Hackers Can Disable Microsoft Defender on Windows 10/11 by Registering Fake Antivirus Software
Hackers have found a way to disable Microsoft Defender on Windows 10 and 11 by registering fake antivirus programs, giving them free rein to operate on compromised systems.
A security researcher operating under the alias es3n1n has developed a tool called Defendnot, which exploits this vulnerability to turn off Microsoft Defender.
Unsurprisingly, the tool has already been flagged by Microsoft as a trojan and is now quarantined.

By default, Microsoft Defender is enabled on Windows 10/11. However, it automatically disables itself if it detects another antivirus solution—such as Kaspersky—installed on the system, in order to prevent software conflicts.
This behavior has previously prompted some developers to register fake antivirus software as a workaround to disable Defender. The motivation is often Defender’s high false-positive rate or its interference with activation scripts and other “crack” tools, which leads many users to seek ways to disable it.
Hackers, of course, share the same goal—disabling Microsoft Defender gives them a much easier path to carry out malicious activities without being detected. Once Defender is out of the picture, attackers can act freely without worrying about security software blocking their actions.
One recent example involves a fake security application registered under the name “hello readme:)”. Researcher es3n1n released a tool named Defendnot that leverages a previously undocumented method using the Windows Security Center (WSC) API. This API allows antivirus software to notify Windows that a security product is already running, which in turn causes Defender to shut down automatically.
The release of Defendnot quickly went viral, but it was soon taken down following a DMCA complaint. That’s because simply invoking the WSC API isn’t straightforward: it typically requires using code from legitimate security software. Defendnot’s initial version borrowed code from a real antivirus product and disguised a program named no-defender as a valid WSC-registered app. Once the original antivirus vendor discovered that their code had been repurposed, they swiftly issued a takedown request.
In response, es3n1n rebuilt Defendnot from scratch using a custom “virtual antivirus” DLL. The updated version not only disables Microsoft Defender but also includes features like auto-start at boot, allowing it to run as soon as Windows launches.
Although Defendnot was developed primarily for research purposes, not for everyday users or malicious use, it undeniably poses a security risk. Hackers could exploit the tool to compromise systems, raising concerns about potential misuse.
Microsoft’s threat intelligence team has already taken action. Defender now detects and quarantines Defendnot, classifying it as a Win32/Sabsik.FL.A!ml trojan—a designation for threats capable of performing a wide range of malicious actions on a device.
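
One way to audit for the fake registration described above, as an added example that is not from the article or from Defendnot: it lists the antivirus products registered with Windows Security Center and flags any that are unexpected or lack a validly signed executable. The expected-name list, the function name `Test-WscRegistration` and the sample records are assumptions constructed for illustration.

```powershell
# Added example: audit antivirus registrations in Windows Security Center (WSC).
# Assumption: $Expected lists the display names your organisation actually deploys.
function Test-WscRegistration {
    param(
        [Parameter(Mandatory)] [object[]] $Products,
        [string[]] $Expected = @('Windows Defender', 'Microsoft Defender Antivirus')
    )
    foreach ($p in $Products) {
        $reasons = @()
        if ($p.displayName -notin $Expected) { $reasons += 'name not on expected list' }

        # Defender registers the URI "windowsdefender://"; other products record a file path.
        $exe = [Environment]::ExpandEnvironmentVariables([string]$p.pathToSignedProductExe)
        if ([string]::IsNullOrWhiteSpace($exe)) {
            $reasons += 'no product executable recorded'
        } elseif ($exe -notlike 'windowsdefender:*') {
            if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
                $reasons += 'product executable missing on disk'
            } elseif ((Get-AuthenticodeSignature -LiteralPath $exe).Status -ne 'Valid') {
                $reasons += 'product executable not validly signed'
            }
        }
        [pscustomobject]@{
            DisplayName = $p.displayName
            ProductExe  = $exe
            Suspicious  = ($reasons.Count -gt 0)
            Reasons     = ($reasons -join '; ')
        }
    }
}

# Constructed sample records shaped like root/SecurityCenter2 AntiVirusProduct instances.
# The second display name is the one quoted in the article; its path is a placeholder.
$sample = @(
    [pscustomobject]@{ displayName = 'Windows Defender'; pathToSignedProductExe = 'windowsdefender://' }
    [pscustomobject]@{ displayName = 'hello readme:)'; pathToSignedProductExe = 'C:\PLACEHOLDER\example.dll' }
)
Test-WscRegistration -Products $sample | Format-List

# Live check on a Windows client (SecurityCenter2 is normally not present on Windows Server).
if ($env:OS -eq 'Windows_NT') {
    $live = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)
    if ($live.Count -gt 0) { Test-WscRegistration -Products $live | Where-Object Suspicious }
    # Correlate with Defender's own view: a passive or disabled Defender together with an
    # unexpected registration is the combination the article describes.
    Get-MpComputerStatus -ErrorAction SilentlyContinue |
        Select-Object AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled
}
```

On the constructed sample, only the second record is returned with `Suspicious` set to true, for an unexpected name and a missing executable.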