A recently developed tool named Defendnot can allegedly disable Microsoft Defender on Windows devices.
According to reports, the technique works by registering a fake antivirus product, even when no legitimate antivirus software is installed. The method exploits an undocumented Windows Security Centre (WSC) API that antivirus programs use to notify Windows that they are installed and are managing real-time protection.
Researchers noted that when an antivirus program registers itself with WSC, Windows automatically disables Microsoft Defender to prevent conflicts arising from multiple security applications running simultaneously.
Defendnot uses dummy antivirus as its primary weapon.
Created by a security researcher known as es3n1n, the Defendnot tool takes advantage of this behaviour by registering a dummy antivirus product that satisfies all of Windows' validation requirements.
The tool evolved from an earlier project called no-defender, which relied on code from a third-party antivirus to spoof registration with the WSC.
That previous tool was removed from GitHub following a DMCA takedown notice filed by the antivirus vendor. According to the developer, this prompted the decision to rebuild the tool’s functionality entirely from scratch, resulting in Defendnot, which uses a dummy antivirus DLL to avoid copyright issues.
The WSC API is typically protected by several security measures, including Protected Process Light (PPL) and strict digital signature verification. To circumvent these safeguards, Defendnot injects its DLL into Taskmgr.exe, a trusted, Microsoft-signed system process. From within this process it can register the fake antivirus product under a spoofed name.
Once registration is complete, Microsoft Defender disables itself, leaving the device without active antivirus protection.
Furthermore, Defendnot includes a loader component that accepts configuration data through a file named ctx.bin, which allows users to customise the antivirus name, toggle registration, and enable detailed logging.
For persistence, the tool creates a scheduled task via the Windows Task Scheduler to ensure it runs automatically upon user login.
Although Defendnot is primarily intended as a research project, it highlights how trusted Windows system features can be manipulated to disable security software. As of now, Microsoft Defender detects and quarantines Defendnot under the threat name Win32/Sabsik.FL.!ml.
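The three observable effects described above (a new WSC antivirus registration, Defender going inactive, and a logon-triggered scheduled task) can be audited together. The following PowerShell is an added example, not code from Defendnot, its author, or Microsoft; the `$ExpectedAv` allowlist and the task-folder filter are assumptions to adjust for your environment.

```powershell
# Added example: audit for the conditions described in the article. Run on a Windows client.
# ASSUMPTION: $ExpectedAv lists the antivirus display names your organisation deploys.
$ExpectedAv = @('Windows Defender')

# 1. Antivirus products currently registered with Windows Security Center (WSC).
$registered = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop
$avReport = foreach ($av in $registered) {
    # The registered path may contain environment variables or be a URI rather than a file.
    $exe = [Environment]::ExpandEnvironmentVariables([string]$av.pathToSignedProductExe)
    $sig = 'NoFileOnDisk'
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf -ErrorAction SilentlyContinue)) {
        $sig = (Get-AuthenticodeSignature -LiteralPath $exe).Status
    }
    [pscustomobject]@{
        DisplayName = $av.displayName
        ProductExe  = $exe
        Signature   = $sig
        Expected    = $ExpectedAv -contains $av.displayName
    }
}

# 2. Defender's own view of its state; the call can fail if the service is stopped.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $defenderActive = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled
    $runningMode = $mp.AMRunningMode
} catch {
    $defenderActive = $false
    $runningMode = 'Unavailable'
}

# 3. Scheduled tasks that fire at logon, outside Microsoft's own task folder
#    (ASSUMPTION: the folder filter only reduces noise; it is not a trust decision).
$logonTasks = Get-ScheduledTask | Where-Object {
    $_.TaskPath -notlike '\Microsoft\*' -and
    ($_.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
} | Select-Object TaskPath, TaskName, @{ n = 'Execute'; e = { $_.Actions.Execute -join '; ' } }

$unexpected = @($avReport | Where-Object { -not $_.Expected })
$avReport | Format-Table -AutoSize
"Defender active: $defenderActive (AMRunningMode: $runningMode)"
$logonTasks | Format-Table -AutoSize
if ($unexpected.Count -gt 0 -and -not $defenderActive) {
    Write-Warning "Unexpected WSC registration with Defender inactive: $($unexpected.DisplayName -join ', ')"
}
```

An unexpected display name combined with an inactive Defender is the pairing worth escalating; either signal alone also occurs when a legitimate third-party antivirus is installed.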
