Windows Defender Bypass Tool Shared On GitHub

The "No Defender" tool requires admin privileges, another reason not to run Windows as an admin.

by Paul Shread May 29th, 2024

Share on LinkedInShare on Twitter

A GitHub project that disables Windows Defender and firewall is generating buzz among cybersecurity researchers.

Will Dormann, a senior vulnerability analyst at CERT, posted about the GitHub project on a Mastodon cybersecurity instance.

“Somebody figured out the secret technique that 3rd-party AV uses to disable Microsoft Defender so that they themselves can run without interference,” Dormann wrote. “This tool uses this technique to install a null AV product, thus having the effect of simply disabling Microsoft Defender.”

Dormann included a screen recording of the tool in action, and it appears to work effectively (screenshot below).

‘No Defender’ Windows Defender bypass

The GitHub project, simply called “No Defender,” is billed as “A fun way to disable windows defender + firewall.”

In a note on the project, repository owner “es3n1n” said they essentially reverse-engineered the API that antivirus vendors use to disable Windows Defender.

“There’s a WSC (Windows Security Center) service in Windows which is used by antiviruses to let Windows know that there’s some other antivirus in the hood and it should disable Windows Defender,” the note states.

“This WSC API is undocumented and furthermore requires people to sign an NDA with Microsoft to get its documentation, so I decided to take an interesting approach for such a thing and used an already existing antivirus called Avast. This AV engine includes a so-called wsc_proxy.exe service, which essentially sets up the WSC API for Avast. With a little bit of reverse engineering, I turned this service into a service that could add my own stuff there.”

One limitation noted by es3n1n is that “to keep this WSC stuff even after reboot, no-defender adds itself (not really itself but rather Avast’s module) to the autorun. Thus, you would need to keep the no-defender binaries on your disk.”

Windows Defender Bypass Requires Admin Privileges

EDR (endpoint detection and response) and antivirus software bypasses aren’t uncommon, as hackers and researchers alike have found ways to disable security defenses.

Security researchers and testers often turn off security defenses in the course of research and testing, so such tools have legitimate uses too. As one commenter noted on the ycombinator Hacker News feed, “Defender is a real irritant when doing security research and is near impossible to turn off completely and permanently. Even using the Group Policy Editor or regedits is not reliable. If you do get it to stop, it will randomly reenable itself weeks later…For the vast majority of people this is a good thing!”

Dormann noted that elevated admin privileges are all that’s required to run the No Defender tool, so Windows users have yet another reason not to run Windows as an admin. “If you don’t log in to Windows as an admin, as we security-conscious people do, then you won’t have as much to worry about,” Dormann wrote.

One Mastodon commenter saw the GitHub tool as an Avast flaw rather than Microsoft’s, noting that “it requires an executable signed with AuthentiCode SigningLevel 7 (“Signed by an Antimalware vendor whose product is using AMPPL”).

“I see this more as a vulnerability of the Avast wsc_proxy.exe component misused here that allows untrusted/unsigned code to interact with it,” said the commenter, who goes by the handle “faebudo.”

The Cyber Express reached out to Microsoft and Avast for comment and will update this article with any response. But Dormann told The Cyber Express the issue is “more of a novelty than a vulnerability per se. Admin-privileged users can do admin things. Which includes reconfiguring the system they’re on. Including kernel-level access.”


Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button