Persistent API-level spoofing: While WSC is typically guarded by mechanisms like Protected Process Light (PPL) and signature validation, Defendnot sidesteps these barriers by injecting its code into Taskmgr.exe, a system-signed, trusted process. From there, it registers the ghost antivirus entry under a spoofed name.

Additionally, to ensure it sticks around, defendnot sets up persistence via Windows Task Scheduler, launching itself automatically at login.

This POC broadly makes three points clear: how security products interact with the OS under the hood, that API-level spoofing can trick even trusted components like Defender, and that sole reliance on WSC for AV detection might be risky.

While Microsoft did not respond to emailed questions by the time of publication, there is online chatter about Microsoft catching up to defendnot and currently flagging the tool as Win32/Sabsik.FL.!ml, a general heuristic classification used by Defender for potentially malicious or suspicious software.
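Added example, not from the article or the defendnot project: a PowerShell audit that lists every product registered with Windows Security Center, checks whether each one is backed by a validly signed binary, and lists logon-triggered scheduled tasks whose action runs from a user-writable location (the two footholds described above). The WMI namespace and cmdlets are standard Windows ones; the "user-writable path" patterns are assumptions for this example.

```powershell
# Added example (not the article's or defendnot's code). Run in an elevated
# PowerShell on a Windows client. Path patterns below are assumptions.
function Get-WscAntivirusAudit {
    # WSC exposes registered AV products in the root/SecurityCenter2 namespace.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
      ForEach-Object {
        $exe = $_.pathToSignedProductExe
        $kind = 'missing'; $sigStatus = 'n/a'; $signer = 'n/a'
        if ($exe -match '^[a-z]+://') {
            # Built-in Defender registers a windowsdefender:// URI, not a file path.
            $kind = 'uri'
        } elseif ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
            $kind = 'file'
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            DisplayName  = $_.displayName
            ProductState = ('0x{0:X6}' -f $_.productState)
            ProductExe   = $exe
            Kind         = $kind
            Signature    = $sigStatus
            Signer       = $signer
            # Anything that is not a validly signed binary (or the known Defender
            # URI) deserves a look: a ghost entry has no real product behind it.
            Suspicious   = ($kind -eq 'missing') -or ($kind -eq 'file' -and $sigStatus -ne 'Valid')
        }
    }
}

function Get-LogonTaskAudit {
    # Logon-triggered tasks whose action lives under a user profile or a Temp dir.
    foreach ($task in Get-ScheduledTask) {
        $logon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
        if (-not $logon) { continue }
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
            if ($exe -match '^[A-Za-z]:\\Users\\' -or $exe -match '\\Temp\\') {
                [pscustomobject]@{ Task = "$($task.TaskPath)$($task.TaskName)"; Execute = $exe; Arguments = $a.Arguments }
            }
        }
    }
}

Get-WscAntivirusAudit | Format-Table -AutoSize
Get-LogonTaskAudit    | Format-Table -AutoSize
```

Compare the first table against the products you actually deployed; any extra row, or a row whose binary is missing or unsigned, is the kind of entry that would convince Defender to stand down.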
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3989194/a-spoof-antivirus-makes-windows-defender-disable-security-scans.html