- A security researcher has built a program that the operating system treats as an antivirus
- Since two AV programs cannot run at the same time, Windows Defender is deactivated
- The previous iteration was removed for copyright violation
Hackers can now deactivate your Windows Defender by registering a fake antivirus on your computer. To do so, they use a new tool called Defendnot, recently published by a security researcher going by the alias ES3N1N.
As they explained, Defendnot uses a previously undocumented Windows Security Center (WSC) API, which third-party antivirus programs use to tell the operating system whether or not they are running on the device.
Usually, two or more antivirus programs cannot run on a single device at the same time because of various conflicts. As a result, Windows Defender deactivates itself automatically when it learns that another antivirus has been installed.
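A defender-side check for the situation the article describes, as an added example that is not part of the article or of the Defendnot project: it lists every antivirus product registered with Windows Security Center, notes whether its executable carries a valid signature, and warns when an unrecognised product is enabled while Defender reports itself off. It assumes an elevated PowerShell on Windows 10/11, and the `$Known` allow-list is a placeholder to adapt to the products a fleet actually licenses.

```powershell
# Added example, not code from the article or from the Defendnot project.
# Audits the antivirus products registered with Windows Security Center (WSC) so that a
# rogue registration that silenced Defender stands out. Run as Administrator.
function Get-WscAntivirusAudit {
    param([string[]]$Known = @('Windows Defender'))   # placeholder allow-list: adapt to your fleet

    $defender = Get-MpComputerStatus
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'

    foreach ($p in $products) {
        # productState is an undocumented bitfield; the community reading (assumption, verify on
        # your own machines) is that its middle byte is 0x10 when the product reports itself enabled.
        $state   = [int]$p.productState
        $enabled = ((($state -shr 8) -band 0xFF) -eq 0x10)

        # A legitimate product points WSC at a signed executable; a fake registration often does not.
        $exe = $p.pathToSignedProductExe
        $sig = 'n/a'
        if ($exe -and (Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue)) {
            $sig = (Get-AuthenticodeSignature -FilePath $exe).Status
        }

        [pscustomobject]@{
            DisplayName  = $p.displayName
            Enabled      = $enabled
            Executable   = $exe
            Signature    = $sig
            KnownProduct = ($Known -contains $p.displayName)
            DefenderAVOn = $defender.AntivirusEnabled
            DefenderMode = $defender.AMRunningMode
        }
    }
}

# Print the audit, then warn on an enabled product that is not on the allow-list.
$audit = Get-WscAntivirusAudit
$audit | Format-Table -AutoSize

$rogue = $audit | Where-Object { $_.Enabled -and -not $_.KnownProduct }
if ($rogue) {
    Write-Warning "Unrecognised product(s) registered with WSC: $(@($rogue.DisplayName) -join ', ')"
    if (-not ($audit | Select-Object -First 1).DefenderAVOn) {
        Write-Warning 'Defender reports its antivirus engine as disabled; treat this host as suspect.'
    }
}
```

On a clean host the table shows only the products you expect, each with a Valid signature and Defender reporting Normal mode; an unknown entry with no signed executable is the pattern to investigate.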
Spotted by Defender
According to BleepingComputer, this is the researcher's second attempt to build this type of tool. The original program, which "blew up" and went viral shortly after its release, was taken down after a Digital Millennium Copyright Act (DMCA) request. It turns out that ES3N1N had used code from a third-party antivirus product to register it with WSC, in a program they had named no-defender.
This apparently did not sit well with the developers of that third-party product, who later demanded that ES3N1N withdraw the program.
After the takedown, the researcher built Defendnot from scratch around a dummy antivirus DLL. It also ships with a component that lets it start automatically as soon as the user logs into Windows.
Obviously, the tool was not designed to be used maliciously, but it is prudent to assume that it will be abused (or that threat actors will simply create their own versions). In the past, threat actors have been seen using a range of tactics to disable people's antivirus programs, such as abusing administrative rights, tampering with the registry, blocking updates, installing fake antivirus software, or exploiting various flaws in third-party solutions.
Fortunately, Microsoft Defender now detects and quarantines Defendnot as 'Win32/Sabsik.FL.!ml'.
Via BleepingComputer