Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers various cybersecurity incidents happening in cyberspace.

When third-party antivirus software is installed, it registers with the Windows Security Center (WSC), which then automatically disables Windows Defender to prevent conflicts. The tool, defendnot, uses COM interfaces to interact with WSC, registering a phantom antivirus product. When Windows detects this “antivirus,” it automatically disables its built-in protection.

Technically, defendnot implements interfaces such as IWSCProductList to interact with WSC and utilizes undocumented Windows APIs that Microsoft typically only shares with certified antivirus vendors through their Microsoft Virus Initiative (MVI) program under NDA. The project faced significant technical challenges, including understanding how WSC validates calling processes before allowing them to register as antivirus solutions.

Developed by a GitHub developer known as “es3n1n”, the tool is noteworthy for its direct interaction with WSC without relying on code from existing antivirus products. This release comes approximately one year after the developer’s previous tool, “no-defender,” was removed following a DMCA takedown request.

While the tool demonstrates impressive technical knowledge and reverse engineering skills, security experts caution that such utilities could potentially be misused by malware authors seeking to disable security protections. For security researchers and administrators, this tool provides valuable insights into how Windows manages security product integration and highlights potential areas where Microsoft’s security architecture could be strengthened to prevent similar bypasses in the future.
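An added example (not from the article or the defendnot project): a PowerShell audit that lists the antivirus products registered with WSC and flags entries that are not on an approved list, or whose registered executable is missing or not validly signed. The allowlist names are hypothetical placeholders, and the check assumes a client edition of Windows where the `root/SecurityCenter2` WMI namespace and the Defender cmdlets are available.

```powershell
# Added example: audit antivirus products registered with Windows Security Center.
# $ExpectedProducts is a constructed allowlist; replace it with your approved products.
$ExpectedProducts = @('Windows Defender', 'Example Endpoint Protection')  # hypothetical names

function Get-WscAntivirusAudit {
    param([string[]]$Allowlist = $ExpectedProducts)

    # WSC exposes registered AV products through this WMI class on client Windows.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
        -ClassName 'AntiVirusProduct' -ErrorAction Stop

    foreach ($p in $products) {
        $exe = [Environment]::ExpandEnvironmentVariables([string]$p.pathToSignedProductExe)

        # Some entries (commonly Defender's own) carry a URI instead of a file path;
        # file and signature checks are skipped for those.
        $isUri  = $exe -like '*://*'
        $isFile = (-not $isUri) -and $exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
        $sig    = if ($isFile) { Get-AuthenticodeSignature -LiteralPath $exe } else { $null }

        $reasons = @()
        if ($p.displayName -notin $Allowlist) { $reasons += 'not on allowlist' }
        if (-not $isUri -and -not $isFile)    { $reasons += 'registered executable missing' }
        if ($sig -and $sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }

        [pscustomobject]@{
            DisplayName  = $p.displayName
            InstanceGuid = $p.instanceGuid
            ProductExe   = $exe
            Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            ProductState = '0x{0:X6}' -f [int]$p.productState
            Registered   = $p.timestamp
            Flagged      = $reasons.Count -gt 0
            Reasons      = $reasons -join '; '
        }
    }
}

# Show every registration, flagged entries first.
Get-WscAntivirusAudit | Sort-Object Flagged -Descending | Format-List

# Compare against Defender's own view: a disabled or passive Defender next to a
# flagged registration is the combination that needs follow-up.
Get-MpComputerStatus |
    Select-Object AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled
```

Run it from an elevated session on the endpoint, or wrap the function in your remote-management tooling to collect results across a fleet.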
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 12 May 2025 05:55:06 +0000