Defendnot has been developed by an IT researcher known as Arsenii es3n1n. The utility abuses an undocumented WSC API by registering a fake antivirus product in the system that can pass all Windows checks.
Antivirus software uses WSC API to notify Windows that it’s installed and is currently protecting the device in real time. Once the antivirus software is registered, Windows automatically disables Microsoft Defender to avoid conflicts inevitable if multiple security solutions are running on the same device.
The new tool is based on the previous es3n1n’s project called no-defender: it used code borrowed from a third-party antivirus product to spoof WSC registration. The previous tool was removed from GitHub following a complaint filed by the antivirus vendor.
“Then, after a few weeks after the release, the project blew up quite a bit and gained ~1.5k stars, after that the developers of the antivirus I was using filed a DMCA takedown request and I didn’t really want to do anything with that so just erased everything and called it a day,” – es3n1n’s Blog.
Defendnot shouldn’t have any copyright issues since its functionality has been created from scratch and is based on a fake antivirus DLL.
WSC APIs are usually protected with such mechanisms as Protected Process Light (PPL), valid digital signatures, etc. To circumvent such requirements, Defendnot injects its DLL into the Taskmgr.exe system process, which is signed and hence trusted by Microsoft. From this process, it can register a fake antivirus with a fictitious name.
After registering the fake antivirus product, Microsoft Defender is immediately disabled, thus, leaving the device without active protection.
In addition, the utility includes a loader that passes configuration data in the ctx.bin file and makes it possible to specify the name of the allegedly installed antivirus, disable registration, and enable detailed logging.
“Sadly, to keep this WSC stuff even after reboot, defendnot adds itself to the autorun. Thus, you would need to keep the defendnot binaries on your disk :(” – Arsenii es3n1n.
It must be noted that the current Defendnot version is detected by Microsoft Defender and quarantined as Win32/Sabsik.FL.!ml.
2025.01.24 — Hundreds of websites impersonating Reddit and WeTransfer spread Lumma Stealer
Sekoia researcher crep1x discovered that hackers are currently using some 1,000 pages impersonating Reddit and WeTransfer. Victims visiting these sites are tricked into…
Full article →
2025.04.01 — Hackers abuse MU plugins to inject malicious payloads to WordPress
According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected. The technique was first discovered…
Full article →
2025.02.10 — Failed attempt to block phishing link results in massive Cloudflare outage
According to the incident report released by Cloudflare, an attempt to block a phishing URL on the R2 platform accidentally caused a massive outage; as a result, many Cloudflare…
Full article →
2025.02.14 — 12,000 Kerio Control firewalls remain vulnerable to RCE
Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed…
Full article →
2025.04.12 — Hackers compromised a bureau within the U.S. Department of the Treasury and spent months in hacked systems
The Office of the Comptroller of the Currency (OCC), an independent bureau within the United States Department of the Treasury, reported a major cybersecurity incident. Unknown attackers had…
Full article →
2025.01.23 — Fake Telegram CAPTCHA forces users to run malicious PowerShell scripts
Hackers used the news of Ross Ulbricht pardoning to lure users to a rogue Telegram channel where they are tricked into running malicious PowerShell code. This…
Full article →
2025.02.06 — Let's Encrypt to stop sending expiration notification emails
The nonprofit organization announced that, starting June 4, 2025, it will stop sending expiration notification emails to subscribers. The primary reason behind this decision…
Full article →
2025.04.25 — Asus patches vulnerability in AMI's MegaRAC enabling attackers to brick servers
Asus released patches for the CVE-2024-54085 vulnerability that allows attackers to seize and disable servers. The security hole affects the American Megatrends International (AMI) MegaRAC Baseboard Management…
Full article →
2025.04.07 — Critical RCE vulnerability discovered in Apache Parquet
All versions of Apache Parquet up to and including 1.15.0 are affected by a critical remote code execution (RCE) vulnerability whose CVSS score is 10 out…
Full article →
2025.01.22 — Fake Homebrew Infects macOS and Linux Machines with infostealer
Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.…
Full article →