Managed IT Houston - Cybersecurity
Shane

DefendNot: New Tool Tricks Windows into Disabling Microsoft Defender

Windows Defender Disabled: How the New DefendNot Tool Creates Security Blind Spots – When Windows Thinks It’s Protected

A concerning new cybersecurity threat has emerged with the release of a tool called “DefendNot,” which can effectively disable Microsoft Defender on Windows systems by exploiting an undocumented API. This sophisticated tool poses as a legitimate antivirus solution to trick Windows into turning off its built-in protection, potentially leaving systems vulnerable to a wide range of malware threats.

What is DefendNot?

DefendNot is a recently developed tool created by security researcher “es3n1n” that exploits the Windows Security Center (WSC) service. This tool registers itself as a third-party antivirus solution without actually providing any protection. When Windows detects what it believes to be a legitimate antivirus program, it automatically disables Microsoft Defender to prevent conflicts between security applications.

The tool is a successor to a previous project called “no-defender” which was taken down following a DMCA request because it used code from existing antivirus products. DefendNot avoids copyright issues by implementing functionality from scratch through a custom-built dummy antivirus DLL.

Severity of the Issue

The severity of this exploit is significant. Once DefendNot is installed and running:

  • Microsoft Defender is completely disabled on the affected system
  • The system has no active real-time protection against malware
  • The disabled state persists across system reboots
  • Users may be unaware their protection has been compromised

This tool essentially creates a security vacuum on Windows devices, removing the baseline protection that Microsoft provides to all Windows users.

How DefendNot Works

DefendNot operates by targeting an undocumented Windows Security Center API that Microsoft typically only makes available to legitimate antivirus vendors under strict non-disclosure agreements (NDAs).

The tool’s operation involves several sophisticated techniques:

  1. It injects its code into the trusted Windows Task Manager process (Taskmgr.exe)
  2. From within this trusted process, it makes calls to the WSC API
  3. It registers a phantom antivirus product with a customizable name
  4. Windows automatically disables Microsoft Defender upon detecting this registration
  5. For persistence, DefendNot adds itself to Windows autorun via Task Scheduler

The technical implementation required reverse engineering WSC’s validation processes, including working around its signature verification and other security checks.

Who is Behind DefendNot?

The tool was developed by a GitHub user known as “es3n1n” and is published as an open-source project. The developer presents it as a research project but acknowledges its potential security implications. According to the developer’s blog post, DefendNot was created during a vacation in Seoul under challenging development conditions, using remote access to development environments with high latency.

While the creator may have developed this tool for research purposes, the public availability of such software makes it accessible to threat actors with malicious intent.

Who is at Risk?

The primary risk factors for this vulnerability include:

  • Windows 10 and Windows 11 users who rely on Microsoft Defender as their primary antivirus solution
  • Organizations with standard Windows deployments that haven’t implemented additional security controls
  • Systems where an attacker has already gained administrative privileges (required to install DefendNot)

The risk is somewhat mitigated by the requirement for administrative privileges, which prevents remote exploitation without prior system compromise. However, once an attacker has admin access, they can use this tool to disable security protections, making subsequent attacks easier to execute and harder to detect.

Remediation Steps

To protect against this threat, consider implementing these remediation measures:

  1. Keep all Windows systems updated with the latest security patches
  2. Deploy enterprise-grade endpoint protection beyond Microsoft Defender
  3. Implement application whitelisting to prevent unauthorized tools from executing
  4. Use advanced threat protection solutions that can detect suspicious activity
  5. Monitor systems for unexpected changes to security settings
  6. Limit administrative privileges to only those users who absolutely need them
  7. Implement robust user awareness training about social engineering attacks

Microsoft is currently detecting and quarantining known versions of DefendNot as malware (identified as ‘Win32/Sabsik.FL.!ml’), but variant tools may evade detection.
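The monitoring step above, and the WSC registration trick described under “How DefendNot Works”, can be checked from the defender’s side with the following PowerShell audit. This is an added example, not code from the CinchOps post or the DefendNot project; it uses the standard root/SecurityCenter2 WMI class and the Defender module cmdlets, and the list of trusted product names is an assumption to adjust for your own fleet.

```powershell
# Added example (not from the CinchOps post or the DefendNot project): compare
# what Windows Security Center believes about antivirus coverage with Microsoft
# Defender's actual running mode. Run from an elevated prompt on a workstation;
# the root/SecurityCenter2 namespace is not present on Windows Server.
# The "known good" name list below is an assumption; adapt it to your fleet.

$KnownDefenderNames = @('Windows Defender', 'Microsoft Defender Antivirus')

function Get-RegisteredAvProducts {
    # Every product registered with WSC, i.e. everything that can make Defender
    # stand down. A phantom registration with a made-up name appears here too.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $exe = $_.pathToSignedProductExe
            $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
                (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
            } else { 'MissingBinary' }
            [pscustomobject]@{
                DisplayName     = $_.displayName
                ProductExe      = $exe
                SignatureStatus = $sig
                IsMicrosoft     = $KnownDefenderNames -contains $_.displayName
            }
        }
}

function Test-DefenderCoverage {
    $products   = @(Get-RegisteredAvProducts)
    $status     = Get-MpComputerStatus
    $findings   = @()
    $thirdParty = $products | Where-Object { -not $_.IsMicrosoft }

    # Defender yielding to another registered product is the "Windows thinks it
    # is protected" state described in the post.
    if ($status.AMRunningMode -ne 'Normal' -and $thirdParty) {
        $findings += "Defender mode '$($status.AMRunningMode)' yielded to: " +
                     (($thirdParty.DisplayName) -join ', ')
    }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
    # A registered AV whose binary is missing or unsigned deserves a ticket.
    foreach ($p in $thirdParty) {
        if ($p.SignatureStatus -ne 'Valid') {
            $findings += "Registered AV '$($p.DisplayName)' has signature status $($p.SignatureStatus) (exe: $($p.ProductExe))"
        }
    }
    [pscustomobject]@{ Products = $products; Findings = $findings }
}

$report = Test-DefenderCoverage
$report.Products | Format-Table -AutoSize
if ($report.Findings) { $report.Findings | ForEach-Object { Write-Warning $_ } }
else { 'WSC registrations and Defender state are consistent.' }
```

Schedule the script to run periodically and forward any warning lines to your SIEM; a third-party product that appears in the WSC list without a matching software deployment is the change worth alerting on.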

How CinchOps Can Help

At CinchOps, we understand the evolving nature of cybersecurity threats like DefendNot. Our comprehensive security approach provides multiple layers of protection to ensure your business remains secure:

  • Advanced Endpoint Protection: We deploy and manage robust endpoint security solutions that go beyond basic antivirus capabilities, providing protection even if native Windows security is compromised.
  • Continuous Monitoring: We actively monitor for suspicious activities that might indicate security bypasses or disabled protections.
  • Rapid Response: When threats are detected, our team can quickly isolate affected systems and implement remediation measures before damage spreads.
  • Security Hardening: We implement industry-best security controls, including least privilege access, application control, and system hardening to minimize attack surfaces.
  • User Awareness Training: We provide comprehensive security training to help your team recognize and avoid social engineering attempts that might lead to system compromise.

Don’t leave your business vulnerable to emerging threats like DefendNot. Contact CinchOps today for a comprehensive security assessment and learn how our managed IT security services can protect your critical systems and data.

Discover More

Discover more about our enterprise-grade and business-protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: CLFS Zero-Day Vulnerability (CVE-2025-29824) Exploited in Ransomware Attacks
For additional information on this topic: Now Microsoft Windows Defender Can Be Disabled By Hackers