- A security researcher built a program that registers itself with Windows as an antivirus product
- Because Windows Defender steps aside when another antivirus is registered, it switches itself off
- A previous iteration was taken down over a copyright (DMCA) complaint
Hackers can now easily turn off Windows Defender by registering a fake antivirus product on the victim's computer. To do so, they can use a new tool called Defendnot, recently released by a security researcher who goes by the alias es3n1n.
As es3n1n explained, Defendnot abuses a previously undocumented Windows Security Center (WSC) API, the one third-party antivirus products use to tell the operating system that they are installed and running on the device.
Windows assumes that two or more antivirus products should not run on the same device at the same time, since they would conflict over scanning and real-time protection. When another product registers itself as the active antivirus, Windows Defender therefore disables its own real-time protection automatically. It does not check whether the registered product actually protects anything, which is exactly what Defendnot relies on: the "antivirus" it registers is a dummy.
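A defender's counter-check, as an added example that is not part of the article or of es3n1n's project: it enumerates the products registered in Windows Security Center through the root/SecurityCenter2 WMI namespace (present on client editions of Windows, not on Windows Server), flags any registered product whose executable is missing or not Authenticode-signed, and then asks Defender itself whether it has stepped into passive mode. The productState decoding (bit 0x1000 set meaning real-time protection is on) is the commonly used community interpretation rather than a documented contract, and is an assumption here.

```powershell
# Added example: inventory what Windows Security Center believes is the active antivirus.
# Not code from the article or from Defendnot. Run in an elevated PowerShell on a client
# edition of Windows; the root/SecurityCenter2 namespace does not exist on Windows Server.
function Get-RegisteredAntivirus {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $exe = $_.pathToSignedProductExe
            # Defender registers a URI ("windowsdefender://") rather than a file path, so only
            # drive-letter or UNC paths are checked on disk; anything else is listed for review.
            if ($exe -match '^([A-Za-z]:\\|\\\\)') {
                $sigStatus = if (Test-Path -LiteralPath $exe) {
                    (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
                } else {
                    'MissingFile'
                }
            } else {
                $sigStatus = 'NotAFilePath'
            }
            [pscustomobject]@{
                Name       = $_.displayName
                Exe        = $exe
                Signature  = $sigStatus
                # Assumption: bit 0x1000 of productState = real-time protection on
                # (community decoding of an undocumented bitfield).
                RealTimeOn = (($_.productState -band 0x1000) -ne 0)
                Registered = $_.timestamp
                # A registered product whose binary is absent or carries no valid signature
                # is the shape a dummy registration would take; URIs still need a manual look.
                Suspicious = ($sigStatus -notin @('Valid', 'NotAFilePath'))
            }
        }
}

function Get-DefenderMode {
    # Defender's own view: AMRunningMode reports 'Passive Mode' (or similar) once another
    # product is the active antivirus, and RealTimeProtectionEnabled drops to False.
    Get-MpComputerStatus | Select-Object AMRunningMode, RealTimeProtectionEnabled, AntivirusEnabled
}

Get-RegisteredAntivirus | Format-Table -AutoSize
Get-DefenderMode
```

If the table shows a product you never installed, or Defender reports passive mode on a machine that should have no other antivirus, treat the host as tampered with rather than simply re-enabling Defender, since whatever registered the product already had enough privilege to do so and may re-register at the next logon.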
Spotted by Defender
According to BleepingComputer, this is the researcher's second attempt at building this kind of tool. The original program, which in the researcher's words “blew up” and went viral soon after its release, was taken down following a Digital Millennium Copyright Act (DMCA) request. As it turned out, es3n1n had used code from a third-party antivirus product to spoof registration with WSC in a program they named no-defender.
That did not sit well with the developers of the third-party product, who demanded that es3n1n take the program down.
After the takedown, the researcher rebuilt the tool as Defendnot, with a dummy antivirus DLL written from scratch. Defendnot also comes with an autorun feature, so it starts as soon as the user logs into Windows and Defender stays disabled across reboots.
The tool was obviously not designed to be used maliciously, but it is safe to assume it will be abused, or that threat actors will simply build their own versions. Threat actors have long used a range of tactics to switch off victims' antivirus software: abusing admin rights, tampering with the registry, blocking updates, installing fake antivirus software, or exploiting flaws in third-party security products.
Luckily, Microsoft Defender can now detect and quarantine Defendnot, flagging it as Win32/Sabsik.FL.!ml. That detection covers this particular build, however; a threat actor who reimplements the same WSC registration trick in their own code will not trip it, so administrators should also keep an eye on which products are registered with Windows Security Center.
Via BleepingComputer