'Defendnot' Tool Exploits Windows Feature to Shut Down Microsoft Defender

A newly developed tool called Defendnot can trick Windows into turning off Microsoft Defender by registering a fake antivirus through an undocumented Windows Security Center (WSC) API.

This API is typically used by legitimate antivirus software to let Windows know it's handling real-time protection, which prompts the system to disable Defender to prevent conflicts.

Created by a researcher known as es3n1n, Defendnot builds on an earlier project that was taken down under the DMCA, but avoids the same legal issues by using an original dummy antivirus DLL.

The tool injects its code into a trusted system process like Taskmgr.exe, allowing it to bypass security restrictions and register the fake AV. Once recognized by Windows, Microsoft Defender shuts down automatically, leaving the device without active protection.

Though presented as a proof-of-concept, the tool raises serious concerns about how easily core security features can be undermined using built-in Windows components.
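Because the technique works by getting a product registered with Windows Security Center, a defender can audit that registration directly. The PowerShell below is an added example, not part of the original article or of Defendnot: it lists the antivirus products WSC currently knows about, checks the Authenticode signature of each product's reported executable, and warns when Defender's real-time protection is off while an unexpected product is registered. The `$ExpectedProducts` allowlist and the function name `Test-RegisteredAntivirus` are assumptions to adapt per environment.

```powershell
# Added example: audit antivirus registrations in Windows Security Center (WSC).
# Assumption: $ExpectedProducts is a site-specific allowlist of display names.
$ExpectedProducts = @('Windows Defender', 'Microsoft Defender Antivirus')

function Test-RegisteredAntivirus {
    param([string[]]$Allowed = $ExpectedProducts)

    # root/SecurityCenter2 exists on Windows client editions, not on Windows Server.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
        -ClassName 'AntiVirusProduct' -ErrorAction Stop

    foreach ($p in $products) {
        # The stored path may contain environment variables or a non-file URI.
        $exe = [Environment]::ExpandEnvironmentVariables([string]$p.pathToSignedProductExe)
        $sigStatus = 'NoFileOnDisk'
        $signer = $null
        if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf -ErrorAction SilentlyContinue)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $exe
            $sigStatus = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            DisplayName = $p.displayName
            ProductExe  = $exe
            Signature   = $sigStatus
            Signer      = $signer
            Registered  = $p.timestamp
            Unexpected  = ($Allowed -notcontains $p.displayName)
        }
    }
}

$report = @(Test-RegisteredAntivirus)
$report | Format-Table -AutoSize

# Cross-check with Defender's own status; $mp is $null if the cmdlet cannot answer,
# which is treated the same as protection being off.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
$unexpected = @($report | Where-Object { $_.Unexpected })
if ((-not $mp.RealTimeProtectionEnabled) -and $unexpected.Count -gt 0) {
    Write-Warning ('Defender real-time protection is off and WSC lists an unexpected AV: ' +
        ($unexpected.DisplayName -join ', '))
}
```

Run it from an elevated PowerShell session on a Windows client; an entry with `Unexpected = True` and no valid signature on its product executable is the combination worth investigating.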
