Email or username:

Password:

Forgot your password?
VessOnSecurity's posts Post Back to profile
VessOnSecurity

Oh, cool somebody finally figured it out...

As you probably know, the Microsoft Security Center has an API that lets you query which AV is installed and whether it is up-to-date.

What is less well-known, is that it also has another, not publicly known API, that lets you tell it "I'm installing another AV now, please disable Defender". This is what all other AV products use. Microsoft has provided to them documentation of this API but under NDA.

Many years ago, I made a proof-of-concept - a small VBScript script that would use this API via WMI to "install" an imaginary AV, thus turning off Defender - but since it was based on information learned under NDA, I obviously couldn't make it public.

Now somebody has reverse-engineered the API from AVAST and has done pretty much the same (albeit a bit over-complicated) in C++:

github.com/es3n1n/no-defender

24 May at 6:56 | Open on infosec.exchange
19 comments
hamato

@bontchev Another shattering triumph of security by obscurity!

24 May at 10:23 | Open on mastodon.social
Kotaro

@bontchev@infosec.exchange Wow, if it is abused, the average user will not be able to get away with it.

24 May at 11:47 | Open on kotaro.me
Jessie Nabein :neofox_peek_owo:

@bontchev and they've hosted it on GitHub, a Microsoft owned git service... :blobcatfacepalm:

24 May at 12:07 | Open on wetdry.world
Proxfox Virtual Environment 🦊

@jessienab @bontchev and they included what I assume are Avast binaries

24 May at 13:42 | Open on tech.lgbt
VessOnSecurity

@tay @jessienab Yeah, the driver. That's why I said that the implementation is a bit over-complicated. It's not really necessary to do this; you can do it with WMI calls.

24 May at 14:15 | Open on infosec.exchange
Karl

@bontchev You mean that nobody thought of understanding how AV software disable Defender up to this point?

That's hard to believe. If I wanted to write malware, that's one of the first things I'd be looking at. Any good spy movie involves security guards shifts.

24 May at 12:38 | Open on infosec.exchange
VessOnSecurity

@karl Well, it's the first implementation of this idea that I have seen. If there are others, I simply don't know them.

It's a bit counter-intuitive, because the idea is not "disable Defender" (although this is what happens); the idea is "tell the Security Center what AV I am installing".

24 May at 14:14 | Open on infosec.exchange
Euph0r14

@bontchev You’ve heard of security through obscurity, now get ready for:

security through NDA

24 May at 13:51 | Open on infosec.exchange
Chris

@Euph0r14 @bontchev Don't worry, MS is changing everything to AI, which will make all these crutches unnecessary, provide perfect security and save the world, all at once!

24 May at 17:56 | Open on infosec.exchange
Chris

@Euph0r14 @bontchev or as we call it in the enterprise: „compliance“

24 May at 19:52 | Open on chaos.social
Rob Carlson

@bontchev Hopefully this is vigorously cloned because I assume Microsoft is going to memory hole this as soon as it gets noticed.

24 May at 13:53 | Open on epistolary.org
Stephan

@bontchev The only surprising thing is that no real-world malware did that already.

24 May at 15:23 | Open on chaos.social
Ti Kallisti

@bontchev Microsoft just keeps collecting Ws this week.

24 May at 17:25 | Open on corteximplant.com
RAMΞNJVNKIΞ🍜
buherator
@bontchev author is doing God's work here, these is incredibly useful to run test environments (unrelated to security)
24 May at 18:19 | Open on infosec.place
Tim Ward ⭐🇪🇺🔶 #FBPE

@bontchev Yes, well, security-by-obscurity has never actually worked in the long term, has it.

24 May at 18:30 | Open on c.im
VessOnSecurity

@TimWardCam Well, in the long run we're all dead. This particular thing managed to remain obscure for about 3 decades. (It's as old as Defender itself.)

24 May at 19:31 | Open on infosec.exchange
Григорий Клюшников

I "disabled" Windows Defender on my VM by simply deleting it while ignoring NTFS permissions.

24 May at 20:26
Go Up