Defendnot tool pitched as 'an even funnier way’ to disable Windows Defender
Works by tapping into an undocumented WSC API call to tell Windows there’s some other antivirus software turned on.

There’s a new tool available for folks who want to disable Windows Defender without replacing it with a rival antivirus (AV) product. Developer and reverse engineer es3n1n released the new Defendnot tool recently. The software taps into an undocumented Windows Security Center (WSC) API to tell the OS that some other antivirus product is installed and active, thus gracefully giving Windows Defender the elbow.
In a blog post discussing Defendnot’s development, es3n1n introduces the new tool as a replacement for their no-defender tool from a year ago. Defendnot’s ancestor disabled Windows Defender by reusing third-party code from an existing AV product. Not surprisingly, it was hit by a DMCA takedown request. Defendnot started as an attempt to create a “clean implementation” of the prior project, without any ‘donor’ AV. This wasn’t easy, as WSC isn’t (publicly) documented.
Leaning on prior experience, es3n1n correctly guessed how WSC validates calls made by genuine AV products. So they injected their code into a process that passes that validation, with immediately promising results. The blog shows a “fresh-new antivirus I registered,” and you can see it is arbitrarily named ‘hi2.’ In a screenshot on the project’s GitHub page, you can also see it dubbed 'hello readme:).'
Many shenanigans later (about three days), es3n1n finessed their Defendnot tool by injecting the fake AV DLL into the already signed and trusted Windows Task Manager process (Taskmgr.exe). From there it can register the fake AV under any name it likes. Bleeping Computer’s reporter, for even more fun, used Defendnot to register a fake AV dubbed the BleepingComputer Antivirus.
With Defendnot injected and its fake product registered, Microsoft Defender immediately shuts itself down. That is Defender’s normal behaviour when a third-party AV registers with WSC, which is the mechanism Windows uses to hand real-time protection over to the other product; a spoofed registration triggers the same hand-off. As your Defendnot ‘AV’ isn’t actually an AV program, that leaves you exposed to viruses and similar malware, since you no longer have a real-time scanner enabled. To keep the fake ‘AV’ and its WSC registration live between reboots, Defendnot adds itself to Windows autorun.
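The flip side of the above, for anyone who has to find such a registration rather than create one, is to ask WSC what it believes is installed and compare that with Defender’s own view of itself. The PowerShell below is an added example, not code from es3n1n’s project or from the article. It uses the standard root/SecurityCenter2 WMI namespace and Get-MpComputerStatus; the decoding of the undocumented productState bitfield and the assumption that Defender registers its product path as a windowsdefender:// URI rather than a file are drawn from common field practice, not from Microsoft documentation, and are labelled as such in the comments.

```powershell
# Added example (not part of Defendnot or the article): audit what Windows Security
# Center (WSC) has registered as antivirus and cross-check it against Defender's own
# status, so a registration with no real engine behind it stands out.
# Run from an elevated PowerShell prompt on Windows 10/11.

# 1. Every product WSC currently believes is an antivirus.
$products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'

# 2. Defender's own view. AMRunningMode is "Normal" while Defender is the active engine;
#    once WSC has another AV registered it reports a passive/disabled mode instead.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    Write-Host ("Defender: AMRunningMode={0} RealTimeProtectionEnabled={1}" -f $mp.AMRunningMode, $mp.RealTimeProtectionEnabled)
} catch {
    $mp = $null
    Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)"
}

function Resolve-ProductPath {
    # Returns 'app URI', 'MISSING', 'present' or 'NOT FOUND' for a WSC-registered path.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return 'MISSING' }
    # Assumption: Defender registers pathToSignedProductExe as "windowsdefender://",
    # an app URI and not a file, so URIs are reported rather than checked on disk.
    if ($Path -match '^[A-Za-z][A-Za-z0-9+.-]*://') { return 'app URI' }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (Test-Path -LiteralPath $expanded -PathType Leaf) { return 'present' }
    return 'NOT FOUND'
}

$suspicious = @()
foreach ($p in $products) {
    # productState is an undocumented packed bitfield. The decoding below is the one
    # commonly used in the field and is an assumption, not a Microsoft specification:
    #   bits 12-15 == 0x1 -> real-time protection reported on
    #   bits  4-7  == 0x1 -> definitions reported out of date
    $state     = [int]$p.productState
    $rtOn      = (($state -band 0xF000) -eq 0x1000)
    $outOfDate = (($state -band 0x00F0) -eq 0x0010)

    $exeStatus = Resolve-ProductPath -Path ([string]$p.pathToSignedProductExe)
    $rptStatus = Resolve-ProductPath -Path ([string]$p.pathToSignedReportingExe)

    Write-Host ("{0,-32} rt={1,-5} outOfDate={2,-5} productExe={3,-10} reportingExe={4}" -f
        $p.displayName, $rtOn, $outOfDate, $exeStatus, $rptStatus)

    # A product that claims real-time protection yet points at no binary on disk is
    # exactly what a spoofed registration looks like from the outside.
    if ($rtOn -and $exeStatus -ne 'present' -and $rptStatus -ne 'present') {
        $suspicious += $p.displayName
    }
}

if ($mp -and $mp.AMRunningMode -ne 'Normal' -and $suspicious.Count -gt 0) {
    Write-Warning ("Defender has stepped aside for: {0}, but no engine binary was found for them." -f ($suspicious -join ', '))
}

# 3. The article notes the tool persists via autorun. Print the Run-key entries so the
#    loader that re-registers the fake product after a reboot can be reviewed by hand.
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    $entries = Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*
    foreach ($prop in $entries.PSObject.Properties) {
        Write-Host ("{0,-4} Run\{1,-24} -> {2}" -f $key.Split(':')[0], $prop.Name, $prop.Value)
    }
}
```

The Defender entry in WSC is expected to show productExe as an app URI with a present reporting executable, so it is never flagged; a non-Defender product that reports real-time protection on while neither registered path resolves to a file is the signal worth chasing, together with an AMRunningMode other than Normal. The Run-key listing is deliberately unfiltered: matching on the tool’s name would be trivially evaded by renaming, so the reviewer looks at every entry.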
Microsoft classifies Defendnot as a Trojan
It is kind of scary how a legitimate AV program can be spoofed like this, but as a ‘research project’ it forewarns OS makers like Microsoft of potential weaknesses which may be exploited by bad actors. Anyone downloading the Defendnot tool today will find that Microsoft Defender already detects and quarantines it as a Trojan, based on its machine learning algorithms.

Mark Tyson is a news editor at Tom's Hardware. He enjoys covering the full breadth of PC tech; from business and semiconductor design to products approaching the edge of reason.
Jabberwocky79
Just curious as to why someone would deliberately disable all AV protection, including Defender? What purpose does this program serve?
USAFRet
Jabberwocky79 said: Just curious as to why someone would deliberately disable all AV protection, including Defender? What purpose does this program serve?
"The AV is sucking up too many resources, and I neeed muh extra 2 FPS!!!"
Yes, someone will say that.
Math Geek
Some people, for any number of reasons, choose not to run an AV, be it on a test machine or their daily driver.
True, 99.999999999% will run one and probably should. It's the best/easiest way to protect your machine from the user's own mistakes. I'll never deny that fact. :)
But MS has decided that EVERYONE absolutely will run an AV whether they want to or not. So this and many other ways exist to disable this requirement for those who do not wish to partake. Clearly enough people wish to not use one, since so many ways exist to disable the requirement.
Again, I 100% agree that the average user should use one, but also 100% disagree that "average user" means every single person ever to sit in front of a computer. If you wish to take the risk on your personal system and not run an AV program, then MS should not stand in your way. It's what many, many people hate about what Windows has become. It is no longer an OS someone can adjust to be what they need. It is now a one-size-fits-all method to provide MS with as much data to sell as possible.
Again, you don't have to agree and may love everything about Windows, but enough people exist that don't like it that there are many ways to disable/remove/tweak Windows to try and take some sort of control back and make it what I need vs. what MS tells me I will have.
You don't have to agree, or approve, but that does not mean you are the final answer and all must abide by your wishes.
USAFRet
Math Geek said: Some people, for any number of reasons, choose not to run an AV, be it on a test machine or their daily driver.
True, 99.999999999% will run one and probably should. It's the best/easiest way to protect your machine from the user's own mistakes. I'll never deny that fact. :)
But MS has decided that EVERYONE absolutely will run an AV whether they want to or not. So this and many other ways exist to disable this requirement for those who do not wish to partake. Clearly enough people wish to not use one, since so many ways exist to disable the requirement.
Again, I 100% agree that the average user should use one, but also 100% disagree that "average user" means every single person ever to sit in front of a computer. If you wish to take the risk on your personal system and not run an AV program, then MS should not stand in your way. It's what many, many people hate about what Windows has become. It is no longer an OS someone can adjust to be what they need. It is now a one-size-fits-all method to provide MS with as much data to sell as possible.
Again, you don't have to agree and may love everything about Windows, but enough people exist that don't like it that there are many ways to disable/remove/tweak Windows to try and take some sort of control back and make it what I need vs. what MS tells me I will have.
You don't have to agree, or approve, but that does not mean you are the final answer and all must abide by your wishes.
The problem is....
If it is "optional", then people who should be running it do not, on advice from people who think they know (but don't).
And those subsequently infected systems impact the rest of us.
See WannaCry.
jlake3
Jabberwocky79 said: Just curious as to why someone would deliberately disable all AV protection, including Defender? What purpose does this program serve?
There's arguably a research angle, as the backdoor killswitch they used is not publicly documented. Knowing how it works may help develop defenses. Also, if you're experimenting with something on a sacrificial machine in a controlled environment, you might wanna turn everything off and just study what happens.
I'm not sure what happens if you try to use a home version of Windows in some type of automation project where it has no internet connection, but if it gets angry about not being able to update the AV, this may shut it up?
If for some reason you are running an AV that isn't properly signaling to Windows that it's present and they're both trying to run, this could allow you to shut down Defender so they don't clash. Or, even more theoretically, someone could build an AV without having to sign Microsoft's NDA and without having infringing code stolen from a commercial AV?
Or maybe you've built a machine just for hardcore overclocking leaderboards, and you want to kill off any possible process that could take away from your CPU benchmark score.
Very, very, VERY niche, and most people should absolutely not disable all AV protection, but it is neat that it exists.
Konomi
Jabberwocky79 said: Just curious as to why someone would deliberately disable all AV protection, including Defender? What purpose does this program serve?
Probably has more use than TH's "recommended reading" popup.
Alvar "Miles" Udell
"There’s a new tool available for folk who want to disable Windows Defender without replacing it with a rival antivirus (AV) product."
Those people fall into one of two camps: bad actors who want to create a more convincing fake AV to trick people who don't need to use a computer, and people who don't need to use a computer.
rluker5
A lot of people are probably too young to remember the days before Windows Vista, when restoring your infected PC from disc was a normal occurrence, and if you wanted to spend the big bucks you went with Norton or McAfee and had to watch your system routinely slow to a crawl for quite some time due to their schedule.
Defender is a small price to pay.
Alvar "Miles" Udell
rluker5 said: A lot of people are probably too young to remember the days before Windows Vista, when restoring your infected PC from disc was a normal occurrence, and if you wanted to spend the big bucks you went with Norton or McAfee and had to watch your system routinely slow to a crawl for quite some time due to their schedule.
Defender is a small price to pay.
Some people are old enough to remember when Windows Restore would back up and restore viruses and AV programs couldn't touch them.
BFG-9000
To be fair, Defender is still ridiculously slow if you plug in a slow flash drive or connect to a slow NAS with thousands of files on it: Explorer flashes the contents, then blanks the window (I can understand not letting you click on anything, but why hide the filenames?) until they show up, one by one, slowly. And that's regardless of how fast your system is.
Antivirus isn't needed on any computer that will only be used offline, and just as with 9x and XP, I am starting to remove MSE/Defender from all of my Windows 7 installations because the definition updates haven't worked since February anyway. Feature updates aren't necessary offline either, and I think I liked 1511 best and will probably go to that after Windows 10 EOL as well.
The original System Restore from Windows ME is famous for not working at all, no viruses needed to break it.