- A security researcher created a program that the operating system sees as an antivirus
- Since two AV programs cannot run at the same time, Windows Defender turns itself off
- The previous iteration was taken down over a copyright complaint
Hackers can now easily switch off Windows Defender by registering a fake antivirus on their computer. To do that, they use a new tool called Defendnot, recently released by a security researcher known by the alias Es3n1n.
As they explained, Defendnot takes advantage of a previously undocumented Windows Security Center (WSC) API that third-party antivirus programs use to tell the operating system whether they are running on the device.
In general, two or more antivirus programs cannot run on a single device at the same time because of the conflicts this causes. As a result, Windows Defender automatically deactivates itself when it learns that another antivirus has been installed.
Detected by Defender
According to BleepingComputer, this is the researcher's second attempt to build this kind of tool. The original program, which "blew up" and went viral shortly after its release, was withdrawn after a Digital Millennium Copyright Act (DMCA) takedown request. It turns out that Es3n1n used code from a third-party antivirus product to fake the registration with WSC for a program called no-defender.
Apparently, this did not sit well with the developers of that third-party product, who subsequently demanded that the program be taken down.
After the takedown, the researcher built Defendnot with a dummy antivirus DLL written from scratch. It also comes with an autorun feature, which lets it start automatically as soon as the user logs in to Windows.
Obviously, the tool was not designed to be used maliciously, but it is safe to assume that it will be abused (or that threat actors will simply create their own versions). In the past, threat actors have been seen using several tactics to disable people's antivirus programs, such as abusing administrative rights, manipulating the registry, blocking updates, installing fake antivirus software or exploiting various flaws in third-party products.
Fortunately, Microsoft Defender can now detect and quarantine Defendnot as Win32/Sabsik.FL.!ml.
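For administrators who want to check a machine for this kind of trick, the following PowerShell snippet is an added example, not code from the article or from the Defendnot project. It reads the antivirus products registered with Windows Security Center (the WMI class AntiVirusProduct in root/SecurityCenter2), compares them with what Defender itself reports via Get-MpComputerStatus, and lists the Run keys where a logon autorun entry would normally live. The $KnownVendors allow-list is an assumption that each site would adapt to the products it actually licenses.

```powershell
# Added example: audit WSC registrations against Defender's own status.
# $KnownVendors is a site-specific assumption, not a Microsoft-provided list.
$KnownVendors = @('Windows Defender', 'Microsoft Defender Antivirus')

# 1. What does Windows Security Center believe is installed?
#    Third-party AV (and anything impersonating one) shows up here.
$registered = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
    Select-Object displayName, pathToSignedProductExe, productState

foreach ($p in $registered) {
    $exePath = $p.pathToSignedProductExe
    $exists  = -not [string]::IsNullOrEmpty($exePath) -and (Test-Path -LiteralPath $exePath)
    $known   = $KnownVendors -contains $p.displayName

    # A registration with an unknown name, or one whose signed executable
    # does not exist on disk, deserves a closer look.
    if (-not $known -or -not $exists) {
        Write-Warning ("Suspicious WSC registration: '{0}' exe='{1}' present={2} state=0x{3:X}" -f
            $p.displayName, $exePath, $exists, $p.productState)
    }
}

# 2. What does Defender itself report? When another AV is registered,
#    Defender drops out of 'Normal' mode and real-time protection goes off.
$mp = Get-MpComputerStatus | Select-Object AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled
if ($mp.AMRunningMode -ne 'Normal' -or -not $mp.RealTimeProtectionEnabled) {
    Write-Warning ("Defender is not fully active: mode='{0}' AV={1} RTP={2}" -f
        $mp.AMRunningMode, $mp.AntivirusEnabled, $mp.RealTimeProtectionEnabled)
} else {
    Write-Output "Defender reports normal mode with real-time protection on."
}

# 3. Logon autorun locations: list every value so an unexpected entry stands out.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path -Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -notlike 'PS*') {
                Write-Output ("{0} :: {1} = {2}" -f $key, $prop.Name, $prop.Value)
            }
        }
    }
}
```

The useful signal is the combination: a WSC entry that is not on your allow-list, or whose signed executable path does not exist, together with Defender reporting a mode other than Normal, is the pattern the article describes. Running the script from an elevated prompt is needed for the HKLM Run key and for Get-MpComputerStatus on some builds.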
Via BleepingComputer