DefendNot: Turning Windows Defender Against Itself
Rather than tampering with Defender processes or registry keys, DefendNot takes a different approach: it registers a fake antivirus through the Windows Security Center (WSC) COM interface. Because Defender is built to step aside when third-party antivirus software is present, this spoofed registration triggers Windows’ own conflict resolution logic.

Technical Breakdown: Abusing Windows’ Own Conflict Resolution

At the core of DefendNot’s technique is the Windows Security Center (WSC), a native Windows component responsible for managing security products such as antivirus and EDR solutions. DefendNot registers itself as a fake antivirus inside WSC, convincing Windows to do the work of disabling Defender on its behalf. These paths are normally used by Windows to track legitimate antivirus products. Once those keys are in place, WSC accepts the registration as valid and replaces the Defender entry with the spoofed antivirus.

Detection Mechanisms

Although Microsoft Defender for Endpoint’s logging is degraded once DefendNot is active, defenders can still detect its activity. Each of these contains a GUID that may appear arbitrary, but these GUIDs represent the spoofed antivirus registered by DefendNot alongside the legitimate Defender entry. The registry entries also store metadata pointing to the DLL responsible for handling antivirus or AMSI functions, giving defenders another way to confirm tampering.

Detection Opportunities

Monitoring for registry modification and creation events under the following keys can provide strong indicators of DefendNot’s presence:

HKLM\SOFTWARE\Microsoft\Security Center\Provider\AV
HKLM\SOFTWARE\Microsoft\AMSI\Providers\
WMI\AutoLogger\DefenderAuditLogger
WMI\AutoLogger\DefenderApiLogger
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks

We've published detection and threat hunting criteria to help security teams identify DefendNot activity.
Remediation involves:

Deleting persistence-related registry keys under the TaskCache path
Removing spoofed provider entries at:
HKLM\SOFTWARE\Microsoft\Security Center\Provider\Av
HKLM\SYSTEM\CurrentControlSet\Services\AMSI\Providers
Deleting the associated DLL listed in the InProcServer32 path under the spoofed antivirus GUID

Once these artifacts are removed, restart the machine and confirm Defender’s operational status by running:

Get-MpComputerStatus

This validation ensures that spoofed antivirus registrations have been cleared and that Microsoft Defender is once again actively protecting the system.

Instead of disabling Microsoft Defender through brute force techniques, DefendNot convinces Windows that another antivirus product is already installed and trusted. Attackers are increasingly building tools designed to blind security products, whether through aggressive EDR killers like KillerUltra or deceptive techniques like DefendNot.
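The following hunting script is an added example, not code from the article or from the DefendNot project: it walks the two provider keys named above, resolves each registered GUID to the DLL behind it, flags entries whose DLL is missing or not Microsoft-signed, and finishes with the Get-MpComputerStatus check used for post-remediation validation. The assumption that a provider GUID is a COM CLSID whose DLL is the default value of ...\Classes\CLSID\{GUID}\InProcServer32 is mine, as is the choice to check both the 64-bit and WOW6432Node hives.

```powershell
# Added hunting script (not from the article or the DefendNot project).
# Enumerates the provider keys the article names, resolves each GUID's server DLL,
# and flags entries that are missing a DLL or whose DLL is not signed by Microsoft.
$ProviderKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Security Center\Provider\Av',
    'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
)

function Get-ProviderDll {
    param([string]$Guid)
    # Assumption: the GUID is a COM CLSID and its DLL is the default value of
    # ...\CLSID\{GUID}\InProcServer32 (64-bit hive first, then WOW6432Node).
    foreach ($base in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID') {
        $k = Join-Path $base "$Guid\InProcServer32"
        if (Test-Path $k) {
            $dll = (Get-ItemProperty -Path $k).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

function Find-SuspiciousProviders {
    foreach ($root in $ProviderKeys) {
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem -Path $root) {
            $guid = $sub.PSChildName
            $dll  = Get-ProviderDll -Guid $guid
            $status = if (-not $dll) { 'NoInProcServer32' }
                      elseif (-not (Test-Path $dll)) { 'DllMissing' }
                      else {
                          $sig = Get-AuthenticodeSignature -FilePath $dll
                          if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*') {
                              'MicrosoftSigned'
                          } else { 'UnsignedOrThirdParty' }
                      }
            [pscustomobject]@{ Root = $root; Guid = $guid; Dll = $dll; Status = $status }
        }
    }
}

# Anything that is not a Microsoft-signed provider deserves a look.
Find-SuspiciousProviders | Where-Object Status -ne 'MicrosoftSigned' | Format-Table -AutoSize

# Post-remediation validation: after cleanup and reboot, Defender should report as active.
$mp = Get-MpComputerStatus
'AntivirusEnabled={0} RealTimeProtectionEnabled={1}' -f $mp.AntivirusEnabled, $mp.RealTimeProtectionEnabled
```

A legitimately installed third-party antivirus will also be reported as UnsignedOrThirdParty, so compare the flagged GUIDs against the host's known software inventory, and run Get-ItemProperty on a flagged subkey to review the metadata the article describes.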