Defendnot utility disables Microsoft Defender in Windows

Date: 20/05/2025

A new tool called Defendnot can disable Microsoft Defender protection on Windows devices even when no real antivirus is installed on the system.

Defendnot was developed by an IT researcher known as Arsenii es3n1n. The utility abuses the undocumented Windows Security Center (WSC) API to register a fake antivirus product that passes all of Windows' checks.

Antivirus software uses the WSC API to notify Windows that it is installed and is currently protecting the device in real time. Once a third-party antivirus is registered, Windows automatically disables Microsoft Defender to avoid the conflicts that arise when several security products run on the same device.

The new tool builds on es3n1n's earlier project, no-defender, which used code borrowed from a third-party antivirus product to spoof the WSC registration. That earlier tool was removed from GitHub after a complaint filed by the antivirus vendor.

“Then, after a few weeks after the release, the project blew up quite a bit and gained ~1.5k stars, after that the developers of the antivirus I was using filed a DMCA takedown request and I didn’t really want to do anything with that so just erased everything and called it a day,” – es3n1n’s Blog.

Defendnot should not run into the same copyright issues, since its functionality was written from scratch and relies on a fake antivirus DLL of its own.

The WSC API is normally protected by mechanisms such as Protected Process Light (PPL) and digital-signature checks. To get around these requirements, Defendnot injects its DLL into the Taskmgr.exe system process, which is signed by Microsoft and therefore trusted. From inside that process it can register a fake antivirus under a fictitious name.

As soon as the fake antivirus product is registered, Microsoft Defender is disabled, leaving the device without active protection.
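The registration trick described above leaves a visible trace: Windows Security Center still lists the product it has been told about, and its details can be compared against Defender's own status. The PowerShell audit below is an added example, not code from the article or from the Defendnot project. It assumes the root\SecurityCenter2 namespace and its AntiVirusProduct class (present on client editions of Windows, absent on Windows Server) and uses the community decoding of the productState bitfield, which Microsoft does not document; the "suspicious" heuristics are likewise assumptions, meant to surface a registered product whose advertised executable is missing, unsigned, or a Microsoft-signed OS binary standing in for a non-Microsoft product name.

```powershell
<#
 Added audit example (not from the article or the Defendnot project).
 Lists antivirus products registered with Windows Security Center (WSC),
 checks the executable each one advertises, and compares the result with
 what Microsoft Defender itself reports.
#>

function Get-RegisteredAntivirus {
    [CmdletBinding()]
    param()

    # Assumption: root\SecurityCenter2\AntiVirusProduct exists (client SKUs only).
    Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $exe    = $_.pathToSignedProductExe
            $exists = (-not [string]::IsNullOrWhiteSpace($exe)) -and (Test-Path -LiteralPath $exe)

            $sigStatus = 'NotChecked'
            $signer    = $null
            if ($exists) {
                $sig       = Get-AuthenticodeSignature -FilePath $exe
                $sigStatus = $sig.Status.ToString()   # 'Valid', 'NotSigned', 'HashMismatch', ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            # Assumption (community decoding, undocumented): productState is a 24-bit
            # field whose middle byte is 0x10 when real-time protection is reported on.
            $state = [int]$_.productState
            $rtpOn = ((($state -shr 8) -band 0xFF) -eq 0x10)

            # Heuristics (assumptions) for a product WSC trusts but that deserves a look:
            #  - the advertised executable is missing or carries no valid signature;
            #  - it is Microsoft-signed yet the product is not a Microsoft product by name,
            #    i.e. a third-party entry pointing at an OS binary.
            $msSigned   = $signer -match 'O=Microsoft Corporation'
            $msNamed    = $_.displayName -match 'Microsoft|Windows Defender'
            $suspicious = (-not $exists) -or ($sigStatus -ne 'Valid') -or ($msSigned -and -not $msNamed)

            [pscustomobject]@{
                DisplayName  = $_.displayName
                ProductState = ('0x{0:X6}' -f $state)
                RealTimeOn   = $rtpOn
                ExePath      = $exe
                ExeExists    = $exists
                Signature    = $sigStatus
                Signer       = $signer
                Suspicious   = $suspicious
            }
        }
}

function Get-DefenderState {
    # Get-MpComputerStatus ships with the Defender PowerShell module on Windows.
    $s = Get-MpComputerStatus -ErrorAction Stop
    [pscustomobject]@{
        AntivirusEnabled          = $s.AntivirusEnabled
        RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        AMRunningMode             = $s.AMRunningMode   # e.g. 'Normal', 'Passive Mode'
    }
}

function Invoke-WscCoverageAudit {
    $products = @(Get-RegisteredAntivirus)
    $defender = Get-DefenderState

    Write-Host ("Defender: AV enabled={0} RTP={1} mode={2}" -f
        $defender.AntivirusEnabled, $defender.RealTimeProtectionEnabled, $defender.AMRunningMode)
    $products |
        Format-Table DisplayName, ProductState, RealTimeOn, ExeExists, Signature, Suspicious -AutoSize |
        Out-Host

    # The combination that matters: Defender has stepped aside, and the product it
    # stepped aside for does not hold up to inspection.
    $bad = @($products | Where-Object Suspicious)
    if ($bad.Count -gt 0 -and -not $defender.RealTimeProtectionEnabled) {
        Write-Warning 'Defender real-time protection is off and WSC trusts a product that fails the checks above:'
        $bad | ForEach-Object { Write-Warning ("  '{0}' -> {1} [{2}]" -f $_.DisplayName, $_.ExePath, $_.Signature) }
    }
    return $bad
}

Invoke-WscCoverageAudit
```

Run it from an elevated PowerShell session on a workstation; the returned objects are the entries worth investigating, and the table shows every product WSC currently believes is installed. A healthy machine with only Defender shows one Microsoft-named, Microsoft-signed entry with real-time protection on; a registration that Defender deferred to but that points at a missing or OS-owned binary is the pattern this article describes.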

The utility also includes a loader that passes configuration through a ctx.bin file; this lets the user set the name of the supposedly installed antivirus, disable registration, and enable verbose logging.

“Sadly, to keep this WSC stuff even after reboot, defendnot adds itself to the autorun. Thus, you would need to keep the defendnot binaries on your disk :(” – Arsenii es3n1n.

Note that the current Defendnot build is detected by Microsoft Defender and quarantined as Win32/Sabsik.FL.!ml.
