A new security tool known as ‘Defendnot’ has emerged, capable of disabling Microsoft Defender protections on Windows systems by registering a fake antivirus product. The technique relies on an undocumented Windows Security Center (WSC) API: by registering a product through it, the tool causes Windows to turn off its native antivirus even though no legitimate antivirus software is installed.
The tool, developed by cybersecurity researcher es3n1n, circumvents Microsoft’s standard security protocols by creating a dummy antivirus DLL designed to pass the necessary validation checks. By exploiting the WSC API, which is intended for use only by actual antivirus products, Defendnot effectively fools Windows into shutting down Microsoft Defender, the behaviour Windows applies by design to prevent conflicts between multiple security applications.
Defendnot draws from the foundations of a previous project, no-defender, which was taken down after a DMCA request from a third-party antivirus vendor. In a recent blog post, the developer noted the troubles faced after the initial release of no-defender, which gained popularity quickly but ultimately led to legal repercussions.
To avoid repeating past mistakes and potential copyright issues, Defendnot has been built entirely from the ground up. It operates by injecting a DLL into Taskmgr.exe, a trusted Microsoft process, and from there registers the fake antivirus product. The tool can also persist through Windows Task Scheduler so that it runs again at each system login, which raises significant concerns about its implications for cybersecurity.
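The following PowerShell script is an added example, not code from the article or from the Defendnot project, showing how an administrator can check a host for the two conditions described above: a product registered with Windows Security Center that Defender has yielded to, and a logon-triggered scheduled task running from outside the system directories. It assumes Windows 10/11 with the built-in Defender PowerShell module and an elevated session; the function names are the author's own.

```powershell
# Added example (not from the article or the Defendnot project): audit WSC
# antivirus registrations, Defender's running mode and logon-triggered tasks.

function Get-WscAntivirusAudit {
    # Every product WSC believes is an antivirus, genuine or rogue. A registration
    # whose signed product executable is missing or unsigned deserves a closer look.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $exe = $_.pathToSignedProductExe
            $issues = @()
            if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
                $issues += 'signed product exe not found'
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $issues += "signature: $($sig.Status)" }
            }
            [pscustomobject]@{
                DisplayName  = $_.displayName
                ProductState = ('0x{0:X6}' -f $_.productState)
                ProductExe   = $exe
                Issues       = ($issues -join '; ')
            }
        }
}

function Get-DefenderModeSummary {
    # AMRunningMode reports 'Passive Mode' once WSC thinks another AV owns the host.
    Get-MpComputerStatus |
        Select-Object AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled
}

function Get-LogonTaskOutsideSystemPaths {
    # Logon-triggered tasks whose action does not live under the Windows or
    # Program Files trees; persistence via Task Scheduler tends to land here.
    $systemPaths = '^(%SystemRoot%|%windir%|C:\\Windows|C:\\Program Files)'
    foreach ($task in Get-ScheduledTask) {
        $logon = $task.Triggers |
            Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
        if (-not $logon) { continue }
        foreach ($action in $task.Actions) {
            if ($action.Execute -and $action.Execute -notmatch $systemPaths) {
                [pscustomobject]@{
                    Task      = "$($task.TaskPath)$($task.TaskName)"
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

Get-WscAntivirusAudit | Format-Table -AutoSize
Get-DefenderModeSummary | Format-List
Get-LogonTaskOutsideSystemPaths | Format-Table -AutoSize
```

A third-party product that is genuinely installed will also appear in the first table with a valid non-Microsoft signature, so the Issues column, not the vendor name, is what to triage.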
Despite the tool’s capabilities, Microsoft Defender reportedly detects and quarantines Defendnot under the label ‘Win32/Sabsik.FL.!ml’, reflecting ongoing efforts to mitigate the tool’s impact. The development of such tools raises important questions about the security of trusted system features, as demonstrated by Defendnot’s troubling ability to turn off vital protective mechanisms.