Oh, cool, somebody finally figured it out...

As you probably know, the Microsoft Security Center has an API that lets you query which AV is installed and whether it is up-to-date.

What is less well known is that it also has another, not publicly known API that lets you tell it "I'm installing another AV now, please disable Defender". This is what all other AV products use. Microsoft has provided them with documentation of this API, but under NDA.

Many years ago, I made a proof of concept: a small VBScript script that would use this API via WMI to "install" an imaginary AV, thus turning off Defender. But since it was based on information learned under NDA, I obviously couldn't make it public.

Now somebody has reverse-engineered the API from AVAST and has done pretty much the same (albeit a bit over-complicated) in C++:

https://github.com/es3n1n/no-defender

GitHub - es3n1n/no-defender: A slightly more fun way to disable windows defender + firewall. (through the WSC api)


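The publicly known half of the Security Center API mentioned in the first post is the WMI namespace root/SecurityCenter2. As an added example (not code from the thread, and not the NDA registration API it discusses), here is a PowerShell snippet that lists the registered AV products and decodes the productState value. The class and property names are the real ones; the byte-level decoding of productState is the community convention (middle byte 0x10 = enabled, low byte 0x10 = signatures out of date), which Microsoft does not document, so treat it as an assumption.

```powershell
# Query the public Security Center 2 WMI namespace for registered AV products.
# Added example; requires Windows (the namespace does not exist on Server SKUs).
function Get-RegisteredAV {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            # productState is a 24-bit value; the decoding below is the commonly used
            # community interpretation (assumption), not a documented contract.
            $hex     = ('{0:X6}' -f [int]$_.productState)
            $scanner = $hex.Substring(2, 2)   # "10" = real-time protection on
            $sigs    = $hex.Substring(4, 2)   # "00" = up to date, "10" = out of date

            [pscustomobject]@{
                Name        = $_.displayName
                Exe         = $_.pathToSignedProductExe
                State       = "0x$hex"
                RealTimeOn  = ($scanner -eq '10')
                SigsCurrent = ($sigs -eq '00')
                Reported    = $_.timestamp
            }
        }
}

Get-RegisteredAV | Format-Table -AutoSize
```

Running this after a tool such as the one linked above has registered a fake product is a quick way to see the effect the thread describes: the fake entry appears with its own displayName and pathToSignedProductExe, and Defender shows up with its real-time byte no longer set to "10". Note that this only reads what WSC reports; it cannot tell you whether the registered executable is a genuine AV.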
@bontchev Another shattering triumph of security by obscurity!

@hamato @bontchev And it's not like obscurity is the only possible solution here. I'd think.

They could allow the API only in executables that are signed by a key on a list of approved anti-virus vendors, perhaps?

@ids1024 @hamato I already covered this in other replies. It's not practical.

Suppose you're a new AV developer. How do you get on that list? There must be a process to ensure that you're indeed an AV developer and not a malware author.

What happens if a code signing cert is stolen? There must be a process for removing entries from that list.

All this means that new developers will face delays in getting their product approved, which can be interpreted as an anti-competitive practice (and can, in fact, be abused, if Microsoft were so inclined). Microsoft has already been sued for such things multiple times, and they avoid it like fire.

@bontchev @ids1024 @hamato How can I get the NDA so that I can learn about the API? The same arguments as for the certificate-based approach apply here.

@hikhvar @ids1024 @hamato AFAIK, there are no significant barriers there. You just tell them "hey, I'm an AV developer, trust me" and they send you the NDA to sign. In this case they are more worried that the information is not publicly leaked than that it is misused.

Maybe they check whether you're an actually existing company or something; I don't know, I've only been on the AV side of this.