Defendnot Trojan Disables Windows’ Built-In Antivirus
by Justin Erickson
Security researcher “es3n1n” has released Defendnot, a proof-of-concept tool that registers a fake antivirus product through an undocumented Windows Security Center (WSC) API. Windows then assumes another antivirus is active and automatically shuts down Microsoft Defender, leaving the system unprotected. WSC is normally protected and requires administrative privileges; to get around this, Defendnot injects its DLL into Taskmgr.exe (a system process already trusted by Microsoft) and registers the fake ‘antivirus’ from there, which causes Windows to disable its built-in Defender. Although this is a research project, it shows that attackers could do the same in the future. Microsoft Defender’s machine-learning engine has since responded by flagging and quarantining Defendnot as a Trojan.
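Since the whole technique rests on WSC believing a product is registered, the practical check for a defender is to compare what WSC lists against Defender's own status. The following script is an added example, not code from the article or from the Defendnot project; it assumes a Windows host with the Defender PowerShell module and an elevated session, and it treats the undocumented productState bit 0x1000 as "enabled", which is the common community interpretation rather than a Microsoft contract.

```powershell
# Added example, not code from the article or from the Defendnot project.
# Audits what Windows Security Center (WSC) currently lists as registered
# antivirus products and compares that with Defender's own status, so a
# rogue registration that made Defender stand down becomes visible.
# Assumes a Windows host with the Defender PowerShell module; run elevated.

# WSC exposes its registrations through the root/SecurityCenter2 WMI namespace.
$registered = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'

# productState is undocumented; treating bit 0x1000 as "enabled" is the
# widely used community interpretation, not a Microsoft contract (assumption).
function Test-ProductEnabled([uint32]$state) {
    return (($state -band 0x1000) -ne 0)
}

foreach ($p in $registered) {
    $exe = $p.pathToSignedProductExe
    # A legitimate vendor registers a path to a binary that exists and is signed;
    # a missing or unsigned path is worth a closer look.
    $sigStatus = 'path missing'
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sigStatus = (Get-AuthenticodeSignature -FilePath $exe).Status
    }
    [pscustomobject]@{
        DisplayName = $p.displayName
        Enabled     = Test-ProductEnabled $p.productState
        ProductExe  = $exe
        Signature   = $sigStatus
        Registered  = $p.timestamp
    }
}

# Defender's own view of itself, independent of what WSC has been told.
$mp = Get-MpComputerStatus
$thirdParty = $registered | Where-Object {
    $_.displayName -notlike 'Windows Defender*' -and $_.displayName -notlike 'Microsoft Defender*'
}

if ($thirdParty -and -not $mp.RealTimeProtectionEnabled) {
    Write-Warning ("Defender real-time protection is off and WSC lists another product: " +
        (($thirdParty | ForEach-Object displayName) -join ', ') +
        ". Confirm that product is genuinely installed before trusting this state.")
}
```

On a fleet, the same query can be collected centrally so that a host whose only registered "antivirus" points at an unsigned or non-existent executable stands out.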