{"id":24335,"date":"2025-07-15T17:17:39","date_gmt":"2025-07-15T13:17:39","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/defendnot-disables-microsoft-defender-on-windows\/24335\/"},"modified":"2025-07-15T17:17:39","modified_gmt":"2025-07-15T13:17:39","slug":"defendnot-disables-microsoft-defender-on-windows","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/defendnot-disables-microsoft-defender-on-windows\/24335\/","title":{"rendered":"Schr\u00f6dinger&#8217;s antivirus: is protection dead or alive?"},"content":{"rendered":"<p>Many companies today operate a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/byod\/\" target=\"_blank\" rel=\"noopener\">Bring Your Own Device (BYOD)<\/a> policy, allowing employees to use their own devices for work purposes. This practice is especially prevalent in organizations that embrace remote working. BYOD brings many obvious advantages, but its implementation creates new risks for companies in terms of cybersecurity.<\/p>\n<p>To protect systems from threats, information security departments often require that security software is installed on all devices used for work. At the same time, some employees \u2013 especially hotshot techies \u2013 may view antivirus software more as a hindrance than a help.<\/p>\n<p>Not the most sensible attitude for sure, but convincing them otherwise can be hard. The main problem is that employees who believe they know better may find a way to dupe the system. 
Today, we investigate one such method: a <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/new-defendnot-tool-tricks-windows-into-disabling-microsoft-defender\/\" target=\"_blank\" rel=\"nofollow noopener\">new research tool known as Defendnot<\/a>, which disables Microsoft Defender on Windows devices by registering fake antivirus software.<\/p>\n<h2>How <em>no-defender<\/em> blazed the trail using fake antivirus to disable Microsoft Defender<\/h2>\n<p>To understand exactly how Defendnot disables Microsoft Defender, we need to turn the clock back a year. Back then, a researcher with the X handle <a href=\"https:\/\/x.com\/es3n1n\" target=\"_blank\" rel=\"nofollow noopener\">es3n1n<\/a> created and published the first version of the tool on GitHub. Called <a href=\"https:\/\/github.com\/es3n1n\/no-defender\" target=\"_blank\" rel=\"nofollow noopener\">no-defender<\/a>, it was tasked with disabling the built-in Windows Defender antivirus.<\/p>\n<p>To accomplish this task, es3n1n exploited a weakness in the Windows Security Center (WSC) API. Through it, antivirus software informs the system that it is installed and ready to start protecting the device in real time. Upon receiving such a message, Windows automatically disables Microsoft Defender to avoid conflicts between different security solutions all running on the same device.<\/p>\n<p>Using the code of an existing security solution, the researcher created their own fake antivirus that registered in the system and passed all Windows checks. Once Microsoft Defender was disabled, the device was left unprotected \u2013 since no-defender offered no protection of its own.<\/p>\n<p>The no-defender project quickly drew a following on GitHub, where it was starred over two thousand times. 
However, the antivirus developer company whose code was reused filed a complaint for violation of the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Digital_Millennium_Copyright_Act\" target=\"_blank\" rel=\"nofollow noopener\">Digital Millennium Copyright Act (DMCA)<\/a>. So es3n1n was forced to remove the project code from GitHub, leaving only a description page.<\/p>\n<h2>How Defendnot succeeded no-defender<\/h2>\n<p>But the story doesn\u2019t end there. Almost a year later, New Zealand programmer <a href=\"https:\/\/mrbruh.com\" target=\"_blank\" rel=\"nofollow noopener\">MrBruh<\/a> prompted es3n1n into developing a version of no-defender that didn\u2019t rely on third-party code. Piqued by the challenge and poor sleep, <a href=\"https:\/\/blog.es3n1n.eu\/posts\/how-i-ruined-my-vacation\/\" target=\"_blank\" rel=\"nofollow noopener\">es3n1n wrote a new tool in four days flat<\/a>, which was dubbed Defendnot.<\/p>\n<p>At the heart of Defendnot was a stub DLL posing as a legitimate antivirus. To bypass all WSC API checks \u2013 including Protected Process Light (PPL), digital signatures and other mechanisms \u2013 Defendnot injects its DLL into Taskmgr.exe, which is signed and already considered trusted by Microsoft. The tool then registers the fake antivirus, prompting Microsoft Defender to immediately turn off and leave the device without active protection.<\/p>\n<p>On top of that, Defendnot allows the user to assign any name to the \u201cantivirus\u201d. Like its predecessor, this project became a hit on GitHub, having been starred 2100 times at the time of writing. To install Defendnot, the user must have administrator rights (which employees most likely have on personal devices).<\/p>\n<h2>How to protect corporate infrastructure from BYOD misuse<\/h2>\n<p>Defendnot and no-defender are positioned as research projects, with both tools demonstrating how trusted system mechanisms can be manipulated to disable protective functions. 
The conclusion is obvious: you can\u2019t always trust what Windows says.<\/p>\n<p>Therefore, so as not to endanger your company\u2019s digital infrastructure, we recommend beefing up its BYOD policy with a number of additional security measures:<\/p>\n<ul>\n<li>Where possible, make it mandatory for BYOD device owners to install <a href=\"https:\/\/me-en.kaspersky.com\/next?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kdaily_wpplaceholder_sm-team___knext____655fe72318f39647\" target=\"_blank\" rel=\"noopener\">reliable corporate protection<\/a> administered by the company\u2019s information security team.<\/li>\n<li>If this is not possible, do not consider BYOD devices as trusted simply for having antivirus software installed, and limit their access to corporate systems.<\/li>\n<li>Strictly control access permissions to ensure they correspond to employees\u2019 job responsibilities.<\/li>\n<li>Pay special attention to BYOD device activity in corporate systems, and deploy an <a href=\"https:\/\/me-en.kaspersky.com\/next?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kdaily_wpplaceholder_sm-team___knext____655fe72318f39647\" target=\"_blank\" rel=\"noopener\">XDR solution<\/a> to monitor behavioral anomalies.<\/li>\n<li>Train employees in the basics of cybersecurity so that they understand how antivirus software works, and why they shouldn\u2019t try to disable it. 
To help with this, our <a href=\"https:\/\/k-asap.com\/en\/?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">Kaspersky Automated Security Awareness Platform<\/a> delivers all you need and more.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kasap\">\n","protected":false},"excerpt":{"rendered":"<p>How the research tool Defendnot disables Microsoft Defender by registering a fake antivirus, and why you shouldn\u2019t always trust what your operating system says.<\/p>\n","protected":false},"author":2726,"featured_media":24336,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[415],"class_list":{"0":"post-24335","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-byod"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/defendnot-disables-microsoft-defender-on-windows\/24335\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/defendnot-disables-microsoft-defender-on-windows\/29139\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/defendnot-disables-microsoft-defender-on-windows\/12581\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/defendnot-disables-microsoft-defender-on-windows\/29183\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/defendnot-disables-microsoft-defender-on-windows\/28309\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/defendnot-disables-microsoft-defender-on-windows\/31146\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/defendnot-disables-microsoft-defender-on-windows\/40058\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/defendnot-disables-microsoft-defender-on-win
dows\/13544\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/defendnot-disables-microsoft-defender-on-windows\/53820\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/defendnot-disables-microsoft-defender-on-windows\/23998\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/defendnot-disables-microsoft-defender-on-windows\/32422\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/defendnot-disables-microsoft-defender-on-windows\/29360\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/defendnot-disables-microsoft-defender-on-windows\/35114\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/defendnot-disables-microsoft-defender-on-windows\/34754\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/byod\/","name":"BYOD"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24335","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=24335"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24335\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/24336"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=24335"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=24335"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=24335"}],"curies":[{"name":"wp",
"href":"https:\/\/api.w.org\/{rel}","templated":true}]}}