Detecting defendnot: A Tool for Silently Disabling Windows Defender

Defendnot is a utility designed by es3n1n to disable Microsoft Defender by abusing a lesser-known mechanism in Windows: the Windows Security Center (WSC) API. Originally published on GitHub, defendnot exemplifies a class of dual-use tools that blur the line between red-team utility and malware component, and it has growing relevance as attackers seek stealthier ways to neutralize built-in protections.

What Does It Do?

Rather than directly killing Defender processes or tweaking registry keys (both noisy techniques often flagged by EDRs), defendnot registers itself as a third-party antivirus via WSC, which causes Windows Defender to voluntarily disable itself.

Windows assumes there’s no need to run Defender if another AV is present, and defendnot exploits this assumption. What makes it more interesting is that it interacts with the undocumented WSC API directly – a notable departure from earlier versions of the tool (no-defender) which relied on third-party AV code.

Why It Matters

While defendnot was released as the creator’s experiment and can be used as a red-team tool, its stealthy approach to disabling Defender has real implications for post-exploitation tooling and malware design. Unlike registry edits or process tampering, WSC-based disabling is quiet, effective, and unlikely to raise alarms in many environments.

Our contribution: A YARA Rule for DefendNot

To help surface defendnot binaries in file collections and retrohunt datasets, we created a YARA rule based on unique strings and code artifacts found in the public build of the tool. This rule is especially useful for catching staged tooling or post-compromise artifacts. With Stairwell, you don’t just deploy the rule. You immediately see which files across your environment match, giving you instant visibility into potential threats. Load it into our platform and turn a single rule into immediate, enterprise-wide coverage.