- A security researcher has built a program that registers itself with the operating system as an antivirus
- Because two AV programs cannot run at the same time, Windows Defender disables itself
- A previous iteration was taken down after a copyright infringement claim
Hackers can now easily disable your Windows Defender program by registering a fake antivirus on your computer. To do so, they can use a new tool called Defendnot, recently released by a security researcher going by the alias ES3N1N.
As the researcher explained, Defendnot uses a previously undocumented Windows Security Center (WSC) API, which third-party antivirus programs use to tell the operating system whether or not they are running on the device.
Normally, two or more antivirus programs cannot run on one device at the same time because of the conflicts this causes. As a result, Windows Defender automatically switches itself off when it learns that another antivirus is installed.
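A defender-side check that follows from the mechanism above, written as an added example (it is not code from the article or from the Defendnot project): list what is registered with Windows Security Center, flag entries whose product executable is missing or not validly signed, and report whether Defender has stepped aside as a result. It assumes a Windows host with the Defender cmdlets installed and an elevated PowerShell session; the `productState` bit interpretation is the commonly used one, not an official specification.

```powershell
# Added example: audit WSC antivirus registrations and Defender's resulting state.
# Not part of the original article; assumes Windows with the Defender module available.

function Get-WscAntivirusReport {
    # root/SecurityCenter2 is where third-party AV products register themselves with WSC.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'
    foreach ($p in $products) {
        $exe    = $p.pathToSignedProductExe
        $exists = (-not [string]::IsNullOrEmpty($exe)) -and (Test-Path -LiteralPath $exe)
        $sig    = 'NoFile'
        if ($exists) { $sig = (Get-AuthenticodeSignature -FilePath $exe).Status }
        [pscustomobject]@{
            DisplayName  = $p.displayName
            InstanceGuid = $p.instanceGuid
            ProductExe   = $exe
            ExeExists    = $exists
            Signature    = $sig
            # Commonly used reading of productState: bit 0x1000 set means "enabled".
            Enabled      = (($p.productState -band 0x1000) -ne 0)
            # A registration with no real, validly signed product binary behind it is
            # exactly what a dummy AV registration looks like; treat it as suspicious.
            Suspicious   = (-not $exists) -or ($sig -ne 'Valid')
        }
    }
}

function Get-DefenderSideEffect {
    # When another AV is registered, Defender typically reports passive mode and
    # real-time protection off, which is the symptom worth alerting on.
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled          = $mp.AntivirusEnabled
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        RunningMode               = $mp.AMRunningMode
    }
}

function Get-UserAutorunEntries {
    # The per-user Run key is a common place for a tool to persist across logons.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            Select-Object Name, Value
    }
}

Get-WscAntivirusReport | Format-Table -AutoSize
Get-DefenderSideEffect
Get-UserAutorunEntries | Format-Table -AutoSize
```

Any row with `Suspicious` set to `True` alongside Defender reporting passive mode is worth investigating, since a legitimate third-party product normally has a validly signed binary at the registered path.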
Spotted by Defender
According to BleepingComputer, this is the researcher's second attempt at building this kind of tool. The original program, which went viral shortly after release, was taken down following a Digital Millennium Copyright Act (DMCA) request. It appears that ES3N1N's code used a third-party antivirus product to fake the registration with WSC, in a program called no-defender.
This apparently did not sit well with the developers of that third-party product, who then demanded that ES3N1N drop the program.
After the takedown, the researcher rebuilt the tool from scratch as Defendnot, using a dummy antivirus DLL instead. It also ships with an autorun feature, so that it can start automatically as soon as the user logs in to Windows.
The tool is clearly not designed to be used maliciously, but it is safe to assume that it will be abused (or that threat actors can easily build their own versions). In the past, threat actors have been seen using a range of tactics to disable victims' antivirus programs, such as abusing admin rights, tampering with the registry, blocking updates, installing fake antivirus software, or exploiting various bugs in third-party solutions.
Fortunately, Microsoft Defender can now detect and quarantine Defendnot as 'Win32/Sabsik.FL.!ml'.