Fixxx
Moderator

Many modern companies support a BYOD (Bring Your Own Device) policy, allowing employees to use their own devices for work purposes. This practice is especially common in organizations that embrace remote work. While BYOD has many obvious advantages, implementing such a policy creates new cybersecurity risks. Today we will discuss one of these risks: a new research project called Defendnot, which allows users to disable Microsoft Defender on Windows devices by registering a fake antivirus.
Microsoft Defender Can Be Disabled Using a Fake Antivirus
As an experiment with no-defender showed, Microsoft Defender can be disabled using a fake antivirus. To understand how Defendnot works, we need to go back a year. At that time, a researcher with the Twitter handle es3n1n, who is the author of this tool, published the first version of the project on GitHub. It was called no-defender and its task was also to disable the built-in Windows Defender antivirus. To accomplish this task, es3n1n used a special Windows API, the Windows Security Center (WSC) API. Through this API, antivirus software informs the system that it is installed and takes over real-time protection of the device.
Upon receiving such a message, Windows automatically disables Microsoft Defender to avoid conflicts when multiple security solutions operate simultaneously on one device.
Based on the code of an existing security solution, the researcher was able to create his fake antivirus, which registered itself in the system and passed all Windows checks. After that, Microsoft Defender was disabled, leaving the device unprotected, as no-defender had no actual protective functions. The no-defender project quickly gained popularity on GitHub and received 2,000 stars from grateful users. However, the antivirus company whose code the researcher used filed a complaint against it under the Digital Millennium Copyright Act (DMCA). As a result, es3n1n removed the project code from GitHub, leaving only a description page.
Updated Version of the Tool to Disable Microsoft Defender
The story didn't end there. Almost a year later, a New Zealand programmer under the pseudonym MrBruh encouraged es3n1n to develop a solution to the same problem that no-defender addressed, but without using someone else's code. Ultimately, due to curiosity and sleep issues, es3n1n wrote new code for the tool in four days, which was named Defendnot. The basis for Defendnot was a DLL stub that pretends to be a legitimate antivirus. To bypass all Windows Security Center API checks, including Protected Process Light (PPL), digital signatures and other mechanisms, Defendnot injects its DLL into Taskmgr.exe, which is signed and already considered trusted by Microsoft.
Then, the tool registers the fake antivirus - after which Microsoft Defender is immediately disabled, leaving the device without active protection.
In addition, Defendnot allows the user to assign any name to the fake antivirus. The author also published this project on GitHub. Like the previous version of the antivirus disabling tool, Defendnot is popular on the platform and, at the time of writing this post, has already received 2,100 stars. To install Defendnot, the user must have administrator rights.
Conclusion
Defendnot is positioned as a research project. Both tools demonstrate how trusted system mechanisms can be manipulated to disable protective features.
This leads to a rather obvious conclusion: you can't always rely on what Windows itself reports about its security state. Therefore, it's recommended to take measures to ensure security:
- Conduct frequent security audits and vulnerability assessments to identify and mitigate potential risks associated with unauthorized software.
- Use comprehensive endpoint protection software that includes threat detection and response capabilities to identify unauthorized software.
- Implement monitoring tools to track system changes and detect unusual behavior that may indicate the presence of unauthorized software.
- Implement MFA for accessing sensitive systems and data to add an extra layer of security against unauthorized access.
- Limit administrative rights on devices to prevent unauthorized installations and modifications to system settings.
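The mechanism described above (a product registers with the Windows Security Center API, and Windows switches Defender off to avoid two real-time engines running at once) means the WSC registration list itself is the first thing worth monitoring. The following PowerShell script is an added example written for this post; it is not code from the original post or from the Defendnot project. It inventories every antivirus product registered in the root/SecurityCenter2 WMI namespace, compares the names against an allow-list (the allow-list contents are a placeholder assumption to be replaced with the products your organisation actually deploys), checks the Authenticode signature of each product's registered executable where it is a real file, and cross-checks the result against what Get-MpComputerStatus says about Defender. The productState bit decoding is a widely used heuristic that Microsoft does not formally document, so treat it as indicative only.

```powershell
# Added example (not from the original post or the Defendnot project).
# Run from an elevated PowerShell prompt on the endpoint being checked.
# Assumption: $ExpectedProducts is a placeholder allow-list; replace it with
# the antivirus product display names your organisation actually deploys.
$ExpectedProducts = @('Windows Defender')

function Get-WscAntivirusProducts {
    # root/SecurityCenter2 is the WMI namespace exposed by Windows Security
    # Center; AntiVirusProduct lists every product that registered itself as AV.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            # productState is a bitmask. Heuristic (undocumented): bit 0x10 of
            # the middle byte is set when the product claims real-time protection.
            $state = [int]$_.productState
            $rtpOn = ((($state -shr 8) -band 0x10) -ne 0)

            # Defender registers a URI ("windowsdefender://") rather than a file
            # path, so only verify a signature when the path is a real file.
            $exe = $_.pathToSignedProductExe
            $sigStatus = 'NoFile'
            $signer = $null
            if ($exe -and [System.IO.File]::Exists($exe)) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                $sigStatus = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            [pscustomobject]@{
                DisplayName     = $_.displayName
                ProductExe      = $exe
                RealTimeOn      = $rtpOn
                SignatureStatus = $sigStatus
                Signer          = $signer
                Expected        = ($ExpectedProducts -contains $_.displayName)
            }
        }
}

function Get-DefenderStatusSummary {
    # Defender's own view of itself, independent of what WSC reports.
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled          = $mp.AntivirusEnabled
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        TamperProtected           = $mp.IsTamperProtected
    }
}

function Get-WscFindings {
    param([object[]]$Products, [object]$Defender)
    $findings = @()
    foreach ($p in $Products) {
        if (-not $p.Expected) {
            $findings += "Unexpected antivirus registered with WSC: '$($p.DisplayName)' ($($p.ProductExe))"
        }
        # A registered executable that exists on disk but carries no valid
        # signature is a crude but cheap indicator of a stub product.
        if ($p.SignatureStatus -ne 'NoFile' -and $p.SignatureStatus -ne 'Valid') {
            $findings += "Registered product executable is not validly signed: '$($p.DisplayName)' ($($p.SignatureStatus))"
        }
    }
    $unexpectedRtp = @($Products | Where-Object { -not $_.Expected -and $_.RealTimeOn })
    if (-not $Defender.RealTimeProtectionEnabled -and $unexpectedRtp.Count -gt 0) {
        $findings += 'Defender real-time protection is off while an unexpected product claims real-time protection'
    }
    if (-not $Defender.TamperProtected) {
        $findings += 'Defender tamper protection is not enabled'
    }
    return $findings
}

$products = Get-WscAntivirusProducts
$defender = Get-DefenderStatusSummary

$products | Format-Table DisplayName, Expected, RealTimeOn, SignatureStatus, Signer -AutoSize
$defender | Format-List

$findings = Get-WscFindings -Products $products -Defender $defender
if ($findings.Count -eq 0) {
    Write-Output 'No WSC anomalies found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The allow-list comparison is the signal that matters: because Defendnot places its code inside a Microsoft-signed process, a valid signature on the registered path proves little on its own, and the signature check only catches the cruder cases. Scheduling this script (or the equivalent query from an EDR platform) and alerting on any product name that is not on the allow-list, or on Defender reporting real-time protection off while a stranger claims it, turns the mechanism the post describes into a detectable event. Since both tools require administrator rights to register, the last item in the list above, limiting local admin, is what prevents the registration in the first place.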