Hacker Tool ‘Defendnot’ Can Silently Shut Down Microsoft Defender With a Fake Antivirus

A new security tool is making waves for all the wrong reasons. It’s called Defendnot, and it can switch off Microsoft Defender on Windows machines by faking the presence of another antivirus—without actually installing one.

That might not sound like a big deal at first, but here's the kicker: it does this through a legitimate, though undocumented, Windows API. Microsoft Defender does not fight back. It switches off its own real-time protection by design, exactly as it would for any properly registered third-party antivirus.

How It Works: The API Microsoft Doesn’t Talk About

At the heart of this quiet trick is the Windows Security Center (WSC) API. Microsoft does not document it publicly, but antivirus vendors know it well: it is how security software registers itself with Windows so that the Security Center can report it as the active protection.

Once a product registers with WSC as an antivirus, Defender stands down and disables its real-time protection to avoid two engines scanning the same files. There is no check that the registered product actually scans anything.

Defendnot piggybacks on that. Created by researcher es3n1n, it acts like it’s a real antivirus program. It registers with WSC, checks all the boxes, and—boom—Defender exits the stage.

There’s no real antivirus running. No alerts. Just silence.


From DMCA Drama to DIY Malware Tools

This isn't es3n1n's first rodeo. Defendnot is a rework of an earlier project, a tool called no-defender. That one borrowed parts of a legitimate antivirus product to pass itself off as a trusted program. It worked, right up until the original software vendor noticed.

  • The project got 1.5k GitHub stars

  • Then it got a DMCA takedown

  • So the creator just deleted everything and moved on

Defendnot skips that legal mess by building everything from scratch. It uses a homemade dummy DLL to act like antivirus software. No stolen code. No copyrights violated.

Cracking Windows’ Security Without Breaking It

Normally, Microsoft defends Defender with layers of protection. We’re talking about things like:

  • Protected Process Light (PPL)

  • Digitally signed binaries

  • API restrictions

But Defendnot doesn’t fight those. It slides around them. Here’s how:

  1. It injects its DLL into Taskmgr.exe, a Microsoft-signed process that WSC is willing to accept registrations from.

  2. From inside that process, it registers a spoofed antivirus under whatever display name it has been configured with.

  3. WSC now reports a third-party antivirus, and Defender disables its real-time protection in response.

It’s like someone sneaking past a bouncer by wearing the right badge. Nothing flashy—just sneaky.

Configuration, Logging, and Persistence—Yes, It Has All That

This isn’t a one-trick pony. Defendnot comes with its own loader, and it uses a configuration file—ctx.bin—to manage its behavior.

Here’s what it can do:

  • Set any antivirus display name you like

  • Turn on or off the spoof registration

  • Enable verbose logs so you can see what’s going on under the hood

And of course, it sticks around. It adds itself to Windows Task Scheduler so that it runs every time you log in. No need to click anything. It’s already there, waiting.

Even if Defender tries to re-enable itself, Defendnot’s already queued up to knock it back down again.
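The registration trick and the Task Scheduler persistence described above leave traces an administrator can look for. The following PowerShell script is an added example (it is not code from the Defendnot project, nor from the article's author) that audits the three things involved: what WSC currently believes is registered as antivirus and whether a validly signed binary sits behind each entry, whether Defender's own real-time protection is still on, and which logon-triggered scheduled tasks run from outside the Windows and Program Files trees. It uses only documented cmdlets (Get-CimInstance against root/SecurityCenter2, Get-AuthenticodeSignature, Get-MpComputerStatus, Get-ScheduledTask); the Resolve-WscPath helper and the "trusted roots" heuristic are this example's own assumptions, not anything the tool or Windows defines.

```powershell
# Added audit script (not Defendnot code, not Microsoft code). Run from an elevated
# PowerShell on Windows 10/11. Lists every antivirus registered with Windows Security
# Center (WSC), validates the binary behind each registration, checks Defender's own
# real-time protection state, and lists logon-triggered scheduled tasks that run
# from outside the Windows / Program Files trees.

function Resolve-WscPath([string]$Path) {
    # Helper (assumption of this example): WSC entries and task actions may carry
    # %ProgramFiles%-style variables or surrounding quotes; normalise them.
    if ([string]::IsNullOrWhiteSpace($Path)) { return $null }
    return [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
}

$findings = New-Object System.Collections.Generic.List[string]

# 1. WSC antivirus registrations: the table a spoofed product writes its row into.
$avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'
foreach ($av in $avProducts) {
    $state = '0x{0:X6}' -f [int]$av.productState      # 0x??10?? = enabled, low byte = definitions state
    $exe = Resolve-WscPath $av.pathToSignedProductExe
    # Defender registers a URI ('windowsdefender://') instead of a file path; fall back
    # to its reporting engine path so it is not misreported as a missing binary.
    if ($exe -match '^[a-z]+://') { $exe = Resolve-WscPath $av.pathToSignedReportingExe }

    if (-not $exe -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $findings.Add("WSC AV '$($av.displayName)' (state $state) has no product binary on disk: '$exe'")
        continue
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $exe
    if ($sig.Status -ne 'Valid') {
        $findings.Add("WSC AV '$($av.displayName)' (state $state) binary '$exe' signature status: $($sig.Status)")
    } else {
        Write-Host "OK   WSC AV '$($av.displayName)' (state $state) signed by $($sig.SignerCertificate.Subject)"
    }
}

# 2. Defender's own view: real-time protection is what WSC switches off when another AV registers.
$mp = Get-MpComputerStatus
if (-not ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)) {
    $findings.Add("Defender not fully active: AntivirusEnabled=$($mp.AntivirusEnabled), RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)")
}

# 3. Logon-triggered tasks whose executable lives outside the usual trusted roots
#    (heuristic chosen for this example; adjust for your environment).
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($task in Get-ScheduledTask) {
    $logon = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
    if ($logon.Count -eq 0) { continue }
    foreach ($action in $task.Actions) {
        $cmd = Resolve-WscPath $action.Execute
        if (-not $cmd) { continue }
        $inTrusted = $trustedRoots | Where-Object { $cmd.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
        if (-not $inTrusted) {
            $findings.Add("Logon task '$($task.TaskPath)$($task.TaskName)' runs '$cmd' $($action.Arguments)")
        }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No suspicious WSC entry, Defender state, or logon task found.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Read the three results together rather than separately. A genuine third-party antivirus also turns Defender's real-time protection off, so the second finding on its own is expected on many machines; what points at a spoof is a registered product with no validly signed binary behind it combined with Defender being off and a logon task launching something from a user-writable directory. The path and signature checks are heuristics, not proof: a registration could point at any signed file on disk, so treat a hit as a reason to look at the machine, not as a verdict.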

Defender’s Response: A Bit Late to the Party

Right now, Microsoft Defender is catching up. It’s flagging Defendnot under the detection name 'Win32/Sabsik.FL.!ml'. If you try to run it now, there’s a good chance it’ll get quarantined.

But that assumes Defender is still running.

And therein lies the real risk.

By the time Microsoft adds a detection, the damage may already be done. If an attacker runs Defendnot first and launches another payload afterwards, the machine has no antivirus at all: WSC reports a healthy third-party product, Defender's real-time scanning is off, and nothing is actually scanning. There is no second antivirus layer to catch the follow-on payload.

Just an empty seat where Defender used to be.

Bigger Picture: When Trusted APIs Turn Against You

This isn’t some sophisticated malware using 0-days or kernel exploits. It’s worse in a way. It uses Windows’ own trust mechanisms—the same ones antivirus developers rely on.

And that makes it tricky to solve.

You can’t just block the WSC API. Real antivirus tools need it. And you can’t block Taskmgr.exe either. It’s a core system tool.

In short, Windows built a door for security software. Defendnot just walked through it—with a fake ID.

Here's a quick look at how Defendnot's technique stacks up:

  Feature                    What Defendnot does
  API used                   Windows Security Center (WSC) API
  Protection bypass method   DLL injection into Taskmgr.exe
  Registration method        Fake AV registration using a dummy DLL
  Persistence                Task Scheduler autorun at logon
  Detection by Defender      Yes, flagged as Win32/Sabsik.FL.!ml
  Exploit complexity         Moderate (no kernel exploits needed)
  Legal risk                 Avoids the DMCA problem by using its own, from-scratch code

The whole situation is a bit unsettling. Security features meant to protect users are being twisted in ways most people—and even many sysadmins—don’t expect.

Stephon Brody is a writer who is good at movies, sports, technology, and health related articles. He is passionate about sharing his knowledge and opinions on various topics that interest him and his audience. He is a creative and reliable writer who can deliver engaging and informative articles to his readers.
