Defendnot tool fools Windows into disabling Microsoft Defender using a spoofed security trick
The tool spoofs an AV registration

A new project called Defendnot can fool Windows into disabling Microsoft Defender without actually installing any antivirus. The tool pretends to be a legitimate antivirus product and passes Windows Security Center’s checks without issue.
Defendnot tool tricks Windows into disabling Microsoft Defender, leaving your system vulnerable
This method quietly disables Microsoft Defender by spoofing an AV registration. No popups, no system alerts, just silent deactivation. Defendnot works by injecting a fake antivirus DLL into Taskmgr.exe, a trusted system process signed by Microsoft.
Once injected, the tool registers itself with Windows, making Microsoft Defender think real-time protection is already covered. As a result, Windows Defender deactivates completely, leaving the system vulnerable.
The Defendnot tool, created by researcher es3n1n, avoids older copyright issues by building everything from scratch. It doesn’t rely on any third-party antivirus code like the earlier no-defender project, which GitHub removed previously.
You can configure Defendnot to use a custom AV name, enable verbose logs, or auto-start with Windows. It uses a ctx.bin file to load these settings. A scheduled task handles persistence after reboot.
The key idea is that Defendnot disables Microsoft Defender without triggering Windows security alerts. It achieves that by exploiting Windows Security Center (WSC) behavior and operating from a trusted process.
While Microsoft has flagged the tool as Win32/Sabsik.FL.!ml, it still highlights a real vulnerability in Windows’ trust model. Even with protections like Protected Process Light, spoofing antivirus presence remains possible.
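Because the registration is what switches Defender off, a defender can audit what is registered with Windows Security Center and compare it with Defender's own state. The PowerShell below is an added example, not part of the Defendnot project or the original article; the function names and the allowlist of product names are assumptions to adapt to your environment.

```powershell
# Added example: audit AV registrations in Windows Security Center.
# root/SecurityCenter2 exists on Windows client editions only.
function Get-AvRegistrationAudit {
    param(
        # Assumption: display names of the AV products you actually deploy.
        [string[]]$ExpectedProducts = @('Windows Defender', 'Microsoft Defender Antivirus')
    )
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'
    foreach ($p in $products) {
        # The registered path may hold environment variables or a non-file value.
        $path = [Environment]::ExpandEnvironmentVariables([string]$p.pathToSignedProductExe)
        $sigStatus = 'NotAFile'
        $signer = $null
        if ($path -and (Test-Path -LiteralPath $path -PathType Leaf -ErrorAction SilentlyContinue)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $sigStatus = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            DisplayName     = $p.displayName
            InstanceGuid    = $p.instanceGuid
            ProductExe      = $path
            SignatureStatus = $sigStatus
            Signer          = $signer
            Expected        = $ExpectedProducts -contains $p.displayName
            Timestamp       = $p.timestamp
        }
    }
}

function Test-DefenderDisplaced {
    $audit = @(Get-AvRegistrationAudit)
    try {
        $rtp = [bool](Get-MpComputerStatus -ErrorAction Stop).RealTimeProtectionEnabled
    } catch {
        $rtp = $false   # Defender cmdlets unavailable or service not answering
    }
    # Review any product not on the allowlist, or whose registered binary
    # is a file without a valid Authenticode signature.
    $suspect = @($audit | Where-Object {
        -not $_.Expected -or ($_.SignatureStatus -notin 'Valid', 'NotAFile')
    })
    if (-not $rtp -and $suspect.Count -gt 0) {
        Write-Warning 'Defender real-time protection is off and an unrecognised AV product is registered.'
    }
    [pscustomobject]@{ RealTimeProtection = $rtp; Suspect = $suspect; All = $audit }
}

Test-DefenderDisplaced | Format-List
```

Since the tool accepts a custom AV name, treat the display name as a hint only and triage on the registered binary, its signer and the registration timestamp.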