Defendnot Tool Disables Microsoft Defender with Fake Antivirus


A newly discovered tool called Defendnot is making headlines in the cybersecurity world for its ability to turn off Microsoft Defender on Windows systems. What makes this tool so dangerous is that it tricks Windows into thinking another antivirus program is already installed—even when there isn’t one. This clever bypass allows Windows Defender to be disabled without any real antivirus taking its place, leaving the system completely unprotected.

How Defendnot Works

Windows has a built-in security system called Windows Security Center (WSC). This component checks if antivirus software is installed and running. If a third-party antivirus is active, Windows disables Microsoft Defender automatically to avoid conflicts between two security tools running at the same time.

Cybersecurity researcher es3n1n developed Defendnot by exploiting an undocumented WSC API. This API is normally used by real antivirus software to register itself with Windows. However, Defendnot uses it to register a fake antivirus, fooling Windows into thinking the system is protected when it’s actually not.

Based on a Previous Tool

Defendnot is inspired by an earlier project called no-defender, which used parts of an actual antivirus program to fake registration with the Windows Security Center. That earlier project was taken down from GitHub after the antivirus software vendor filed a DMCA complaint for using their copyrighted code.

To avoid the same problem, Defendnot was built entirely from scratch, including a dummy antivirus DLL (Dynamic Link Library). This makes it different from no-defender because it no longer uses copyrighted material and doesn’t depend on any third-party antivirus code.

Bypassing Security Protections

Normally, Windows enforces strict requirements before an antivirus product can be registered. These include Protected Process Light (PPL) protections, valid digital signatures, and other verification checks. These requirements are designed to stop unauthorized software from passing itself off as a security tool.

However, Defendnot bypasses these protections by injecting its fake antivirus code into a trusted system process, specifically Taskmgr.exe (Windows Task Manager). Since Task Manager is digitally signed and trusted by Microsoft, anything running inside it is also seen as trusted.

Once Defendnot is injected into Task Manager, it registers itself with WSC as an antivirus product under a spoofed display name. As a result, Microsoft Defender turns itself off, believing that a different security solution is now protecting the device.

Tool Features and Configuration

Defendnot isn’t just a simple one-click tool. It includes a loader that accepts configuration settings through a file named ctx.bin. With this file, users can:

  • Set the name of the fake antivirus

  • Choose whether to register or unregister the fake antivirus

  • Enable verbose logging for better tracking

To make sure the tool runs every time the system starts, Defendnot also creates a scheduled task using Windows Task Scheduler. This gives it persistence, which is often used by malware to stay active on a system even after a reboot.


Security Risks and Microsoft Response

Although Defendnot was released as a research project, it highlights serious security loopholes in the way Windows handles antivirus registration. If used by malicious actors, it could lead to widespread deactivation of Microsoft Defender, leaving systems vulnerable to viruses, ransomware, spyware, and more.

Microsoft is aware of the tool and has added detection for it in Microsoft Defender. The tool is now flagged as:

Win32/Sabsik.FL.!ml

If detected, Defender will quarantine Defendnot to prevent it from running.

Why This Matters

The release of Defendnot raises important questions about how Windows verifies antivirus software and how easily those checks can be faked. By simply pretending to be an antivirus, this tool can turn off real-time protection—something that should not be possible with modern security standards.

For businesses and individuals who rely on Microsoft Defender for protection, this kind of attack could be devastating. Attackers could use tools like Defendnot to disable security silently, install malware, and carry out attacks without being noticed.

What You Can Do

To protect your system:

  • Always keep your Windows OS and Defender up to date

  • Monitor any unusual behavior, such as Defender turning off unexpectedly

  • Use third-party antivirus solutions that provide tamper protection and advanced threat detection

  • Regularly scan for threats using Microsoft Defender or other trusted tools

  • Review your scheduled tasks for unknown or suspicious entries
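The following PowerShell script is an added example, not code from the article or the Defendnot project, that performs the checks listed above from a defender's side: it lists what Windows Security Center believes is registered as antivirus and whether each product's executable carries a valid Authenticode signature, reports Defender's own state, pulls recent Defender events that record protection being switched off (event IDs 5001, 5010 and 5012 are assumed from Microsoft's Defender operational log), and lists scheduled tasks whose action runs from outside the Windows directory. Run it from an elevated PowerShell prompt on the host being inspected.

```powershell
# Defensive check for unexpected antivirus registrations and Defender state.
# Added example (not from the article or the Defendnot project).

# 1. What does Windows Security Center believe is registered as antivirus?
$products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'
foreach ($p in $products) {
    $exe = $p.pathToSignedProductExe
    $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
        (Get-AuthenticodeSignature -FilePath $exe).Status
    } else { 'MissingFile' }
    [pscustomobject]@{
        DisplayName  = $p.displayName
        ProductState = ('0x{0:X6}' -f $p.productState)
        ProductExe   = $exe
        Signature    = $sig   # anything other than 'Valid' deserves a closer look
    }
}

# 2. Is Defender itself still active? A registration that is not backed by a
#    real product leaves these switched off.
$mp = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled          = $mp.AntivirusEnabled
    RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
    AMRunningMode             = $mp.AMRunningMode
    IsTamperProtected         = $mp.IsTamperProtected
}

# 3. Recent Defender events that record protection being disabled (assumed IDs:
#    5001 real-time protection off, 5010 antispyware off, 5012 antivirus off).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5010, 5012
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 4. Scheduled tasks whose action runs from outside the Windows directory are a
#    common persistence spot; review each one before deciding it is benign.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -and $a.Execute -notmatch '^(%SystemRoot%|C:\\Windows\\)') {
            [pscustomobject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                Execute  = $a.Execute
                Args     = $a.Arguments
                State    = $task.State
            }
        }
    }
}
```

A registered product whose executable is missing or unsigned, combined with Defender reporting real-time protection off, is exactly the state this article describes and should be investigated rather than dismissed.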

Defendnot shows how trusted Windows features can be abused to disable key security functions. While it’s currently being used for research purposes, it’s only a matter of time before similar methods are adopted by cybercriminals. This discovery highlights the urgent need for Microsoft to tighten security around Windows Security Center APIs and improve the verification of antivirus registration.

Until then, users must stay alert, keep their systems updated, and watch for any signs of Defender being disabled without explanation.
