Defendnot utility disables Microsoft Defender in Windows

📟 News

Date: 20/05/2025

A new tool called Defendnot can disable Microsoft Defender protection on Windows devices even if no real antiviruses are installed in the system.

Defendnot has been developed by an IT researcher known as Arsenii es3n1n. The utility abuses an undocumented WSC API by registering a fake antivirus product in the system that can pass all Windows checks.

Antivirus software uses the WSC API to notify Windows that it is installed and is currently protecting the device in real time. Once a third-party antivirus is registered, Windows automatically disables Microsoft Defender to avoid the conflicts that arise when multiple security solutions run on the same device.

The new tool is based on es3n1n’s previous project, no-defender, which used code borrowed from a third-party antivirus product to spoof the WSC registration. That earlier tool was removed from GitHub following a complaint filed by the antivirus vendor.

“Then, after a few weeks after the release, the project blew up quite a bit and gained ~1.5k stars, after that the developers of the antivirus I was using filed a DMCA takedown request and I didn’t really want to do anything with that so just erased everything and called it a day,” – es3n1n’s Blog.

Defendnot should not have the same copyright problem, since its functionality was written from scratch and relies on a fake antivirus DLL of its own.

Access to the WSC API is normally restricted to callers that satisfy requirements such as running as a Protected Process Light (PPL) and carrying a valid digital signature. To circumvent these requirements, Defendnot injects its DLL into Taskmgr.exe, a Microsoft-signed system process that is therefore trusted. From inside that process it can register a fake antivirus under a fictitious name.

As soon as the fake antivirus product is registered, Microsoft Defender is disabled, leaving the device without active protection.
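Added example (not part of the original article and not Defendnot’s code): a defender-side check that lists the antivirus products registered in Windows Security Center, verifies the Authenticode signature of each registered executable, and cross-checks the result against the state Defender itself reports. It assumes an elevated PowerShell session on a Windows host with the Defender module available, that Defender’s own entry is the one whose display name contains "Defender" (it registers a URI rather than a file path), and that the commonly documented productState convention (bit 0x1000 set means enabled) applies.

```powershell
# Enumerate the AV products registered with WSC (root/SecurityCenter2) and inspect
# the executable each one claims to be. Assumption: run as administrator.
function Get-RegisteredAvProducts {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $exe = $_.pathToSignedProductExe
            $isDefender = $_.displayName -like '*Defender*'   # assumption: Defender's own entry
            $sig = if ($isDefender) {
                'BuiltIn'                                     # Defender registers a URI, not a file
            } elseif ($exe -and (Test-Path -LiteralPath $exe)) {
                (Get-AuthenticodeSignature -FilePath $exe).Status   # Valid, NotSigned, HashMismatch...
            } else {
                'MissingExe'                                  # registered path does not exist on disk
            }
            [pscustomobject]@{
                DisplayName = $_.displayName
                Enabled     = (($_.productState -band 0x1000) -ne 0)   # assumption: documented bit
                Exe         = $exe
                Signature   = $sig
                Registered  = $_.timestamp
            }
        }
}

# A registered product whose executable is missing, unsigned or carries a broken
# signature is the trace a spoofed WSC registration leaves behind.
function Find-SuspiciousAvRegistration {
    param([object[]]$Products)
    $Products | Where-Object { $_.Signature -notin @('Valid', 'BuiltIn') }
}

$products = Get-RegisteredAvProducts
$products | Format-Table -AutoSize

$suspicious = @(Find-SuspiciousAvRegistration -Products $products)
$defender   = Get-MpComputerStatus   # Defender's own view of its state

# The combination worth alerting on: Defender's real-time protection is off while a
# product it yielded to cannot be tied to a validly signed executable.
if ($suspicious.Count -gt 0 -and -not $defender.RealTimeProtectionEnabled) {
    $names = $suspicious.DisplayName -join ', '
    $msg = 'Defender real-time protection is off and {0} registered product(s) lack a valid signature: {1}'
    Write-Warning ($msg -f $suspicious.Count, $names)
}
```

Correlating this output with new autorun entries pointing at the same executable covers the persistence step the author describes later in the article.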

In addition, the utility ships with a loader that passes configuration data through a ctx.bin file; the configuration lets the user set the name of the supposedly installed antivirus, disable the registration, and enable verbose logging.

“Sadly, to keep this WSC stuff even after reboot, defendnot adds itself to the autorun. Thus, you would need to keep the defendnot binaries on your disk :(” – Arsenii es3n1n.

It should be noted that the current Defendnot build is detected by Microsoft Defender and quarantined as Win32/Sabsik.FL.!ml.
