A spoof antivirus makes Windows Defender disable security scans

Published 2025-05-19, https://cicserver.com/de/a-spoof-antivirus-makes-windows-defender-disable-security-scans/

This wasn't an easy feat, as Windows has checks to ensure the antivirus is real, involving registry names and signed binaries. The researcher used tools like dnSpy, Process Monitor, and manual inspection to see how legitimate antivirus tools behaved when registering with WSC (Windows Security Center).

"From my last year's courtesy, I knew that WSC was somehow validating the process that calls these APIs, my guess was that they are validating the signatures, which was indeed a correct guess," es3n1n added.

es3n1n's earlier project, no-defender, was removed from GitHub (https://github.com/es3n1n/no-defender) following a DMCA takedown request (https://www.csoonline.com/article/510403/application-security-hidden-holes-dmca-and-software-vulnerabilities.html) by the software vendor.