Tool registers a bogus anti-virus product with Windows Security Center, getting past the checks meant to keep untrusted software out and causing Microsoft Defender to switch itself off.
A tool named ‘Defendnot’ uses an undocumented Windows Security Center (WSC) API to register a bogus anti-virus product. Because Windows disables Microsoft Defender whenever a third-party anti-virus product is registered with WSC, the fake registration is enough to switch Defender off without touching Defender itself.
Developed by cybersecurity researcher es3n1n, Defendnot gets past the WSC API's caller checks, such as the requirement that the registering process run as a Protected Process Light (PPL) and carry a valid digital signature, by injecting its DLL into Taskmgr.exe. Task Manager is a Microsoft-signed Windows binary that WSC trusts, so the fake anti-virus product is registered from inside that process.
As detailed by Bleeping Computer, Defendnot also ships a loader that accepts a custom anti-virus display name, can remove the fake registration again, and offers verbose logging. The loader can also create a Windows Task Scheduler task so that the registration is re-applied automatically, giving the tool persistence across reboots.
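A defender-side check for the behaviour described above, as an added example that is not part of the article or of the Defendnot project: it enumerates the anti-virus products registered with WSC through the documented root/SecurityCenter2 WMI namespace, flags any registration whose claimed product executable is missing or not validly signed, and then asks Defender itself whether it has stepped aside. The property and cmdlet names are the real ones; the heuristics (missing or unsigned executable equals suspect) are this example's own assumption, not a detection the article attributes to anyone.

```powershell
# Added example: audit WSC anti-virus registrations for a bogus third-party product.
# Assumes a Windows 10/11 client; root/SecurityCenter2 does not exist on Windows Server.

function Get-WscAntivirusAudit {
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'
    foreach ($p in $products) {
        $exe = $p.pathToSignedProductExe
        $verdict = 'ok'

        # A genuine vendor registration points at a real, signed binary. An entry whose
        # executable does not exist or fails Authenticode verification is worth a look.
        if ([string]::IsNullOrWhiteSpace($exe) -or -not (Test-Path -LiteralPath $exe)) {
            $verdict = 'SUSPECT: product executable missing'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') {
                $verdict = "SUSPECT: signature status $($sig.Status)"
            }
        }

        # productState is an undocumented bitfield; it is commonly decoded as
        # second byte 0x10 = real-time protection on, low byte 0x00 = definitions current.
        [pscustomobject]@{
            DisplayName  = $p.displayName
            ProductExe   = $exe
            ProductState = ('0x{0:X6}' -f $p.productState)
            Verdict      = $verdict
        }
    }
}

function Get-DefenderStandDownStatus {
    # Defender reports itself as disabled or in passive mode once another product owns WSC.
    Get-MpComputerStatus |
        Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AMRunningMode
}

Get-WscAntivirusAudit | Format-Table -AutoSize
Get-DefenderStandDownStatus | Format-List
```

Run it from any user context on the affected machine; no elevation is needed to read root/SecurityCenter2. A registered product that fails the signature check while Get-MpComputerStatus shows AntivirusEnabled false is the combination to investigate. Since the registration is performed from inside Taskmgr.exe, the injection itself is also visible to endpoint telemetry that records remote thread creation or unsigned image loads in that process, which is the more reliable place to catch it than the WSC record alone.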
Defendnot is a rewrite of es3n1n's earlier no-defender project, which reused a third-party anti-virus vendor's own code to register with WSC and was taken down after that vendor filed a DMCA request.
"[A]fter a few weeks after the release [of no-defender], the project blew up quite a bit and gained ~1.5k stars, after that the developers of the antivirus I was using filed a DMCA takedown request and I didn't really want to do anything with that so just erased everything and called it a day," said es3n1n.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.