Microsoft has built an interface (API) into Windows 10 and Windows 11 that lets manufacturers of antivirus software switch off Microsoft Defender when their own product is installed. Several people (including a blog reader) have now shown how this interface can be used to deactivate Microsoft Defender with a small dummy tool (no-defender or Defendnot).
I have to add the topic, because German blog reader Tomas Jakobs already pointed out the issue to me on May 9, 2025 (thanks for that). But I'm currently not suffering from a lack of topics and realize at the end of the day that there's a lot I haven't been able to blog about. In addition, there have been personal reasons over the last 14 days (a few days off and bereavement) to cut back a little on the blog.
no-defender, or security by obscurity
Tomas Jakobs wrote on May 9, 2025 "Windows Defender effectively turned off in every Windows and the WSC undermined!" and referred to his German blog post AV-Schutz in jedem Windows ausgehebelt (AV protection bypassed in every Windows).
Jakobs explains in the article that Windows 10 and Windows 11 contain a Windows Security Center (WSC) API. It lets vendors of security software register their product as the active virus protection and thereby deactivate the built-in Microsoft Defender, so that two real-time scanners do not conflict with each other. Microsoft only hands out the details of this interface under NDA (i.e. everything is confidential).
A security researcher with the alias es3n1n came up with the idea, a year ago, of writing a tool called no-defender that abuses this WSC API to disable Microsoft Defender in Windows.
The screenshot above shows the Windows Security app, in which the entry "github.com/es3n1n/no-defender" is listed as the installed virus protection. Windows therefore treats this software as an antivirus product and deactivates Microsoft Defender.
However, no-defender is a dummy: it does nothing except register itself via the API as virus protection for Windows, and that alone is enough to disable Defender. Local administrator rights are all a user needs to switch off Defender's virus protection this way.
Unfortunately, the developer writes, no-defender has to add itself to autostart so that the WSC registration survives a restart. Anyone trying it must therefore leave the no-defender binaries on the disk so that they can be loaded again. The whole thing cannot be patched easily either, because the interface the antivirus vendors rely on would then stop working.
According to es3n1n, a DMCA complaint from an "unknown" company caused GitHub to remove the no-defender code. Only the screenshot above and some explanations can still be found on GitHub.
Tomas Jakobs re-published the no-defender repository eight months ago. He took this step, he writes, because the original no-defender repository on GitHub had been deleted after the DMCA complaint. In his German blog post, Jakobs also outlines a few further ways of giving no-defender persistence: via a scheduled task (task defendnot) and via a registry entry.
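As an added example of how an administrator can check for the situation described above (my own code, not from this post, from es3n1n or from Tomas Jakobs): the PowerShell script below lists every product registered with the WSC, flags entries whose executable is missing or does not carry a valid Authenticode signature, shows Defender's own view of its state, and searches the Run keys and scheduled tasks for the persistence entries just mentioned. It assumes the commonly used but undocumented bit layout of the WSC productState value, and that Defender's own WSC registration carries a URI rather than a file path. Run it from an elevated PowerShell on a machine with the Defender module present.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the blog post or from the no-defender/defendnot projects.
# Lists what the Windows Security Center (WSC) believes is installed antivirus, checks
# whether each registered product's binary exists and carries a valid Authenticode
# signature, reports Defender's own state, and searches the persistence spots the
# post mentions (Run keys, scheduled tasks) for those binaries.
# Assumptions: the productState decoding below is the widely used but undocumented
# convention; the WSC product list is read from the root/SecurityCenter2 WMI namespace.

function Get-WscAntivirusInventory {
    # Everything registered with WSC as antivirus, real vendors and dummies alike.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' | ForEach-Object {
        $hex  = '{0:x6}' -f [int]$_.productState                      # e.g. 397568 -> "061100"
        $path = [Environment]::ExpandEnvironmentVariables([string]$_.pathToSignedProductExe)
        if ($path -match '^[a-z]+://') {
            # Defender registers a URI ("windowsdefender://") here, not a file: skip the file checks.
            $exists = $true; $sig = 'BuiltIn'
        } else {
            $exists = $path -and (Test-Path -LiteralPath $path)
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status.ToString() } else { 'NoFile' }
        }
        [pscustomobject]@{
            DisplayName  = $_.displayName
            Enabled      = $hex.Substring(2, 2) -notmatch '^0[01]$'   # 00/01 = off, 10/11 = on (convention)
            SigsUpToDate = $hex.Substring(4, 2) -eq '00'              # 00 = current, 10 = stale (convention)
            ProductExe   = $path
            ExeExists    = [bool]$exists
            Signature    = $sig                                       # a real vendor's binary shows 'Valid'
        }
    }
}

function Get-DefenderState {
    # Defender's own view. Once a third-party product (real or dummy) owns the WSC
    # registration, Defender switches itself off; these fields show that directly.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled          = $s.AntivirusEnabled
        RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        AMRunningMode             = $s.AMRunningMode
        IsTamperProtected         = $s.IsTamperProtected   # context only; says nothing about WSC registrations
    }
}

function Find-AvPersistence {
    # Run keys and scheduled tasks whose command line names one of the given binaries.
    param([Parameter(Mandatory)][string[]]$ExePaths)
    $names = $ExePaths | Where-Object { $_ } | ForEach-Object { [IO.Path]::GetFileName($_) }
    $hits  = @()
    foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Value -is [string] -and ($names | Where-Object { $p.Value -like "*$_*" })) {
                $hits += [pscustomobject]@{ Kind = 'RunKey'; Where = "$key\$($p.Name)"; Command = $p.Value }
            }
        }
    }
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"          # COM-handler actions have no Execute; harmless
            if ($names | Where-Object { $cmd -like "*$_*" }) {
                $hits += [pscustomobject]@{ Kind = 'ScheduledTask'; Where = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
            }
        }
    }
    $hits
}

$inventory = Get-WscAntivirusInventory
$inventory | Format-Table -AutoSize
Get-DefenderState | Format-List

# Anything WSC trusts as antivirus whose binary is missing or not validly signed deserves a look.
$suspect = @($inventory | Where-Object { -not $_.ExeExists -or $_.Signature -notin 'Valid', 'BuiltIn' })
if ($suspect.Count -gt 0) {
    Write-Warning "WSC lists AV products with a missing or unsigned binary:"
    $suspect | Format-Table DisplayName, ProductExe, Signature -AutoSize
    Find-AvPersistence -ExePaths $suspect.ProductExe | Format-Table -AutoSize
}
```

A genuine third-party scanner shows up with an existing, validly signed executable; a dummy such as no-defender shows up with a display name of the tool's choosing and a binary that is either unsigned or, once the user deletes it, missing, while Defender's AntivirusEnabled and RealTimeProtectionEnabled both read False. The persistence search only covers the two locations the post names (Run keys and scheduled tasks); a registry entry placed elsewhere would need a separate check.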
Mention on Bleeping Computer
The topic and Tomas Jakobs' comments have been lying on my desk waiting to be picked up. Now I see that my colleague Lawrence Abrams from Bleeping Computer also took up the subject over the weekend in the post New 'Defendnot' tool tricks Windows into disabling Microsoft Defender. Lawrence Abrams links to es3n1n's blog post with further background information. According to Abrams, Microsoft Defender currently detects Defendnot as "Win32/Sabsik.FL.!ml" and quarantines the files.



If Microsoft were to only allow vendors they approve to disable Defender, we would be upset. So the alternative is an API that all vendors can call to disable Defender. It only works when the software is run with Administrator rights.
I know there are some Defender for Endpoint (365 paid version) settings that prevent disabling Defender. And I'm curious if these would also protect against this API method of disabling Defender.
Seems to be a temporary disable; after so many shutdowns Defender seems to re-enable and then goes after it.