NEWS Pretend to Be an Antivirus — and the System Will Give Up: How to Fool Windows in Two Clicks

ExcalibuR


Microsoft Defender Turns Itself Off — Just Pretend to Be an Antivirus and Gain Its Trust.


A new tool called Defendnot, freely available on GitHub, is capable of completely disabling Microsoft Defender on Windows devices by masquerading as antivirus software. The main trick is the use of a non-standard mechanism in the Windows Security Center (WSC), which is designed for registering antivirus programs. When the system believes that an antivirus is already installed, the built-in Defender automatically disables itself to avoid conflicts. However, in reality, no other antivirus is actually installed — it's just a trick to turn off the built-in protection.


This feature was exploited by the creator of Defendnot, known under the pseudonym es3n1n. He created a library that formally meets the WSC requirements and passes Windows checks. As a result, the fake antivirus is registered as legitimate, and Microsoft Defender disables real-time protection without hesitation.


The precursor to Defendnot was a project called no-defender, which used actual antivirus code for registration through WSC. However, after the antivirus vendor filed a DMCA complaint, the project was removed from GitHub. The new tool avoided similar issues: it was built completely from scratch and uses a fake DLL that does not violate copyrights.


To bypass Windows' own protective measures, such as Protected Process Light (PPL) and digital signature verification, Defendnot injects its library into the trusted system process Taskmgr.exe. This allows it to bypass restrictions and easily register the fake antivirus with any display name.


Once registered, Microsoft Defender is immediately disabled. No active protection remains on the device, leaving it vulnerable to any kind of attack. For convenience and stability, Defendnot uses the Windows Task Scheduler — the fake antivirus will automatically start with every system boot.


The tool package includes a loader that allows passing settings through the file ctx.bin. You can specify the display name of the antivirus, disable registration, and enable detailed logging.


Despite the author positioning the project as a research tool, it starkly demonstrates how vulnerable even trusted components of the security system are when given a certain level of access and manipulation.


Currently, Microsoft Defender has started detecting and quarantining Defendnot as a threat named "Win32/Sabsik.FL.!ml", indicating an attempt to close the channel that disables its protection, although the underlying vulnerability — the trust mechanism for registered software — remains unchanged.
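As an added example (not code from this post or from the Defendnot project), here is a PowerShell audit a defender can run to cross-check what Windows Security Center believes about installed antivirus products against what actually exists on disk, alongside Defender's own real-time protection state. It assumes an elevated session on Windows 10/11 with the Defender PowerShell module present; the function names are my own, and the display-name match for Defender's own WSC entry is an assumption.

```powershell
# Added audit script, not part of Defendnot. Assumes it runs as Administrator
# on Windows 10/11 where the Defender PowerShell module (Get-MpComputerStatus) exists.

function Get-WscAntivirusAudit {
    # Windows Security Center keeps its view of installed antivirus products in the
    # root/SecurityCenter2 WMI namespace; Defender consults this before stepping aside.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'
    foreach ($p in $products) {
        $exe = [string]$p.pathToSignedProductExe
        # Defender's own entry uses a pseudo-path ('windowsdefender://'), so only
        # real drive-letter paths are checked on disk.
        $isFilePath = $exe -match '^[A-Za-z]:\\'
        $exists     = $isFilePath -and (Test-Path -LiteralPath $exe -PathType Leaf)
        $sig = 'NotAFilePath'
        if ($isFilePath) { $sig = 'FileMissing' }
        if ($exists)     { $sig = (Get-AuthenticodeSignature -FilePath $exe).Status.ToString() }
        # Assumption: Defender's WSC entry is named 'Windows Defender' / 'Microsoft Defender'.
        $isDefender = $p.displayName -match 'Windows Defender|Microsoft Defender'
        [pscustomobject]@{
            DisplayName  = $p.displayName
            ProductExe   = $exe
            Signature    = $sig
            ProductState = ('0x{0:X6}' -f [int]$p.productState)
            # A non-Defender product that WSC trusts, but whose executable is absent
            # or not validly signed, is the shape of registration the article describes.
            Suspicious   = (-not $isDefender) -and ($sig -ne 'Valid')
        }
    }
}

function Get-DefenderProtectionState {
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled          = $mp.AntivirusEnabled
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        AMRunningMode             = $mp.AMRunningMode   # 'Normal' vs 'Passive Mode'
    }
}

$audit = Get-WscAntivirusAudit
$state = Get-DefenderProtectionState
$audit | Format-Table -AutoSize
$state | Format-List
if (-not $state.RealTimeProtectionEnabled -and ($audit | Where-Object Suspicious)) {
    Write-Warning 'Defender real-time protection is off while WSC trusts a product with no validly signed executable.'
}
```

A legitimate third-party antivirus shows a Valid signature on an existing executable, so the warning fires only for the combination the article describes: Defender stepped aside for a registration that has no real product behind it.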