Defendnot Tool Exploits Windows Security Center to Disable Defender

A new tool called “Defendnot” has emerged, capable of deactivating Windows Defender by impersonating a legitimate antivirus program. Created by GitHub user “es3n1n”, the tool uses the Windows Security Center (WSC) API to deceive the system into recognizing it as an active third-party antivirus. Once this registration occurs, Windows Defender is automatically disabled to avoid software conflicts.

WSC itself is designed to manage and verify the presence of security software on Windows machines. When genuine antivirus software is installed, it registers with WSC, prompting the system to disable Defender. Defendnot mimics this behavior without using any code from existing antivirus products.

How Defendnot Works: Exploiting WSC with Reverse Engineering

The developer reverse-engineered the undocumented WSC API, which usually requires a Microsoft NDA for access. They discovered that WSC validates security software using parameters like the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY flag in the PE header and the digital signature of the calling process.

To overcome these challenges, Defendnot uses a legitimate system process, such as Task Manager (taskmgr.exe), as a host to execute its code. The tool also uses COM interfaces, such as IWSCProductList, to register a non-functional antivirus product. Once Windows sees this fake registration, it disables Defender.


Security researcher Will Dormann also drew attention to Defendnot on social media, explaining that it registers a fake antivirus product, effectively tricking the system into disabling Microsoft Defender.

Technically, Defendnot interacts with the Windows Security Center (WSC) through interfaces such as IWSCProductList, which are normally used only by legitimate antivirus software. It relies on undocumented Windows APIs, resources that are generally reserved for vendors participating in the Microsoft Virus Initiative (MVI) and are accessible only under a non-disclosure agreement.
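Because any product registered with WSC is visible through the root/SecurityCenter2 WMI namespace, an administrator can audit those registrations and cross-check Defender's own state. The following script is an added example written for this article, not code from Defendnot or its author; the $ApprovedProducts allowlist is a placeholder an admin replaces with the products actually deployed, and the productState decoding is the common heuristic for an undocumented field.

```powershell
# Added defender-side audit; not part of Defendnot or of the article above.
# Lists every antivirus registered with Windows Security Center (WSC), flags
# registrations absent from an administrator-maintained allowlist, and reports
# whether Microsoft Defender is still active. Run in an elevated PowerShell.
# Assumption: $ApprovedProducts is a placeholder the admin replaces with the
# display names of the products actually deployed in their environment.

$ApprovedProducts = @('Windows Defender', 'Microsoft Defender Antivirus')

# productState is undocumented; the widely used decoding reads the middle byte
# as the "enabled" flag and the low byte as "signatures up to date". Heuristic.
function Get-WscProductStatus {
    param([int]$ProductState)
    $hex = '{0:X6}' -f $ProductState
    [pscustomobject]@{
        Enabled  = $hex.Substring(2, 2) -in @('10', '11')
        UpToDate = $hex.Substring(4, 2) -eq '00'
    }
}

# The registrations Defendnot abuses are visible through the
# root/SecurityCenter2 WMI namespace, class AntiVirusProduct.
$products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct
$unknownEnabled = @()

foreach ($p in $products) {
    $status = Get-WscProductStatus -ProductState $p.productState
    $known  = $p.displayName -in $ApprovedProducts
    # Show who signed the executable the registration points to; a product whose
    # path is missing or is not signed by an AV vendor deserves a closer look.
    $signer = if ($p.pathToSignedProductExe -and (Test-Path $p.pathToSignedProductExe)) {
        (Get-AuthenticodeSignature $p.pathToSignedProductExe).SignerCertificate.Subject
    } else { '<path not found>' }
    [pscustomobject]@{
        Product  = $p.displayName
        Enabled  = $status.Enabled
        UpToDate = $status.UpToDate
        Exe      = $p.pathToSignedProductExe
        Signer   = $signer
        Allowed  = $known
    } | Format-List
    if (-not $known -and $status.Enabled) { $unknownEnabled += $p.displayName }
}

# Cross-check with Defender itself: after a third-party registration WSC puts
# Defender into passive mode or disables it, which Get-MpComputerStatus reflects.
$mp = Get-MpComputerStatus
"Defender: AntivirusEnabled=$($mp.AntivirusEnabled) RealTime=$($mp.RealTimeProtectionEnabled) Mode=$($mp.AMRunningMode)"
if ($unknownEnabled.Count -gt 0 -and -not $mp.RealTimeProtectionEnabled) {
    Write-Warning "Unapproved AV registration(s) active while Defender is off: $($unknownEnabled -join ', ')"
}
```

An unapproved product that reports as enabled while Defender shows real-time protection off is the combination this tool produces, and the Signer field helps distinguish a genuine vendor registration from one pointing at an unrelated binary.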

The tool also features a set of built-in commands, including:


This allows users to execute various functions related to antivirus registration and system manipulation.

Security Implications and Limitations

Defendnot highlights the potential for misuse, especially by malware creators looking to neutralize built-in security. However, it is important to note that the tool requires admin privileges, making silent deployment more difficult. Another limitation is persistence, as Defendnot must add itself to autorun to remain active after a reboot, and its files need to stay on disk.

While originally intended as a proof-of-concept, Defendnot offers a compelling look at how security mechanisms in Windows can be bypassed. For researchers and IT professionals, it underscores the need for Microsoft to tighten security architecture around WSC integrations.