Introduction of ‘Defendnot’ Tool Manipulates Windows to Deactivate Microsoft Defender


A new tool, ‘Defendnot,’ has emerged, capable of disabling Microsoft Defender on Windows systems by masquerading as a legitimate antivirus application, even in the absence of actual antivirus software. This tool leverages an undocumented Windows Security Center (WSC) API that antivirus applications utilize to inform Windows about their installation status and the activation of real-time protection services.

When a third-party antivirus product registers itself with WSC, Microsoft Defender automatically disables its own protection to avoid the conflicts that arise from running multiple security solutions on the same device at the same time.

Developed by researcher es3n1n, Defendnot exploits this API by registering a counterfeit antivirus product that satisfies all validation checks performed by Windows. This initiative builds on a previous project called no-defender, which had to be discontinued due to a DMCA takedown request following its rapid popularity—garnering approximately 1,500 stars on GitHub shortly after its release.

To circumvent copyright concerns, the Defendnot tool was architected from the ground up, utilizing a dummy antivirus dynamic link library (DLL). Normally, access to the WSC API is restricted via Protected Process Light (PPL) and valid digital signatures, along with other safeguards. Defendnot navigates these security measures by injecting its DLL into the Taskmgr.exe system process, which possesses a valid Microsoft signature. By executing within this trusted process, Defendnot can successfully register its fabricated antivirus with a spoofed display name.

Once this registration process is complete, Microsoft Defender shuts down its services, leaving the device unprotected.

The tool also comprises a loader that facilitates configuration through a ctx.bin file, allowing users to designate the name of the counterfeit antivirus, disable registration, and activate verbose logging features. Additionally, for persistent operation, Defendnot establishes an autorun entry using Windows Task Scheduler, ensuring it launches with every user login.
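The two symptoms the article describes, an antivirus registration in Windows Security Center that no real product backs, and a logon-triggered scheduled task that keeps the registration alive, can both be audited from an elevated PowerShell session. The script below is an added example written for this article; it is not es3n1n's code and not a Microsoft tool. It assumes a Windows 10/11 client with the Defender PowerShell module available, and it only reads state. The decoding of the undocumented `productState` bitfield (bit 0x1000 meaning "enabled") follows the community convention and is an assumption, as is the heuristic that Defender's own WSC entry carries a `windowsdefender://` URI rather than a file path.

```powershell
# Added example for this article (not the Defendnot project's code, not Microsoft's).
# Read-only audit: what antivirus products WSC believes are installed, whether their
# binaries exist and are validly signed, what Defender itself reports, and which
# scheduled tasks fire at logon from outside the Windows directory.
# Assumptions: Windows 10/11 client, elevated session, Defender module present.

function Get-WscAntivirusAudit {
    # root/SecurityCenter2 records what products have told WSC; absent on Server SKUs.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'
    foreach ($av in $products) {
        $state = [int]$av.productState
        # productState is undocumented; the common decoding treats bit 0x1000 as "enabled". (Assumption)
        $enabled = ($state -band 0x1000) -ne 0
        $exe = [Environment]::ExpandEnvironmentVariables([string]$av.pathToSignedProductExe)
        # Defender's own entry typically carries a windowsdefender:// URI, not a file path. (Assumption)
        $looksLikePath = $exe -match '^[A-Za-z]:\\'
        $exists = $looksLikePath -and (Test-Path -LiteralPath $exe)
        $sigValid = $false
        if ($exists) {
            $sigValid = (Get-AuthenticodeSignature -LiteralPath $exe).Status -eq 'Valid'
        }
        [pscustomobject]@{
            DisplayName    = $av.displayName
            Enabled        = $enabled
            RawState       = ('0x{0:X}' -f $state)
            ProductExe     = $exe
            LooksLikePath  = $looksLikePath
            BinaryVerified = ($exists -and $sigValid)
        }
    }
}

function Get-LogonTaskAudit {
    # Tasks with a logon trigger, one row per executable action.
    Get-ScheduledTask | Where-Object {
        $_.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $target = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                Execute   = $target
                Arguments = $action.Arguments
                InWindows = $target -like "$env:SystemRoot\*"
            }
        }
    }
}

# 1. What WSC thinks is installed.
$avReport = @(Get-WscAntivirusAudit)
$avReport | Format-Table -AutoSize

# 2. What Defender itself reports (the cmdlet may fail if the service is stopped).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    $mp | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled | Format-List
}

# 3. The combination the article describes: Defender real-time protection off while an
#    enabled WSC registration points at a binary that is missing or not validly signed.
$unverified = $avReport | Where-Object { $_.Enabled -and $_.LooksLikePath -and -not $_.BinaryVerified }
if ($mp -and -not $mp.RealTimeProtectionEnabled -and $unverified) {
    Write-Warning 'Defender real-time protection is off and an enabled WSC registration has no verifiable binary:'
    $unverified | ForEach-Object { Write-Warning ('  {0} -> {1}' -f $_.DisplayName, $_.ProductExe) }
}

# 4. Logon-triggered tasks whose action lives outside %SystemRoot%; review each by hand.
Get-LogonTaskAudit | Where-Object { -not $_.InWindows } | Format-Table -AutoSize
```

Run it as an administrator and read the three sections together: a registration whose `BinaryVerified` column is false while `Get-MpComputerStatus` shows real-time protection disabled is the condition to investigate, and the logon-task listing gives the persistence side of the same picture. Display names are spoofable, so the script deliberately does not trust them and keys on the binary path and its Authenticode status instead.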

Despite being classified as a research tool, Defendnot serves as a troubling example of how trusted system functionalities can be manipulated to disable critical security mechanisms. Presently, Microsoft Defender recognizes and quarantines Defendnot, labeling it as a ‘Win32/Sabsik.FL.!ml’ infection.