A new tool called ‘Defendnot’ can disable Microsoft Defender on Windows devices by registering a fake antivirus product, even when no real AV is installed.
The trick uses an undocumented Windows Security Center (WSC) API that antivirus software uses to tell Windows that it is installed and is now handling real-time protection for the device.
When an antivirus product is registered, Windows automatically disables Microsoft Defender to avoid the conflicts of running several security applications on the same device.
Defendnot, created by researcher es3n1n, abuses this API by registering a fake antivirus product that passes all of Windows' validation checks.
The tool is based on an earlier project called ‘Deafender’, which used code from a third-party antivirus product to spoof its registration with WSC. After that vendor filed a DMCA takedown request, the earlier tool was pulled from GitHub.
“Then, a few weeks after the release, the project blew up a lot and received ~1.5k stars, then the developers of the antivirus I was using filed a DMCA takedown request and I didn't really want to do anything, so I just erased everything and called it a day,” the developer says in a blog post.
Defendnot avoids the copyright problem by implementing the functionality from scratch through a dummy antivirus DLL.
Normally, the WSC API is protected by Protected Process Light (PPL), valid digital signatures, and other checks.
To bypass these requirements, Defendnot injects its DLL into a system process, Taskmgr.exe, which is signed by Microsoft and already trusted. From within that process, it can register the dummy antivirus under a spoofed display name.
Once the registration succeeds, Microsoft Defender immediately shuts itself down, leaving the device with no active protection.

Source: BleepingComputer
The tool also includes a loader that passes configuration data through a ctx.bin file, letting the user set the antivirus name to register, disable the registration, and enable verbose logging.
For persistence, Defendnot creates an autorun entry through the Windows Task Scheduler so that it starts whenever the user logs in to Windows.
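As an added defender-side check (not code from Defendnot or from the article), the PowerShell below enumerates the antivirus products registered with WSC, flags third-party entries that are not backed by a validly signed product binary, reports Defender's real-time state, and lists logon-triggered scheduled tasks that run from user-writable paths. The ‘suspicious’ heuristic and the path patterns are assumptions for illustration, not published detection logic for this tool; it targets Windows client SKUs, where the root/SecurityCenter2 namespace exists.

```powershell
# Added defender-side check, not part of Defendnot or the article.
# Run in an elevated PowerShell session on a Windows 10/11 client.

function Get-SuspiciousWscRegistrations {
    # Every product that has told WSC "I am the active antivirus" shows up here.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'
    foreach ($p in $products) {
        $exe = $p.pathToSignedProductExe
        $signer = $null
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -eq 'Valid') { $signer = $sig.SignerCertificate.Subject }
        }
        $isDefender = ($p.displayName -like 'Windows Defender*') -or ($p.displayName -like 'Microsoft Defender*')
        [pscustomobject]@{
            DisplayName  = $p.displayName
            ProductState = ('0x{0:X6}' -f $p.productState)   # WSC bitfield (enabled / up-to-date flags)
            ProductExe   = $exe
            Signer       = $signer
            # Assumption: a non-Defender entry with no validly signed product binary
            # behind it deserves a closer look; a genuine product normally has one.
            Suspicious   = (-not $isDefender) -and (-not $signer)
        }
    }
}

function Get-DefenderRealtimeState {
    # Get-MpComputerStatus ships with the built-in Defender module.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled          = $s.AntivirusEnabled
        RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
    }
}

function Get-LogonScheduledTasks {
    # Hypothetical heuristic: logon-triggered tasks whose action runs from a
    # user-writable location. The article names no task, so no task name is matched.
    Get-ScheduledTask | Where-Object {
        ($_.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }) -and
        ($_.Actions  | Where-Object { $_.Execute -match '^"?(%USERPROFILE%|C:\\Users\\|C:\\ProgramData\\)' })
    } | Select-Object TaskName, TaskPath, @{ n = 'Execute'; e = { ($_.Actions | ForEach-Object Execute) -join '; ' } }
}

Get-SuspiciousWscRegistrations | Format-Table -AutoSize
Get-DefenderRealtimeState
Get-LogonScheduledTasks | Format-Table -AutoSize
```

A registered product marked Suspicious alongside RealTimeProtectionEnabled = False is the combination the article describes, and a logon task pointing into a user profile is the persistence it mentions.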
While Defendnot is considered a research project, the tool shows how trusted system facilities can be manipulated to turn off security features.
Microsoft Defender currently detects the tool as ‘Win32/Sabsik.FL.!ml’.