No-Defender can deactivate Windows Defender

Last week a new tool was brought to my attention, No-Defender, a tool published on GitHub that can deactivate Windows Defender by exploiting the Windows Security Center (WSC) registration mechanism.
 
The method is typically used by antivirus (AV) and endpoint detection and response (EDR) software to avoid conflicts with Windows Defender by becoming the primary security provider on the system.
 
This utility takes advantage of the WSC proxy application included in Avast’s software suite. The tool masquerades as a legitimate AV provider by accessing the WSC API needed for registration, sidelining Windows Defender.

** Please note, as of 08/06/2024, the No-Defender utility has been subject to a DMCA takedown and has since been removed from GitHub. **

 

Detection and Mitigation

At FoxTech, we store customers’ endpoint log files for 12 months, so, having read about this attack, I was able to search back through the customer logs to see whether it had been used on any machines. Fortunately, there was no evidence of such an attack.
 
My next task was to write a rule to alert should a similar attack occur in the future.
 
A rule was added to monitor the Windows Security Center event log for Event ID 15, which identifies when any unauthorised application registers as a security provider and replaces Windows Defender.
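The detection logic described above, written out as an added example: it is not FoxTech's actual rule and not code from the No-Defender project. It takes a batch of Security Center Event ID 15 records, compares the registered product against an allow-list of approved providers, and raises an alert when an unapproved product becomes the active provider or when Windows Defender leaves the active state. The record layout, the message text pattern and the product names below are constructed for the example; in production the records would come from the event log or a SIEM rather than the embedded sample list.

```python
"""Detection example for Windows Security Center (SecurityCenter) Event ID 15.

Added illustration only: the record shape and the message pattern are assumptions
modelled loosely on the SecurityCenter status-change message, and the sample
events are constructed for this example.
"""

import re
from dataclasses import dataclass

# Products this (hypothetical) estate is allowed to register with Security Center.
APPROVED_PRODUCTS = {"Windows Defender"}

# Assumed message layout: "Updated <product> status successfully to <STATE>."
_MSG_RE = re.compile(
    r"Updated (?P<product>.+?) status successfully to "
    r"(?P<state>SECURITY_PRODUCT_STATE_\w+)\.?$"
)

ACTIVE = "SECURITY_PRODUCT_STATE_ON"


@dataclass
class Alert:
    host: str
    product: str
    state: str
    reason: str


def parse_message(message: str):
    """Return (product, state) from an Event ID 15 message, or None if it does not match."""
    m = _MSG_RE.search(message)
    if m is None:
        return None
    return m.group("product"), m.group("state")


def evaluate(events):
    """Apply the rule to a list of event records and return the alerts raised."""
    alerts = []
    for ev in events:
        # Only SecurityCenter Event ID 15 (provider status change) is of interest.
        if ev.get("EventID") != 15 or ev.get("Provider") != "SecurityCenter":
            continue
        parsed = parse_message(ev.get("Message", ""))
        if parsed is None:
            continue
        product, state = parsed
        if product not in APPROVED_PRODUCTS and state == ACTIVE:
            # Something other than the approved AV has become the active provider.
            alerts.append(Alert(ev["Host"], product, state,
                                "unapproved security provider registered as active"))
        elif product in APPROVED_PRODUCTS and state != ACTIVE:
            # The approved provider has been switched off, snoozed or expired.
            alerts.append(Alert(ev["Host"], product, state,
                                "approved security provider is no longer active"))
    return alerts


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"Host": "ws01", "Provider": "SecurityCenter", "EventID": 15,
     "Message": "Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_ON."},
    {"Host": "ws02", "Provider": "SecurityCenter", "EventID": 15,
     "Message": "Updated Contoso Test Shield status successfully to SECURITY_PRODUCT_STATE_ON."},
    {"Host": "ws02", "Provider": "SecurityCenter", "EventID": 15,
     "Message": "Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_SNOOZED."},
    {"Host": "ws03", "Provider": "SecurityCenter", "EventID": 16,
     "Message": "Unrelated Security Center event, ignored by the rule."},
]


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[ALERT] {a.host}: {a.product} -> {a.state} ({a.reason})")
```

Running it on the constructed sample raises two alerts for ws02: the unknown product becoming active and Windows Defender dropping out of the active state. Pairing the two conditions is deliberate, since a legitimate AV installation also produces the second event; the combination with an unrecognised product name is what makes the sequence worth an analyst's time.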
 

Conclusion

The No-Defender tool illustrates a novel approach to disabling Windows Defender through WSC registration abuse. Although No-Defender has now been removed from GitHub, understanding its mechanics and monitoring for specific event IDs can significantly enhance system security against similar threats.
 