A researcher has developed a tool capable of disabling Microsoft Defender, the antivirus installed by default on Windows. Dubbed Defendnot by its creator, the tool abuses the Windows Security Center (WSC) API to turn the antivirus off without tripping any of the system's own alarms. This programming interface, provided by Microsoft, is how security software such as antivirus products reports its status to the operating system.
That registration is precisely what entitles a product to switch Microsoft Defender off. When a third-party antivirus is installed and recognized by Windows, Microsoft Defender disables itself: the operating system is designed to avoid running several antivirus engines at once, since doing so can slow the machine down or cause the engines to conflict with each other, for example by both trying to block or quarantine the same files.
How Defendnot fools Windows protections
As Defendnot's creator, es3n1n, explains, the tool uses Microsoft's API to make Windows believe that a fake antivirus is a real one, and it passes every validation check Microsoft has put in place. Aware of the risks, Microsoft has built a series of protections around the Security Center API: a protected-process mechanism that prevents unauthorized programs from modifying or spying on sensitive processes, and a digital-signature check. Together these are meant to ensure that only trusted programs, i.e. those signed by Microsoft, can register successfully.
Defendnot circumvents all of these protections. To do so, it injects its code into Taskmgr.exe, the Windows Task Manager, a Microsoft-signed program, and uses that trusted process to register a fake antivirus under a made-up name. Defendnot lets the user choose the antivirus name that Windows will display, and also offers an option to undo the registration in the Security Center. Finally, the program adds itself to the Windows Task Scheduler so that it remains active after a reboot. The weakness is a design flaw in Windows itself. Defendnot is purely a research project, but it demonstrates how Windows can be manipulated into switching Microsoft Defender off, and it is reasonable to expect that the same design flaw will eventually be exploited by cybercriminals. Because the fault lies in the way Windows works, Microsoft is unlikely to be able to fix it with a simple patch.
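The mechanism described above can be audited from the defender's side: ask Windows which antivirus products are registered with the Security Center, compare that with what Defender itself reports, and look for the two footholds the article mentions (foreign code inside Task Manager and a persistence task). The following PowerShell script is an added example written for this page; it is not code from Defendnot or from es3n1n. It assumes an elevated session on Windows 10/11 with the Defender PowerShell module available, and the reading of the productState field is the commonly used interpretation of an undocumented value, not a Microsoft-documented format.

```powershell
#Requires -RunAsAdministrator
# Added example for this article, not part of Defendnot. Audits what Windows Security
# Center (WSC) believes about antivirus on this machine and looks for the footholds
# the article describes. Assumptions: Windows 10/11, elevated session, Defender module
# present. The productState decoding is the widely used reading of an undocumented field.

function Get-SignerName {
    param([string]$Path)
    if (-not $Path) { return '<no path>' }
    # WSC entries may carry a URI (Defender uses one) rather than a file path.
    if ($Path -notmatch '^[A-Za-z]:\\') { return "<not a file path: $Path>" }
    if (-not (Test-Path -LiteralPath $Path)) { return '<file missing>' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { return "<unsigned or invalid: $($sig.Status)>" }
    return $sig.SignerCertificate.Subject
}

Write-Host "== Antivirus products registered with WSC =="
$products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'
foreach ($p in $products) {
    $state = '{0:X6}' -f $p.productState            # e.g. 061000
    [pscustomobject]@{
        DisplayName = $p.displayName
        Enabled     = ($state.Substring(2, 2) -eq '10')   # second byte 10 = engine on
        UpToDate    = ($state.Substring(4, 2) -eq '00')   # third byte 00 = signatures current
        ProductExe  = $p.pathToSignedProductExe
        Signer      = Get-SignerName $p.pathToSignedProductExe   # a registered AV with no signed binary behind it is suspect
    }
}

Write-Host "`n== What Defender itself reports =="
# If a third-party entry above is Enabled, Defender will normally show itself off or passive here.
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AMRunningMode

Write-Host "`n== Modules loaded in Task Manager that are not Microsoft-signed =="
foreach ($proc in Get-Process -Name Taskmgr -ErrorAction SilentlyContinue) {
    try { $mods = $proc.Modules } catch { Write-Warning "cannot read modules of PID $($proc.Id): $_"; continue }
    foreach ($m in $mods) {
        $signer = Get-SignerName $m.FileName
        if ($signer -notmatch 'Microsoft') {
            [pscustomobject]@{ PID = $proc.Id; Module = $m.FileName; Signer = $signer }
        }
    }
}

Write-Host "`n== Enabled scheduled tasks whose action is not Microsoft-signed =="
foreach ($t in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
    foreach ($a in $t.Actions) {
        if (-not $a.Execute) { continue }                       # COM-handler actions have no Execute
        $exe = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
        if ($exe -notmatch '^[A-Za-z]:\\') { continue }         # bare names resolve via PATH; skip
        $signer = Get-SignerName $exe
        if ($signer -notmatch 'Microsoft') {
            [pscustomobject]@{
                Task   = "$($t.TaskPath)$($t.TaskName)"
                Exe    = $exe
                Args   = $a.Arguments
                Signer = $signer
            }
        }
    }
}
```

Read the output as a consistency check rather than a verdict: a WSC entry that is Enabled but whose product executable is missing, unsigned, or signed by someone unrelated to the displayed name, combined with Defender reporting real-time protection off, is the situation the article describes. The last two sections are heuristics. A persistence task that launches a legitimately signed host with unusual arguments will pass the signature filter, which is why the arguments are printed for manual review.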
Note that Microsoft Defender can now detect and quarantine Defendnot before it begins masquerading as an antivirus.
Source: es3n1n