Defendnot Disables Windows Defender by Masquerading as an Antivirus Solution
Defendnot is a new tool that disables Windows Defender by using the Windows Security Center (WSC) API to register itself as a legitimate antivirus product. Written by GitHub developer es3n1n, it does not depend on code from any existing antivirus product but interacts with WSC directly. Building it involved reverse engineering the WSC service and its validation mechanisms, and the tool uses Task Manager as its host process. Although it demonstrates technical skill, security experts warn that it could be abused for malicious purposes. 2025-5-12 05:54:2 Author: cybersecuritynews.com

Defendnot Disables Windows Defender

Defendnot is a sophisticated new tool that effectively disables Windows Defender by exploiting the Windows Security Center (WSC) API to register itself as a legitimate antivirus solution.

The Windows Security Center service is designed to ensure Windows computers maintain adequate security protection. 

When third-party antivirus software is installed, it registers with WSC, which then automatically disables Windows Defender to prevent conflicts.


Developed by a GitHub developer known as “es3n1n”, the tool is noteworthy for its direct interaction with WSC without relying on code from existing antivirus products.

This release comes approximately one year after the developer’s previous tool, “no-defender,” was removed following a DMCA takedown request.

“There’s a WSC (Windows Security Center) service in Windows which is used by antiviruses to let Windows know that there’s some other antivirus in the hood and it should disable Windows Defender,” the developer shared in a report with Cyber Security News. 

“This WSC API is undocumented and furthermore requires people to sign an NDA with Microsoft to get its documentation.”

Defendnot Disables Windows Defender

According to the developer’s detailed blog post, creating defendnot involved extensive reverse engineering of the WSC service and identifying the process validation mechanisms Microsoft employs. 

The project faced significant technical challenges, including understanding how WSC validates calling processes before allowing them to register as antivirus solutions.

A critical discovery was that WSC performs checks on processes attempting to register, including verifying the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY flag in the PE header and examining digital signatures. 

The Task Manager (Taskmgr.exe) met these requirements and could be used as a “victim process” to host the defendnot code.

The tool uses COM interfaces to interact with WSC, registering a phantom antivirus product. When Windows detects this “antivirus,” it automatically disables its built-in protection. 

Security researcher Will Dormann highlighted the tool on social media, noting that it “uses this technique to install a null AV product, thus having the effect of simply disabling Microsoft Defender.”

Technically, defendnot implements interfaces such as IWSCProductList to interact with WSC and relies on undocumented Windows APIs that Microsoft normally shares only with certified antivirus vendors, under NDA, through its Microsoft Virus Initiative (MVI) program.

The tool includes several commands:

One limitation noted by the developer is that “to keep this WSC stuff even after reboot, defendnot adds itself to the autorun. Thus, you would need to keep the defendnot binaries on your disk.”
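The registration and autorun behaviour described above can be audited from the defender's side. The PowerShell script below is an added example, not code from the article or from the defendnot project: it lists the products registered with WSC, flags any whose registered executable does not resolve to a validly signed file, and reports when Defender is off while such a registration exists, including any Run-key entry that launches the flagged binary. It assumes an elevated session on Windows 10/11 (the root/SecurityCenter2 namespace exists on client SKUs) and that the autorun entry lives in the HKLM/HKCU Run keys, which the article does not state.

```powershell
# Added example (not from the article or the defendnot project): audit the AV
# products registered with Windows Security Center, flag any whose registered
# executable is missing or not validly signed, and correlate with Defender's
# state and the Run keys. Assumptions: elevated PowerShell on Windows 10/11;
# persistence is only checked in the HKLM/HKCU Run keys (an assumption).

function Get-RegisteredAvProducts {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $exe = [string]$_.pathToSignedProductExe
            # Defender itself registers a 'windowsdefender://' URI rather than a file path.
            $sig = if ($exe -like 'windowsdefender:*') { 'BuiltIn' }
                   elseif ($exe -and (Test-Path -LiteralPath $exe)) { [string](Get-AuthenticodeSignature -FilePath $exe).Status }
                   else { 'MissingFile' }
            [pscustomobject]@{
                DisplayName  = $_.displayName
                ProductState = ('0x{0:X6}' -f [int]$_.productState)
                ProductExe   = $exe
                Signature    = $sig
                # A genuine third-party product resolves to a validly signed binary.
                Suspicious   = ($sig -notin 'Valid', 'BuiltIn')
            }
        }
}

function Get-RunKeyEntries {
    foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                   'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path -Path $k)) { continue }
        $key = Get-Item -Path $k
        foreach ($n in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $k; Name = $n; Command = [string]$key.GetValue($n) }
        }
    }
}

$products = @(Get-RegisteredAvProducts)
$products | Format-Table -AutoSize
try { $defenderOn = [bool](Get-MpComputerStatus).AntivirusEnabled } catch { $defenderOn = $false }

# The condition the article describes: Defender switched off by a registration that does not resolve to a real product.
$bad = @($products | Where-Object Suspicious)
if ($bad.Count -gt 0 -and -not $defenderOn) {
    Write-Warning 'Defender is disabled while a suspicious WSC registration exists:'
    $bad | ForEach-Object { Write-Warning ('  {0} -> {1} [{2}]' -f $_.DisplayName, $_.ProductExe, $_.Signature) }
    # Run entries that launch the suspicious binary are the persistence leads to review.
    $names = @($bad | Where-Object ProductExe | ForEach-Object { Split-Path -Leaf $_.ProductExe })
    Get-RunKeyEntries | Where-Object { $c = $_.Command; @($names | Where-Object { $c -like "*$_*" }).Count -gt 0 } |
        ForEach-Object { Write-Warning ('  {0}\{1}: {2}' -f $_.Key, $_.Name, $_.Command) }
}
```

On a clean machine the table shows only the built-in Defender entry and no warning is emitted; a registration whose executable is missing or unsigned while Defender reports AntivirusEnabled = False is the case worth investigating.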

While the tool demonstrates impressive technical knowledge and reverse engineering skills, security experts caution that such utilities could potentially be misused by malware authors seeking to disable security protections. 

However, it’s worth noting that defendnot requires administrative privileges to function, limiting its potential for covert deployment.

For security researchers and administrators, this tool provides valuable insights into how Windows manages security product integration and highlights potential areas where Microsoft’s security architecture could be strengthened to prevent similar bypasses in the future.



Source: https://cybersecuritynews.com/defendnot-disables-windows-defender/