Microsoft. From this process, it can register a fake antivirus with a fictitious name.
After registering the fake antivirus product, Microsoft Defender is immediately disabled, thus, leaving the device without active protection.
In addition, the utility includes a loader that passes configuration data in the ctx.bin file and makes it possible to specify the name of the allegedly installed antivirus, disable registration, and enable detailed logging.
“Sadly, to keep this WSC stuff even after reboot, defendnot adds itself to the autorun. Thus, you would need to keep the defendnot binaries on your disk :(” – Arsenii es3n1n.
It must be noted that the current Defendnot version is detected by Microsoft Defender and quarantined as Win32/Sabsik.FL.!ml.
2025.04.08 — Website of Everest ransomware group hacked and defaced
Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: "Don't do crime…
Full article →
2025.01.28 — J-magic backdoor attacked Juniper Networks devices using 'magic packets'
A massive backdoor attack targeting Juniper routers often used as VPN gateways has been uncovered. The devices were attacked by the J-magic malware that…
Full article →
2025.04.29 — FBI Offers 10 million USD for information on Salt Typhoon members
The FBI offers up to 10 million USD for information about members of the Chinese hacker group Salt Typhoon and last year's attack that had…
Full article →
2025.01.22 — Fake Homebrew Infects macOS and Linux Machines with infostealer
Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.…
Full article →
2025.02.28 — Qualcomm extends support for Android devices to 8 years
Qualcomm Technologies announced its collaboration with Google with the purpose to provide extended support for OEM devices running on company's flagship chipsets. This partnership will…
Full article →
2025.04.16 — Android devices will restart every three days to protect user data
Google introduces a new security feature for Android devices: locked and unused devices will be automatically restarted after three days of inactivity to return their memory to an…
Full article →
2025.01.25 — 18,000 script kiddies have been infected with backdoor via XWorm RAT builder
According to CloudSEK analysts, malefactors attack novice hackers using a fake malware builder. Script kiddies' systems become infected with a backdoor that steals data and subsequently…
Full article →
2025.03.18 — Black Basta ransomware group developed its own automated brute-forcing framework
According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It's used to hack edge network devices…
Full article →
2025.03.24 — Alexa to stop processing data locally. All voice requests will be sent to Amazon Cloud
Amazon announced that the privacy option allowing users of Echo speakers to avoid sending their voice recordings to the company's cloud will no longer be supported. Effective March…
Full article →
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters
According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…
Full article →