Last week a new tool was brought to my attention, No-Defender, a tool published on GitHub that can deactivate Windows Defender by exploiting the Windows Security Center (WSC) registration mechanism.
The method is typically used by antivirus (AV) and endpoint detection and response (EDR) software to avoid conflicts with Windows Defender by becoming the primary security provider on the system.
This utility takes advantage of the WSC proxy application included in Avast’s software suite. The tool masquerades as a legitimate AV provider by accessing the WSC api necessary for registration, sidelining Windows Defender.
** Please note, as of 08/06/2024, the No-Defender utility has been subject to a DMCA takedown and has since been removed from GitHub. **
Detection and Mitigation
At FoxTech, we store customers’ endpoint log files for 12 months, and so, having read about this attack, I could search back through the customer logs to see whether it had been used on any machines. Fortunately, there was no evidence of such an attack.My next task was to write a rule to alert should a similar attack occur in the future.
A rule was added to monitor the Security Center Windows event log for EventID: 15 identifying when any unauthorised applications are registered as security providers, replacing Windows Defender.
Conclusion
The No-Defender tool illustrates a novel approach to disabling Windows Defender through WSC registration abuse. Although No-Defender has now been removed from GitHub, understanding its mechanics and monitoring for specific event IDs can significantly enhance system security against similar threats.
References:
