
Defendnot’s Bypass of Windows Defender Protections

Defendnot is a new utility that tricks Windows into disabling Microsoft Defender by posing as a genuine antivirus. It does so through an undocumented Windows Security Center (WSC) API that authorised antivirus products use to register themselves and report the state of their real-time protection.

Once a third-party antivirus is registered with WSC, Windows automatically turns off Defender's real-time protection to prevent two engines clashing. Defendnot abuses this trust relationship rather than a software bug: it registers itself as a third-party antivirus product, so Defender stands down even on PCs with no other security software installed.
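The registration described above is visible from the defender's side: WSC exposes what it believes is installed through the root/SecurityCenter2 WMI namespace, and Defender reports its own running mode. The following audit is an added example, not code from the Defendnot project or from the original article. It lists every registered antivirus product, checks that the product's executable exists and is Authenticode-signed, and warns when Defender has stood down for products that fail those checks. The productState bit layout it decodes is the commonly used informal reading of an undocumented value and is an assumption, as are the "Normal" running-mode string and the sanity heuristics.

```powershell
# Added example (not from Defendnot or the article): audit WSC registrations
# and Defender's resulting state. The productState decoding is an assumption
# (informal, undocumented layout). Run from an elevated PowerShell session.

function Get-WscProductState {
    param([Parameter(Mandatory)][uint32]$ProductState)
    # Render as six hex digits 0xAABBCC: BB is the on/off byte, CC the signature byte
    $hex = '{0:X6}' -f $ProductState
    [pscustomobject]@{
        Raw               = '0x' + $hex
        Enabled           = ($hex.Substring(2, 2) -in @('10', '11'))
        SignaturesCurrent = ($hex.Substring(4, 2) -eq '00')
    }
}

function Test-WscRegistration {
    # One row per product WSC believes is installed, with sanity findings
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'
    foreach ($p in $products) {
        $state    = Get-WscProductState -ProductState $p.productState
        $findings = [System.Collections.Generic.List[string]]::new()
        $exe      = [Environment]::ExpandEnvironmentVariables([string]$p.pathToSignedProductExe)

        if ($exe -match '^[a-z]+://') {
            # Microsoft Defender registers a protocol handler (windowsdefender://), not a file path
        }
        elseif (-not $exe -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) {
            $findings.Add('product executable is missing on disk')
        }
        else {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $findings.Add("product executable signature is $($sig.Status)") }
        }

        [pscustomobject]@{
            DisplayName       = $p.displayName
            InstanceGuid      = $p.instanceGuid
            ProductExe        = $exe
            Enabled           = $state.Enabled
            SignaturesCurrent = $state.SignaturesCurrent
            Findings          = ($findings -join '; ')
        }
    }
}

function Get-DefenderPosture {
    # Get-MpComputerStatus reports whether Defender is running normally, passively, or not at all
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        RunningMode        = $mp.AMRunningMode
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        AntivirusEnabled   = $mp.AntivirusEnabled
    }
}

function Invoke-WscAudit {
    $regs    = @(Test-WscRegistration)
    $posture = Get-DefenderPosture
    $regs    | Format-Table -AutoSize
    $posture | Format-List

    # The condition that matters: Defender has stood down, and every third-party
    # product it stood down for fails a basic sanity check.
    $thirdParty = $regs | Where-Object { $_.ProductExe -notmatch '^windowsdefender://' }
    if ($posture.RunningMode -ne 'Normal' -and $thirdParty -and
        -not ($thirdParty | Where-Object { -not $_.Findings })) {
        Write-Warning 'Defender is not in Normal mode and no registered third-party AV passes sanity checks'
    }
}

Invoke-WscAudit
```

The root/SecurityCenter2 namespace exists on client editions of Windows only, so this is a workstation check. A product that passes the path and signature checks can still be fraudulent; the point is that a registration with no executable behind it, or one backed by an unsigned file, has no business silencing Defender.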

The Defendnot project, created by researcher es3n1n, is a rewrite of the earlier no-defender project, which was removed from GitHub after a DMCA takedown request. It relies on the WSC API technique alone and contains no code from the original.

Defendnot is, in effect, abusing a Microsoft service that is meant to protect Windows devices. By registering a fake antivirus in Windows Security Center, it forces Defender offline without installing any legitimate protection, and in doing so exposes a weakness in Microsoft's trust model for third-party antivirus integration.

Defendnot registers a fake antivirus in Windows Defender (image: BleepingComputer)

In a blog post, the developer clarifies:

Then, a few weeks after the release, the project blew up quite a bit and gained ~1.5k stars. After that the developers of the antivirus I was using filed a DMCA takedown request, and I didn't really want to do anything with that, so I just erased everything and called it a day.

The Deception Behind Defendnot’s Windows Defender Bypass

Defendnot began with extensive reverse engineering of the Windows Security Center (WSC) service. After mapping its process-validation steps, the developer found that WSC checks the calling process's PE header for the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY flag and validates its digital signature.

In practice, only signed binaries that pass these checks, typically Protected Process Light (PPL) antivirus processes, can register as antivirus products through the WSC API. Defendnot sidesteps the checks by injecting its fake-antivirus DLL into Taskmgr.exe, a Microsoft-signed program that WSC already trusts. From inside Task Manager the DLL calls the WSC API, so the registration appears to come from a trusted process and carries whatever display name Defendnot has been configured with.

Once registered, the fake antivirus immediately causes Microsoft Defender to switch off, leaving the system without active protection. Identifying Taskmgr.exe as a usable host required trial-and-error testing across several system binaries, alongside detailed reverse engineering of WSC's signature-verification logic.
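To make the two caller checks above concrete, here is an added example, not code from Defendnot or the article, that reads the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY bit straight from a file's PE optional header and pairs it with the Authenticode status of the same file. Sweeping System32 with it shows which signed Microsoft binaries would clear the flag check, which is the sort of inventory the trial-and-error search described above amounts to. It only inspects files on disk and never talks to WSC; whether WSC accepts a given binary depends on its full validation logic, which this does not reproduce. The function names are the example's own.

```powershell
# Added example (not from Defendnot or the article): check the FORCE_INTEGRITY
# PE flag and Authenticode status of executables. File inspection only.

$IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080

function Test-ForceIntegrity {
    param([Parameter(Mandatory)][string]$Path)
    # Read enough of the file to cover the DOS header, PE signature and optional header
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 4096
        $n   = $fs.Read($buf, 0, $buf.Length)
    }
    finally { $fs.Dispose() }

    if ($n -lt 0x40 -or $buf[0] -ne 0x4D -or $buf[1] -ne 0x5A) { return $null }   # not 'MZ'
    $peOff = [BitConverter]::ToInt32($buf, 0x3C)                                  # e_lfanew
    if ($peOff -lt 0 -or ($peOff + 24 + 72) -gt $n) { return $null }              # header beyond what was read
    if ([BitConverter]::ToUInt32($buf, $peOff) -ne 0x00004550) { return $null }   # 'PE\0\0'

    # The optional header follows the 4-byte signature and 20-byte COFF header;
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    $dllChars = [BitConverter]::ToUInt16($buf, $peOff + 24 + 70)
    return (($dllChars -band $IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY) -ne 0)
}

function Find-ForceIntegrityBinaries {
    param([string]$Directory = "$env:SystemRoot\System32")
    Get-ChildItem -LiteralPath $Directory -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            if (Test-ForceIntegrity -Path $_.FullName) {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    File      = $_.Name
                    SigStatus = $sig.Status
                    Signer    = $sig.SignerCertificate.Subject
                }
            }
        }
}

Find-ForceIntegrityBinaries | Format-Table -AutoSize
```

Running `Test-ForceIntegrity -Path "$env:SystemRoot\System32\Taskmgr.exe"` reports whether the host process the tool settled on carries the flag. Catalog-signed Windows binaries report a Valid status from Get-AuthenticodeSignature even though they carry no embedded signature, so the signer column is the Windows catalog certificate for most of System32.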

Defendnot is a proof-of-concept that shows how Windows' built-in protections can be bypassed. Its settings, including a custom name for the fake antivirus product, a switch to disable registration, and verbose logging, are stored in a ctx.bin file. For persistence it creates a Windows Task Scheduler entry that starts the tool at login.
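The two artefacts described in this section and the previous one, a logon-triggered scheduled task and foreign code inside Taskmgr.exe, can be hunted with the added example below. It is not code from Defendnot or the article, and it does not know Defendnot's task name, file names or DLL name, none of which the article gives. Instead it applies generic heuristics that are assumptions of the example: a logon task whose binary lives in a user-writable location or is not validly signed, and a module inside Task Manager that is not validly signed by Microsoft. Both will also surface benign third-party software, so treat the output as leads, not verdicts.

```powershell
# Added example (not from Defendnot or the article): hunt logon-triggered
# scheduled tasks with dubious binaries, and non-Microsoft modules in Taskmgr.exe.
# The path and signer heuristics are assumptions, not a Defendnot signature. Run elevated.

function Get-SuspiciousLogonTasks {
    # Locations a legitimately installed scheduled-task binary rarely lives in
    $userWritable = @($env:USERPROFILE, $env:TEMP, $env:LOCALAPPDATA, $env:ProgramData) | Where-Object { $_ }

    foreach ($task in Get-ScheduledTask) {
        $atLogon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
        if (-not $atLogon) { continue }

        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no executable
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            # Bare names such as powershell.exe resolve through PATH, as the scheduler does
            $resolved  = (Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue |
                          Select-Object -First 1).Source
            $sigStatus = if ($resolved) { (Get-AuthenticodeSignature -FilePath $resolved).Status } else { 'FileMissing' }
            $inUserWritable = [bool]($userWritable | Where-Object {
                $resolved -and $resolved.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })

            if ($inUserWritable -or $sigStatus -ne 'Valid') {
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    Execute   = if ($resolved) { $resolved } else { $exe }
                    Arguments = $action.Arguments
                    Signature = $sigStatus
                    UserPath  = $inUserWritable
                }
            }
        }
    }
}

function Get-ForeignTaskmgrModules {
    foreach ($proc in Get-Process -Name Taskmgr -ErrorAction SilentlyContinue) {
        try { $modules = $proc.Modules }
        catch { Write-Warning "cannot read modules of PID $($proc.Id): $_"; continue }

        foreach ($m in $modules) {
            $sig    = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            $signer = if ($sig) { $sig.SignerCertificate.Subject } else { '' }
            # Inside a Microsoft-signed host, anything not validly signed by Microsoft is worth a look;
            # a DLL deleted after injection shows up as an unreadable file.
            if (-not $sig -or $sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
                [pscustomobject]@{
                    PID    = $proc.Id
                    Module = $m.FileName
                    Status = if ($sig) { $sig.Status } else { 'Unreadable' }
                    Signer = $signer
                }
            }
        }
    }
}

Get-SuspiciousLogonTasks  | Format-Table -AutoSize
Get-ForeignTaskmgrModules | Format-Table -AutoSize
```

If Task Manager is not running when the second function executes it returns nothing, which is not a clean bill; the scheduled-task listing and a WSC registration audit do not depend on the host process still being alive.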

Defendnot remains a research project, but Microsoft Defender already detects its binaries as Win32/Sabsik.FL.!ml and quarantines them automatically. The developer notes that when the tool's files are removed the autorun entry stays behind, but the loader no longer works after a reboot.

Although designed for research, Defendnot highlights how trusted OS features can be misused. Security teams and OS developers can use its findings to harden Windows' security architecture against similar abuse.

Security Awareness Training remains one of the most cost-effective ways of boosting cyber-security within your business. Our solutions provide the tools and strategies needed to identify and address vulnerabilities before they can be exploited. Book a demo today to see how it can work for you.
