Tool tricks Windows into switching off Microsoft Defender

A new tool called Defendnot makes it possible to deactivate Microsoft Defender by registering a fake antivirus program with Windows. It does so through an undocumented Windows API, which raises questions about the security of the operating system.
Dangerous gap in the Windows Security Center
A security researcher has uncovered a troubling weak point in the Windows security system. The new "Defendnot" tool uses an undocumented interface of the Windows Security Center (WSC) to convince the operating system that an alternative antivirus program is installed.
This in turn causes Microsoft Defender to deactivate itself. The reason for this behavior lies in the basic Windows architecture: to avoid conflicts, the system prevents several antivirus programs from running at the same time. As soon as a third-party antivirus product is registered, Defender switches itself off. As BleepingComputer reports, WSC only accepts such registrations from callers that pass checks such as Protected Process Light (PPL) and a valid digital signature; Defendnot gets around these checks by injecting its code into the trusted Windows Task Manager (Taskmgr.exe), a Microsoft-signed process, so that the registration call appears to come from it. This technique, known as "process injection", is one that malware commonly uses to evade security mechanisms.
Second attempt after a takedown
Defendnot is already the second attempt of this kind by the developer known by the pseudonym ES3N1N. The previous project, "no-defender", had to be withdrawn after a DMCA complaint because it reused code from a third-party antivirus product. The new version, by contrast, was written from scratch. The tool exploits the fact that Windows has had a central security center since Vista that monitors the status of all security components.
This architecture was originally meant to improve security by offering a uniform overview of all protective measures. Ironically, that same function is now being used to weaken the protection. For persistence, the tool also sets up an autorun entry via the Windows Task Scheduler that fires at every login. This is particularly problematic because it keeps protection deactivated even after a restart.
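The two symptoms the article describes, an extra antivirus registration in WSC that Defender has stood down for, and a logon-triggered scheduled task that re-applies it, can both be audited from PowerShell. The script below is an added example, not code from the article or from the Defendnot project. It assumes an elevated PowerShell 5.1 or later session on Windows 10/11 so that every scheduled task is visible, and it uses only documented cmdlets: the root/SecurityCenter2 WMI namespace that WSC publishes, Get-MpComputerStatus, Get-AuthenticodeSignature and Get-ScheduledTask. The "Suspicious" heuristics (no verifiable signed executable behind a registration; a logon task whose executable is unsigned or lives outside the Windows and Program Files trees) are the author's assumptions for triage, not a rule the tool itself is known to trip.

```powershell
#Requires -RunAsAdministrator
# Added example: audit WSC antivirus registrations, Defender's own state and
# logon-triggered scheduled tasks. Not part of the article or of Defendnot.

function Resolve-ProductPath {
    # WSC stores product paths with environment variables and sometimes as a URI
    # (Defender's own pathToSignedProductExe is "windowsdefender://"), so only
    # real file paths are expanded and returned.
    param([string]$Path)
    if (-not $Path -or $Path -like '*://*') { return $null }
    return [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
}

function Get-WscAntivirusReport {
    # Every AV product registered with the Security Center shows up here,
    # whether it is a real product or a fake registration like Defendnot's.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            $candidates = @($_.pathToSignedProductExe, $_.pathToSignedReportingExe) |
                ForEach-Object { Resolve-ProductPath $_ } |
                Where-Object { $_ -and (Test-Path -LiteralPath $_) }
            $signed = $candidates | ForEach-Object { Get-AuthenticodeSignature -LiteralPath $_ } |
                Where-Object { $_.Status -eq 'Valid' } | Select-Object -First 1
            [pscustomobject]@{
                DisplayName  = $_.displayName
                ProductExe   = $_.pathToSignedProductExe
                ReportingExe = $_.pathToSignedReportingExe
                Signer       = if ($signed) { $signed.SignerCertificate.Subject } else { $null }
                ProductState = ('0x{0:X6}' -f $_.productState)   # raw WSC state, left undecoded
                Suspicious   = -not $signed   # assumption: a genuine AV has at least one validly signed binary on disk
            }
        }
}

function Get-DefenderState {
    # Get-MpComputerStatus reports what Defender is actually doing right now.
    # A WSC registration from another product is the normal reason for
    # real-time protection to be off while the Defender service is still present.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled   = $s.AntivirusEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        AMRunningMode      = $s.AMRunningMode
    }
}

function Get-LogonTaskReport {
    # Logon-triggered tasks are the persistence channel the article describes.
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
    Get-ScheduledTask |
        Where-Object { $_.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' } } |
        ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                if (-not $action.Execute) { continue }   # COM-handler actions have no executable
                $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
                if (-not [IO.Path]::IsPathRooted($exe)) {
                    # bare names like "cmd.exe" resolve through PATH, as the scheduler does
                    $cmd = Get-Command $exe -ErrorAction SilentlyContinue
                    if ($cmd -and $cmd.Source) { $exe = $cmd.Source }
                }
                $inTrusted = $false
                foreach ($root in $trustedRoots) {
                    if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
                }
                $sigStatus = 'NoFile'
                if (Test-Path -LiteralPath $exe) {
                    $sigStatus = (Get-AuthenticodeSignature -LiteralPath $exe).Status
                }
                [pscustomobject]@{
                    Task       = $task.TaskPath + $task.TaskName
                    Executable = $exe
                    Arguments  = $action.Arguments
                    Signature  = $sigStatus
                    Suspicious = (-not $inTrusted) -or ($sigStatus -ne 'Valid')   # assumption-based triage heuristic
                }
            }
        }
}

Get-WscAntivirusReport | Format-Table -AutoSize
Get-DefenderState | Format-List
Get-LogonTaskReport | Where-Object Suspicious | Format-Table -AutoSize
```

A registration that names a product Defender is yielding to, but for which no validly signed binary exists on disk, is exactly the state a fake WSC registration leaves behind; a logon task that points at an unsigned file in a user-writable directory is worth the same scrutiny. Neither finding proves the machine is running this particular tool, so treat the output as triage input, not a verdict.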
Microsoft’s reaction
Microsoft has already reacted and classified Defendnot as a trojan. The current version of Microsoft Defender recognizes the software automatically, using machine-learning-based detection, and quarantines it. Security experts point out that such tools are developed for research purposes but can easily be misused by cybercriminals.
Publishing such weaknesses follows the controversial practice of making security gaps public in order to pressure manufacturers into fixing them quickly. Strictly speaking this is full disclosure; "responsible" (coordinated) disclosure means reporting the problem to the vendor first and publishing only after a fix or an agreed deadline.
Research Snipers currently covers all technology news, including Google, Apple, Android, Xiaomi, Huawei, Samsung news and more. Research Snipers has a decade of experience in breaking technology news and covering the latest trends and developments in tech.