Hacker Tool ‘Defendnot’ Can Silently Shut Down Microsoft Defender With a Fake Antivirus
A new security tool is making waves for all the wrong reasons. It’s called Defendnot, and it can switch off Microsoft Defender on Windows machines by faking the presence of another antivirus—without actually installing one.
That might not sound like a big deal at first, but here’s the kicker: it uses a legit, though undocumented, Windows API to pull it off. And Microsoft Defender doesn’t even blink. It just turns itself off. Like it’s being polite.
How It Works: The API Microsoft Doesn’t Talk About
At the heart of this quiet trick is the Windows Security Center (WSC) API. It isn't publicly documented, but antivirus vendors know it well: it's how security products register themselves with Windows so that Security Center can list them and Defender can react to them.
When a third-party antivirus registers with WSC, Defender Antivirus steps aside. On Windows client editions that is intended, documented behavior, there to keep two real-time scanners from fighting over the same files. No questions asked.
Defendnot piggybacks on that. Created by researcher es3n1n, it presents itself to WSC as a real antivirus product, completes the registration, checks all the boxes, and Defender exits the stage.
There's no real antivirus running afterwards. No alerts. Just silence.
From DMCA Drama to DIY Malware Tools
This isn't es3n1n's first rodeo. Defendnot is a rework of an earlier project, a tool called no-defender. That one borrowed a component from a legitimate third-party antivirus so that WSC would accept the registration as coming from a trusted product. It worked brilliantly, until the vendor of that software saw it.
The project got 1.5k GitHub stars
Then it got a DMCA takedown
So the creator just deleted everything and moved on
Defendnot skips that legal mess by building everything from scratch. It uses a homemade dummy DLL to act like antivirus software. No stolen code. No copyrights violated.
Cracking Windows’ Security Without Breaking It
Registering with WSC isn't open to just any process. The service checks who is calling before it accepts a registration, and Microsoft leans on layers of protection such as:
Protected Process Light (PPL)
Digitally signed binaries
API restrictions
But Defendnot doesn't fight those checks. It borrows an identity that already passes them. Here's how:
It injects its DLL into Taskmgr.exe, a Microsoft-signed process that WSC already trusts.
From inside that process, it registers a spoofed antivirus product under whatever display name it was configured with.
Defender sees what looks like a third-party AV, takes it at face value, and turns itself off.
It’s like someone sneaking past a bouncer by wearing the right badge. Nothing flashy—just sneaky.
Configuration, Logging, and Persistence—Yes, It Has All That
This isn't a one-trick pony. Defendnot comes with its own loader, and it uses a configuration file, ctx.bin, to manage its behavior.
Here’s what it can do:
Set any antivirus display name you like
Turn on or off the spoof registration
Enable verbose logs so you can see what’s going on under the hood
And of course, it sticks around. It adds itself to Windows Task Scheduler so that it runs every time you log in. No need to click anything. It's already there, waiting.
So even if the fake registration is lost and Defender comes back (after a reboot, say), the scheduled task re-registers the spoofed product at the next logon and knocks Defender back down again.
Defender’s Response: A Bit Late to the Party
Right now, Microsoft Defender is catching up. It's flagging Defendnot under the detection name Win32/Sabsik.FL.!ml, so if you try to run it on a machine where Defender is active, there's a good chance it'll get quarantined.
But that assumes Defender is still running.
And therein lies the real risk.
A signature only helps if the scanner is on. If an attacker who already has code running on the box uses Defendnot (or a rebuilt copy the signature doesn't match) to disable Defender first and then launches the real payload, there is no built-in antivirus left to look at it. Defendnot isn't an initial-access or privilege-escalation trick; it's defense evasion that comes after a foothold, which is exactly when a missing AV hurts most.
Just an empty seat where Defender used to be.
Bigger Picture: When Trusted APIs Turn Against You
This isn't sophisticated malware using 0-days or kernel exploits. In a way it's worse: it uses Windows' own trust mechanism, the same one antivirus developers rely on.
And that makes it tricky to solve.
You can't just block the WSC API; real antivirus tools need it. You can't block Taskmgr.exe either; it's a core system tool. What you can do is watch the registrations themselves. An antivirus product that shows up in Security Center with no installed, signed product binary behind it, a Defender that reports itself passive or not running on a machine where no other AV was deployed, and a fresh logon-triggered scheduled task are all visible from the outside.
In short, Windows built a door for security software. Defendnot just walked through it with a fake ID.
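An added audit script, written for this article and not taken from Defendnot, es3n1n, or the article itself, that checks the three things described above from the defender's side: what is registered with Windows Security Center and whether a signed product binary exists behind each entry, whether Defender reports itself as passive or not running, and which logon-triggered scheduled tasks run from outside %SystemRoot%. The productState decoding and the "outside %SystemRoot%" heuristic are assumptions, and the script does not know what name or path Defendnot registers, so it keys on missing or unsigned product binaries rather than on any fixed indicator:

```powershell
#Requires -RunAsAdministrator
# Added audit example for the scenario in the article. Not code from Defendnot, es3n1n, or the article.
# Assumptions are marked inline: the productState decoding is the widely used community interpretation,
# and "runs from outside %SystemRoot%" is a heuristic, not a rule.

function Get-WscAntivirusProduct {
    # root\SecurityCenter2 is the WMI view of what has registered with Windows Security Center.
    Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName 'AntiVirusProduct' | ForEach-Object {
        $exe = [string]$_.pathToSignedProductExe
        $signature = if ($exe -like 'windowsdefender:*') {
            'BuiltIn'                                   # Defender registers a URI, not a file path
        } elseif ($exe -and (Test-Path -LiteralPath $exe)) {
            (Get-AuthenticodeSignature -LiteralPath $exe).Status.ToString()
        } else {
            'MissingFile'                               # a registered product with nothing on disk behind it
        }
        # Assumption: with productState written as 6 hex digits, the middle byte is 0x10 when the product is enabled.
        $hex = '{0:x6}' -f [uint32]$_.productState
        [pscustomobject]@{
            DisplayName = $_.displayName
            Enabled     = ($hex.Substring(2, 2) -eq '10')
            ProductExe  = $exe
            Signature   = $signature
            Suspicious  = ($signature -notin @('Valid', 'BuiltIn'))
        }
    }
}

function Get-DefenderRunningState {
    try {
        $s = Get-MpComputerStatus -ErrorAction Stop
        [pscustomobject]@{
            RunningMode        = $s.AMRunningMode        # e.g. Normal, Passive Mode, Not running
            AntivirusEnabled   = $s.AntivirusEnabled
            RealTimeProtection = $s.RealTimeProtectionEnabled
        }
    } catch {
        # The Defender cmdlets fail when the service is gone entirely; report that rather than crash.
        [pscustomobject]@{ RunningMode = 'Unavailable'; AntivirusEnabled = $false; RealTimeProtection = $false }
    }
}

function Get-LogonTaskOutsideSystemRoot {
    $systemRoot = $env:SystemRoot
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task  = $_
        $logon = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
        if ($logon.Count -eq 0) { return }
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }       # COM-handler actions carry no Execute path
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            # Heuristic (assumption): most legitimate logon tasks live under %SystemRoot%.
            if (-not $exe.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Execute   = $exe
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

$products = Get-WscAntivirusProduct
$defender = Get-DefenderRunningState

'== Products registered with Windows Security Center =='
$products | Format-Table -AutoSize
'== Defender Antivirus state =='
$defender | Format-List
'== Logon-triggered scheduled tasks running from outside %SystemRoot% (heuristic) =='
Get-LogonTaskOutsideSystemRoot | Format-Table -AutoSize

# The combination the article describes: a non-Defender product that WSC believes is enabled,
# with no valid signed binary behind it, while Defender reports itself as anything but Normal.
$fake = @($products | Where-Object { $_.Suspicious -and $_.Enabled })
if ($fake.Count -gt 0 -and $defender.RunningMode -ne 'Normal') {
    Write-Warning ("Defender is '{0}' and WSC lists an enabled product without a valid signed binary: {1}" -f
        $defender.RunningMode, ($fake.DisplayName -join ', '))
}
```

Run it from an elevated PowerShell. A product entry whose Signature column reads MissingFile or anything other than Valid, sitting next to a Defender RunningMode of Passive Mode or Not running on a machine where no other antivirus was deployed, is the pattern worth chasing; the logon-task listing is where a persistence entry like the one the article describes would surface, so read it against what you know was installed on purpose.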
Here's a quick look at how Defendnot's technique stacks up:

| Feature | What Defendnot Does |
|---|---|
| API used | Windows Security Center (WSC) API |
| Protection bypass method | DLL injection into Taskmgr.exe |
| Registration method | Fake AV registration using a dummy DLL |
| Persistence | Task Scheduler autorun at logon |
| Detection by Defender | Yes, flagged as Win32/Sabsik.FL.!ml |
| Exploit complexity | Moderate (no kernel exploits needed) |
| Legal risk | Avoids the DMCA problem by using its own code rather than borrowed vendor code |
The whole situation is a bit unsettling. Security features meant to protect users are being twisted in ways most people—and even many sysadmins—don’t expect.