{"id":38118,"date":"2025-05-19T00:41:46","date_gmt":"2025-05-18T22:41:46","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=38118"},"modified":"2025-05-19T00:50:08","modified_gmt":"2025-05-18T22:50:08","slug":"windows-10-11-defender-can-be-deactivated-with-a-simple-tool","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2025\/05\/19\/windows-10-11-defender-can-be-deactivated-with-a-simple-tool\/","title":{"rendered":"Windows 10\/11: Defender can be deactivated with a simple tool (Defendnot)"},"content":{"rendered":"<p><img decoding=\"async\" style=\"margin: 0px 10px 0px 0px; display: inline; float: left;\" title=\"Windows\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Windows-klein.jpg\" alt=\"Windows\" width=\"200\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2025\/05\/19\/windows-10-11-defender-mit-simplen-tool-deaktivierbar\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]Microsoft has built an interface (API) into Windows 10 and Windows 11 that allows manufacturers of antivirus software to disable Microsoft Defender when they install it. Some people (including a blog reader) have now shown how to deactivate Windows Defender using simple software (<em>no-defender<\/em> or <em>Defendnot<\/em>).<\/p>\n<p><!--more--><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/vg09.met.vgwort.de\/na\/fbeda9201e964f37b48b733efe2263c9\" alt=\"\" width=\"1\" height=\"1\" \/>I\u00a0have to add the topic, because German blog reader Tomas Jakobs already pointed out the issue to me on May 9, 2025 (thanks for that). But I'm currently not suffering from a lack of topics and realize at the end of the day that there's a lot I haven't been able to blog about. In addition, there have been personal reasons over the last 14 days (a few days off and bereavement) to cut back a little on the blog.<\/p>\n<h2>no-defender, or security by obscurity<\/h2>\n<p>Tomas Jakobs wrote on May 9, 2025 \"Windows Defender effectively turned off in every Windows and the WSC leveraged!\" and referred to his German blog post <a href=\"https:\/\/blog.jakobs.systems\/micro\/20250509-defender-disabled\/\" target=\"_blank\" rel=\"noopener\">AV-Schutz in jedem Windows ausgehebelt<\/a>.<\/p>\n<p>Jakobs explains in the article that Microsoft has a Windows Security Center (WSC) API in Windows 10 and Windows 11. This API enables the manufacturers of security software to deactivate Windows Defender, which is included in Windows, in order to avoid conflicts. To protect this knowledge, Microsoft has placed everything under NDA (i.e. everything is confidential).<\/p>\n<p>A security researcher with the alias<em> es3n1n<\/em> has come up with the idea of writing software called <em>no-defender<\/em> &#8211; a year ago &#8211; to abuse this WSC API and disable Microsoft Defender in Windows.<\/p>\n<p><a href=\"https:\/\/camo.githubusercontent.com\/14e5fe204cf05258306fb4847e7d590895f4feb6bb6aa0280e40aa6756af2a49\/68747470733a2f2f692e696d6775722e636f6d2f3871794a6f42562e706e67\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" title=\"Windows Defender \u00fcber WSC-API abschalten\" src=\"https:\/\/camo.githubusercontent.com\/14e5fe204cf05258306fb4847e7d590895f4feb6bb6aa0280e40aa6756af2a49\/68747470733a2f2f692e696d6775722e636f6d2f3871794a6f42562e706e67\" alt=\"Windows Defender \u00fcber WSC-API abschalten\" width=\"638\" height=\"320\" \/><\/a><\/p>\n<p>The screenshot above shows the Windows Security page, on which the entry \"github.com \/ esc3n1n\/no-defender\" is listed as virus protection. This means that Windows sees this software as virus protection and deactivates Microsoft Defender.<\/p>\n<p>However, <em>no-defender<\/em> is a dummy that does nothing other than simply pretend to be virus protection for Windows via the API and thus disable Defender. A user only needs local administrator rights to disable the virus protection of the Defender under Windows.<\/p>\n<p>Unfortunately, No-Defender inserts itself into the autostart, writes the developer, in order to retain the WSC functionality even after a restart. Testers must therefore keep the no-defender binaries on the hard disk so that they can be loaded. The whole thing cannot be patched so easily either, as the interface for the antivirus providers would then no longer work.<\/p>\n<p>To protect this knowledge, Microsoft has put it all under NDA (i.e. everything is confidential). According to esc3n1n, there was a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Digital_Millennium_Copyright_Act\" target=\"_blank\" rel=\"noopener\">DMCA<\/a> complaint from an \"unknown\" company that caused GitHub to delete the code from no-defender. Only the screenshot above and some explanations can still be found on <a href=\"https:\/\/github.com\/es3n1n\/no-defender\" target=\"_blank\" rel=\"noopener\">GitHub<\/a>.<\/p>\n<p>Tomas Jakobs published the no-defender repository on <a href=\"https:\/\/codeberg.org\/tomas-jakobs\/no-defender\" target=\"_blank\" rel=\"noopener\">no-defender<\/a> eight months ago. He took this step because the <em>no-defender<\/em> tool on GitHub was deleted due to a DMCA complaint, he writes. In his German <a href=\"https:\/\/blog.jakobs.systems\/micro\/20250509-defender-disabled\/#fn:4\" target=\"_blank\" rel=\"noopener\">blog post<\/a>, Jakobs outlines a few more approaches for obtaining pertinence for no-defender via task scheduling (task <em>defendnot)<\/em> and a registry entry.<\/p>\n<h2>Mention on Bleeping Computer<\/h2>\n<p>The topic and Tomas Jakobs' comments have been lying around on my desk waiting to be picked up. Now I see that my colleague Lawrence Abrams from Bleeping Computer has also taken up the topic over the weekend in the post <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/new-defendnot-tool-tricks-windows-into-disabling-microsoft-defender\/\" target=\"_blank\" rel=\"noopener\">New 'Defendnot' tool tricks Windows into disabling Microsoft Defender<\/a> . Lawrence Abrams has linked to esc3n1n's <a href=\"https:\/\/blog.es3n1n.eu\/posts\/how-i-ruined-my-vacation\/\" target=\"_blank\" rel=\"noopener\">blog post<\/a> with further background information. According to Abrams, Microsoft Defender currently detects Defendnot as \"Win32\/Sabsik.FL.!ml;\" and quarantines the files.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Microsoft has built an interface (API) into Windows 10 and Windows 11 that allows manufacturers of antivirus software to disable Microsoft Defender when they install it. Some people (including a blog reader) have now shown how to deactivate Windows Defender &hellip; <a href=\"https:\/\/borncity.com\/win\/2025\/05\/19\/windows-10-11-defender-can-be-deactivated-with-a-simple-tool\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[463,580,1547,2],"tags":[773,47,69,194],"class_list":["post-38118","post","type-post","status-publish","format-standard","hentry","category-issue","category-security","category-software","category-windows","tag-defender","tag-issue","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/38118","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=38118"}],"version-history":[{"count":2,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/38118\/revisions"}],"predecessor-version":[{"id":38120,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/38118\/revisions\/38120"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=38118"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=38118"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=38118"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}