NEWS Just One DLL – and Windows Is Defenseless. A Standard Microsoft Function Has Become an "Off Switch" for EDR

ExcalibuR

A method to disable Windows Defender via the Bindlink system API has been discovered.

Sometimes, to "turn off" protection in Windows, you don't need to break the antivirus directly. It's enough to stop it from starting normally. A researcher using the alias Two Seven One Three (TwoSevenOneT) has published a tool called EDRStartupHinder on GitHub that aims to do exactly that: it keeps antivirus and EDR solutions from launching during system boot by abusing a legitimate path redirection mechanism in Windows.

The core idea revolves around Bindlink: an API that allows "binding" a local virtual path to another location, essentially transparently redirecting file access. Microsoft describes Bind Links as a way to redirect filesystem namespace via the bindflt.sys driver, originally intended for compatibility and scenarios where files need to "appear" local even if they are physically stored elsewhere.

The authors of EDRStartupHinder use this mechanism for an attack scenario: during Windows startup, the tool creates a redirection for one of the critical DLLs from System32 so that the target security process receives an "unsuitable" version of the library and terminates. The project description explicitly states that the tool prevents Antivirus and EDR from launching by redirecting a key DLL from System32 to another location at the boot stage.

Why does this work against modern security products? An article by Zero Salarium, referenced in the repository, explains the logic: many security processes start as PPL (Protected Process Light) and have stricter rules about what they are allowed to load. If a critical dependency is replaced early on in such a way that it fails validation, the security process can "self-terminate" before it can even activate its own self-defense mechanisms. The author claims to have tested the approach on Windows Defender in Windows 11 25H2 and separately notes testing the technique on several commercial solutions without disclosing their names.

The "Version 1.0" release appeared on January 11, 2026. This is yet another example of how features designed for convenience and compatibility become tools for bypassing protection, especially during the early boot phase where an attacker gains a chance to act "first."

From a practical standpoint for defenders, the important takeaway is not the specific binary but the technique class itself. The same Zero Salarium publication suggests basic defenses: closely monitor the use of Bindlink (specifically activity around bindlink.dll) and the appearance of suspicious services that launch very early, even before EDR components. If unfamiliar "compatibility" services suddenly appear in the environment and, at the same time, a machine's standard protection is gone after a reboot, that is precisely the chain to investigate first.
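A read-only audit that turns the three signals above into something you can run on a suspect host: early-start services whose binary is not validly Microsoft-signed, bindlink.dll loaded into any process, and whether the Defender service actually came up after the reboot. This is an added example, not code from the EDRStartupHinder project or the Zero Salarium article; it assumes an elevated PowerShell session and that WinDefend is the Defender service name on the host.

```powershell
# Added example (not from EDRStartupHinder or Zero Salarium): read-only triage.
# Nothing here modifies the system; run elevated so service binaries are readable.

function Resolve-ImagePath([string]$ImagePath) {
    # ImagePath values come in several shapes: "\SystemRoot\...", "system32\...",
    # "\??\C:\...", "%SystemRoot%\...", or a quoted absolute path plus arguments.
    $p = $ImagePath.Trim() -replace '^"([^"]+)".*$', '$1'
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^(\\SystemRoot|%SystemRoot%)', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    # Drop trailing arguments such as "-k netsvcs" on unquoted svchost entries.
    return ($p -split '\s+-|\s+/')[0]
}

# Start values in the registry: 0 = Boot, 1 = System, 2 = Auto, 3 = Manual.
# Boot/System entries run before user-mode EDR, which is the window the text describes.
$early = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $s = Get-ItemProperty -Path $_.PSPath
    if ($null -ne $s.Start -and $s.Start -le 1 -and $s.ImagePath) { $s }
}

$findings = foreach ($s in $early) {
    $exe = Resolve-ImagePath $s.ImagePath
    if (-not (Test-Path -LiteralPath $exe)) { $status = 'MissingBinary'; $signer = $null }
    else {
        $sig = Get-AuthenticodeSignature -FilePath $exe   # catalog signatures are checked too
        $status = $sig.Status; $signer = $sig.SignerCertificate.Subject
    }
    # A validly signed third-party driver also lands here: treat it as a lead, not a verdict.
    $isMs = ($status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
    [pscustomobject]@{ Service = $s.PSChildName; Start = $s.Start; Path = $exe
                       Status = $status; Suspicious = (-not $isMs) }
}
"Early-start services not validly Microsoft-signed:"
$findings | Where-Object Suspicious | Format-Table -AutoSize

# bindlink.dll loaded anywhere deserves an explanation; protected processes refuse the query.
$bindlinkHosts = foreach ($p in Get-Process) {
    try { if ($p.Modules.ModuleName -contains 'bindlink.dll') { $p.ProcessName } } catch {}
}
"Processes with bindlink.dll loaded: $($bindlinkHosts -join ', ')"

# The tool's stated goal is Defender not coming up after a reboot; ask the service directly.
$defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
"WinDefend state: $(if ($defender) { $defender.Status } else { 'service not registered' })"
```

Compare the early-start list against a known-good baseline from a healthy machine of the same build; a new entry that appeared together with WinDefend not running is the chain the article tells you to chase.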