VessOnSecurity

Oh, cool, somebody finally figured it out...

As you probably know, the Microsoft Security Center has an API that lets you query which AV is installed and whether it is up-to-date.

What is less well known is that it also has another, not publicly known API that lets you tell it "I'm installing another AV now, please disable Defender". This is what all other AV products use. Microsoft has provided them with documentation of this API, but under NDA.

Many years ago, I made a proof-of-concept - a small VBScript script that would use this API via WMI to "install" an imaginary AV, thus turning off Defender - but since it was based on information learned under NDA, I obviously couldn't make it public.

Now somebody has reverse-engineered the API from AVAST and has done pretty much the same (albeit a bit over-complicated) in C++:

github.com/es3n1n/no-defender
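The public half of the Security Center API mentioned above, as an added example that is not part of the original post or of the no-defender project: enumerate the AV products registered with Windows Security Center through the `root\SecurityCenter2` WMI namespace and decode the `productState` field into "enabled" and "signatures out of date" flags. The bit layout used by the decoder (middle byte 0x10 = on, low byte 0x10 = signatures out of date) is the interpretation commonly used in admin scripts; Microsoft does not document it, so treat it as an assumption. The sample state values at the end are constructed so the decoder can be run on a machine without Security Center; the registration side of the API (what the NDA covers) is deliberately not shown.

```powershell
# Added example, not code from the original post or from es3n1n/no-defender.
# Queries the public WMI namespace root\SecurityCenter2 and decodes productState.
#
# ASSUMPTION: the productState layout below (0xPPSSUU) is the community
# interpretation, not an officially documented one:
#   PP = provider/category bits (not decoded here)
#   SS = product state byte: bit 0x10 set => product is on; 0x01 => snoozed; 0x11 => expired
#   UU = signature status byte: bit 0x10 set => signatures out of date

function ConvertFrom-WscProductState {
    param([Parameter(Mandatory)][uint32]$ProductState)

    $state     = ($ProductState -shr 8) -band 0xFF
    $sigStatus =  $ProductState         -band 0xFF

    [pscustomobject]@{
        ProductState    = ('0x{0:X6}' -f $ProductState)
        IsEnabled       = [bool]($state -band 0x10)
        IsSnoozed       = ($state -eq 0x01)
        IsExpired       = ($state -eq 0x11)
        SignaturesStale = [bool]($sigStatus -band 0x10)
    }
}

function Get-WscAntiVirusStatus {
    # root\SecurityCenter2 exists on client editions of Windows (Vista and later);
    # Server SKUs and non-Windows PowerShell hosts have no Security Center, so the
    # query is wrapped in try/catch and simply returns nothing there.
    try {
        $products = Get-CimInstance -Namespace 'root\SecurityCenter2' `
                                    -ClassName 'AntiVirusProduct' -ErrorAction Stop
    } catch {
        Write-Warning "root\SecurityCenter2 not available: $($_.Exception.Message)"
        return
    }

    foreach ($p in $products) {
        $decoded = ConvertFrom-WscProductState -ProductState ([uint32]$p.productState)
        [pscustomobject]@{
            DisplayName     = $p.displayName
            Path            = $p.pathToSignedProductExe
            Timestamp       = $p.timestamp
            State           = $decoded.ProductState
            Enabled         = $decoded.IsEnabled
            SignaturesStale = $decoded.SignaturesStale
        }
    }
}

# Constructed sample values (not captured from a real machine) so the decoder
# can be exercised offline: on/up to date, off/up to date, on/stale, expired.
@(0x041000, 0x040000, 0x041010, 0x041100) |
    ForEach-Object { ConvertFrom-WscProductState -ProductState $_ } |
    Format-Table -AutoSize

# Live query; only produces output on a Windows client with Security Center.
Get-WscAntiVirusStatus | Format-Table -AutoSize
```

If a product shows `Enabled = False` here while its own UI says it is running, the Security Center view and the product's view have diverged, which is exactly the state an "I am installing another AV" registration produces: Defender consults this same registration data to decide whether to stand down.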

19 comments
hamato

@bontchev Another shattering triumph of security by obscurity!

Kotaro

@bontchev@infosec.exchange Wow, if it is abused, the average user will not be able to get away with it.

Jessie Nabein :neofox_peek_owo:

@bontchev and they've hosted it on GitHub, a Microsoft owned git service... :blobcatfacepalm:

VessOnSecurity

@tay @jessienab Yeah, the driver. That's why I said that the implementation is a bit over-complicated. It's not really necessary to do this; you can do it with WMI calls.

Karl

@bontchev You mean that nobody thought of understanding how AV software disables Defender up to this point?

That's hard to believe. If I wanted to write malware, that's one of the first things I'd be looking at. Any good spy movie involves security guard shifts.

VessOnSecurity

@karl Well, it's the first implementation of this idea that I have seen. If there are others, I simply don't know them.

It's a bit counter-intuitive, because the idea is not "disable Defender" (although this is what happens); the idea is "tell the Security Center what AV I am installing".

Euph0r14

@bontchev You’ve heard of security through obscurity, now get ready for:

security through NDA

Chris

@Euph0r14 @bontchev Don't worry, MS is changing everything to AI, which will make all these crutches unnecessary, provide perfect security and save the world, all at once!

Chris

@Euph0r14 @bontchev or as we call it in the enterprise: „compliance“

Rob Carlson

@bontchev Hopefully this is vigorously cloned because I assume Microsoft is going to memory hole this as soon as it gets noticed.

Stephan

@bontchev The only surprising thing is that no real-world malware did that already.

Ti Kallisti

@bontchev Microsoft just keeps collecting Ws this week.

buherator

@bontchev author is doing God's work here, this is incredibly useful to run test environments (unrelated to security)

Tim Ward ⭐🇪🇺🔶 #FBPE

@bontchev Yes, well, security-by-obscurity has never actually worked in the long term, has it.

VessOnSecurity

@TimWardCam Well, in the long run we're all dead. This particular thing managed to remain obscure for about 3 decades. (It's as old as Defender itself.)

Григорий Клюшников

I "disabled" Windows Defender on my VM by simply deleting it while ignoring NTFS permissions.
