Oh, cool somebody finally figured it out...
As you probably know, the Microsoft Security Center has an API that lets you query which AV is installed and whether it is up-to-date.
What is less well-known, is that it also has another, not publicly known API, that lets you tell it "I'm installing another AV now, please disable Defender". This is what all other AV products use. Microsoft has provided to them documentation of this API but under NDA.
Many years ago, I made a proof-of-concept - a small VBScript script that would use this API via WMI to "install" an imaginary AV, thus turning off Defender - but since it was based on information learned under NDA, I obviously couldn't make it public.
Now somebody has reverse-engineered the API from AVAST and has done pretty much the same (albeit a bit over-complicated) in C++:
@bontchev Another shattering triumph of security by obscurity!