CyberSecurity news
@www.csoonline.com
A new tool called 'Defendnot' can switch off Microsoft Defender, the antivirus built into Windows 10 and 11. It does this by registering a fake antivirus product through the Windows Security Center (WSC) API. Windows then believes another antivirus solution is handling real-time protection and turns Defender off to avoid running two engines at once. No real antivirus needs to be installed: Defendnot deactivates the system's primary defense anyway, leaving the computer exposed to malicious code.
Defendnot, written by the security researcher known as es3n1n, uses an undocumented WSC API that is meant for antivirus vendors. Legitimate antivirus products call it to tell Windows they are installed and handling real-time protection. Defendnot abuses this by presenting itself as a valid antivirus product and passing the checks Windows applies to callers. The technique does not rely on a memory-safety bug or a missing patch; it abuses the intended design, which raises the concern that other actors can use the same approach to bypass Windows' built-in protection. The registration requires administrator rights, so the tool is a post-compromise step rather than an initial foothold.
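The practical question for defenders is how to notice that WSC has been fed a fake product. The PowerShell below is an added example, not code from the article or from Defendnot: it lists every antivirus registration WSC knows about, checks whether the executable each one points at exists and carries a valid Authenticode signature, and compares the result with Defender's own status. The productState bit decoding, the assumption that Defender's own entry reports a `windowsdefender:` URI rather than a file path, and the "unverifiable executable" heuristic are this editor's assumptions, not documented Microsoft behaviour. Run it from an elevated PowerShell session on Windows 10/11.

```powershell
# Added example (not the article's or Defendnot's code): audit WSC antivirus
# registrations and cross-check them against Defender's own view of itself.
# Assumptions are marked inline.

function Get-WscAntivirusAudit {
    [CmdletBinding()]
    param()

    # Every product that has registered with the Security Center, genuine or spoofed.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
                                -ClassName 'AntiVirusProduct' -ErrorAction Stop

    foreach ($p in $products) {
        # productState is an undocumented bit field. Assumption (commonly used
        # decoding): 0x1000 set in the middle byte means "enabled / protecting".
        $enabled = (($p.productState -band 0x1000) -ne 0)

        # A genuine vendor points WSC at a signed executable on disk.
        # Assumption: Defender's own entry reports a 'windowsdefender:' URI here,
        # so that entry is the only one excused from the file/signature check.
        $exe = $p.pathToSignedProductExe
        $isDefenderSelf = [bool]($exe -like 'windowsdefender:*')

        $sigStatus = 'NotAFile'
        if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf -ErrorAction SilentlyContinue)) {
            $sigStatus = (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
        }

        # Heuristic: a product WSC considers active whose executable is missing or
        # unsigned is what a spoofed registration typically looks like. A custom
        # display name does not help the attacker here; the name is not trusted.
        $suspicious = (-not $isDefenderSelf) -and $enabled -and ($sigStatus -ne 'Valid')

        [PSCustomObject]@{
            DisplayName     = $p.displayName
            ProductState    = ('0x{0:X6}' -f $p.productState)
            Enabled         = $enabled
            ProductExe      = $exe
            SignatureStatus = $sigStatus
            Registered      = $p.timestamp
            Suspicious      = $suspicious
        }
    }
}

function Test-DefenderSilentlyDisabled {
    [CmdletBinding()]
    param()

    $audit   = Get-WscAntivirusAudit
    $status  = Get-MpComputerStatus
    $spoofed = @($audit | Where-Object { $_.Suspicious })

    if ($spoofed.Count -gt 0 -and -not $status.RealTimeProtectionEnabled) {
        $verdict = 'Defender real-time protection is off and an unverifiable AV is registered: investigate'
    } elseif ($spoofed.Count -gt 0) {
        $verdict = 'Unverifiable AV registration present'
    } else {
        $verdict = 'No spoofed registration detected'
    }

    [PSCustomObject]@{
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        AntivirusEnabled          = $status.AntivirusEnabled
        AMRunningMode             = $status.AMRunningMode
        SuspiciousRegistrations   = @($spoofed | ForEach-Object { $_.DisplayName })
        Verdict                   = $verdict
    }
}

Get-WscAntivirusAudit | Format-Table -AutoSize
Test-DefenderSilentlyDisabled
```

Treat a hit as a tripwire rather than proof: a more careful spoof could point `pathToSignedProductExe` at any validly signed binary already on the machine, so the durable signal is the combination of an unexpected registration with `RealTimeProtectionEnabled` flipping to false, ideally alerted on centrally rather than checked by hand.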
This isn't the first tool to abuse this mechanism. An earlier one, 'no-defender', was pulled after a DMCA takedown request once it gained attention; its developer was accused of using code from a third-party antivirus product to spoof the WSC registration. Defendnot is a replacement for that tool. It ships with a loader that supports a custom antivirus name, a switch to undo the registration, and verbose logging, and it can install itself as a Windows Task Scheduler job so that it re-runs automatically, giving it persistence across reboots. Microsoft is aware of the tool and now flags it as potentially malicious software, detected and quarantined as 'Win32/Sabsik.FL.!ml'.
References:
- The DefendOps Diaries: Explore how the Defendnot tool exploits Windows vulnerabilities to disable Microsoft Defender, highlighting cybersecurity challenges.
- BleepingComputer: New 'Defendnot' tool tricks Windows into disabling Microsoft Defender
- www.csoonline.com: Windows Defender can be tricked into disabling itself by faking the presence of another antivirus solution–a behavior that threat actors can abuse to run malicious code without detection.
- www.scworld.com: Microsoft Defender deactivated by new tool
- borncity.com: Windows 10/11: Defender can be deactivated with a simple tool (Defendnot)
- www.techradar.com: Hackers can turn off Windows Defender with this sneaky new tool
Classification:
- HashTags: #MicrosoftDefender #Defendnot #WindowsSecurity
- Company: Microsoft
- Target: Windows users
- Product: Windows Defender
- Feature: API spoofing
- Malware: Defendnot
- Type: Hack
- Severity: Medium