Oh, cool somebody finally figured it out...

As you probably know, the Microsoft Security Center has an API that lets you query which AV is installed and whether it is up-to-date.

What is less well-known is that it also has another, not publicly known API, that lets you tell it "I'm installing another AV now, please disable Defender". This is what all other AV products use. Microsoft has provided them with documentation of this API, but under NDA.

Many years ago, I made a proof-of-concept - a small VBScript script that would use this API via WMI to "install" an imaginary AV, thus turning off Defender - but since it was based on information learned under NDA, I obviously couldn't make it public.

Now somebody has reverse-engineered the API from AVAST and has done pretty much the same (albeit a bit over-complicated) in C++:

https://github.com/es3n1n/no-defender

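Since the public side of the Security Center API is a WMI query, a defender can use the same query to audit what the Security Center currently believes is installed. The following PowerShell is an added example, not code from the thread or from the linked project; it assumes the well-known `root/SecurityCenter2` namespace and `AntiVirusProduct` class, and the community interpretation of `productState` (documented nowhere officially), and it flags any registered product that has no existing, validly signed executable behind it.

```powershell
# Added audit script: list every AV product registered with the Windows
# Security Center and flag entries with no real, validly signed binary.
# Assumption: root/SecurityCenter2 exists only on client Windows editions.
# Assumption: productState decoding (middle byte = enabled flag, low byte =
# definitions status) is the commonly used interpretation, not official docs.

function Get-RegisteredAvAudit {
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'

    foreach ($p in $products) {
        $state    = '{0:X6}' -f [int]$p.productState
        $enabled  = $state.Substring(2, 2) -in @('10', '11')
        $outdated = $state.Substring(4, 2) -eq '10'

        # A product registers two paths; Defender's own product path is a
        # 'windowsdefender://' URI, so only filesystem paths are checked.
        $candidates = @($p.pathToSignedProductExe, $p.pathToSignedReportingExe) |
            Where-Object { $_ -and ($_ -notmatch '^[a-zA-Z]+://') } |
            ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }

        $validSigner = $null
        foreach ($path in $candidates) {
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -eq 'Valid') {
                    $validSigner = $sig.SignerCertificate.Subject
                    break
                }
            }
        }

        [pscustomobject]@{
            DisplayName   = $p.displayName
            Enabled       = $enabled
            DefsOutOfDate = $outdated
            Paths         = ($candidates -join '; ')
            Signer        = $validSigner
            # No signed binary on disk behind a registration is the shape a
            # bogus "I'm installing an AV" registration would take.
            Suspicious    = (-not $validSigner)
        }
    }
}

Get-RegisteredAvAudit | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on a client Windows machine; a row with `Suspicious` set to `True`, or Defender shown as not enabled while no signed third-party product is listed, is worth investigating.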
@bontchev Another shattering triumph of security by obscurity!

@hamato @bontchev And it's not like obscurity is the only possible solution here. I'd think.

They could allow the API only in executables that are signed by a key on a list of approved anti-virus vendors, perhaps?

@ids1024 @hamato I already covered this in other replies. It's not practical.

Suppose you're a new AV developer. How do you get on that list? There must be a process to ensure that you're indeed an AV developer and not a malware author.

What happens if a code signing cert is stolen? There must be a process for removing entries from that list.

All this means that new developers will face delays to get their product approved, which can be interpreted as anti-competitive practices (and can, in fact, be abused, if Microsoft were so inclined). Microsoft has already been sued for such multiple times and they avoid it like fire.

@bontchev @ids1024 @hamato how can I get the NDA so that I can learn about the API? The same arguments as for the certificate based approach apply here.

@hikhvar @ids1024 @hamato AFAIK, there are no significant barriers there. You just tell them "hey, I'm an AV developer, trust me" and they send you the NDA to sign. In this case they are more worried that the information is not publicly leaked than that it is misused.

Maybe they check whether you're an actually existing company or something - I don't know; I've been only on the AV side of this.

@bontchev Wow, if it is abused, the average user will not be able to get away with it.
@bontchev and they've hosted it on GitHub, a Microsoft owned git service... 
@jessienab @bontchev and they included what I assume are Avast binaries
@tay @jessienab Yeah, the driver. That's why I said that the implementation is a bit over-complicated. It's not really necessary to do this; you can do it with WMI calls.

@bontchev You mean that nobody thought of understanding how AV software disable Defender up to this point?

That's hard to believe. If I wanted to write malware, that's one of the first things I'd be looking at. Any good spy movie involves security guards shifts.

@karl Well, it's the first implementation of this idea that I have seen. If there are others, I simply don't know them.

It's a bit counter-intuitive, because the idea is not "disable Defender" (although this is what happens); the idea is "tell the Security Center what AV I am installing".

@bontchev You’ve heard of security through obscurity, now get ready for:

security through NDA

@Euph0r14 @bontchev Don't worry, MS is changing everything to AI, which will make all these crutches unnecessary, provide perfect security and save the world, all at once!
@bontchev The only surprising thing is that no real-world malware did that already.
@erlenmayr @bontchev oh, I think there might already be malware using it - we just haven't caught them yet.
@bontchev Yes, well, security-by-obscurity has never actually worked in the long term, has it.
@TimWardCam Well, in the long run we're all dead. This particular thing managed to remain obscure for about 3 decades. (It's as old as Defender itself.)
I "disabled" Windows Defender on my VM by simply deleting it while ignoring NTFS permissions.
@bontchev so basically #Windows security is fucked...

@kkarhan Well, it is, but there isn't an easy solution to this particular problem. Consider:

- You shouldn't use 2 AV products on the same machine. Like, you try to copy a file, the on-access component of AV1 sees this and starts scanning it. But for that it accesses it, which is seen by AV2 and its on-access component starts scanning too. Which access is seen by AV1 and... well, you get the picture.

- The *honest* option would be to let the user uninstall Defender and install another AV. But, first, Microsoft doesn't want it uninstalled and, second, Microsoft wants it to take over if the other AV is uninstalled for some reason, so that the machine is never left unprotected.

- Besides, the Security Center is designed to tell the user which AV is installed and whether it is up-to-date. For that, the AV products need an API to communicate this information to it.

- It's theoretically possible to maintain a whitelist of "approved" AV products to install - but this would be slow and cumbersome to maintain, new products would have trouble getting to the market, and Microsoft hates being accused of anti-competitive practices.

See where I am going? It was a sequence of moderately reasonable decisions that led to this mess.

@bontchev Personally, I think that all #malware security should be part of the package of any #paid and especially #CCSS distro / OS.

@bontchev security by obscurity in the twentieth... first... century!!?!?!
@bontchev This is neat. I've been using Defender Control (dControl or dfControl depending where you look for the name) to do this. Always nice to have something more open than a random exe doing who knows what. (I have not had issues with Defender Control in the many years I've used it though, but that's just personal experience). Link for this, but of course I don't recommend to use it: https://www.sordum.org/9480/defender-control-v2-1/ (Yes, it still works even though they said development cancelled in 2022)
@bontchev But installing antiviruses and thus calling these APIs still requires a UAC prompt... right?

@orsinov Probably, although I honestly don't remember. It's been nearly 3 decades since I wrote the PoC I mentioned.

Of course, there are multiple ways of bypassing the UAC...