Security through obscurity[1] is not working. This is not an allegation; it is a proven fact. Today's proof has a particularly large impact on Microsoft Windows installations worldwide.
The Windows Security Centre (WSC) API[2] has been made to accept any program as an anti-virus solution. The WSC works as follows: if the manufacturer of an AV security solution wants to install their snakeoil, they first have to be able to switch off the anti-tampering mechanisms so that the product is not identified as malware. Hence the extremely strict non-disclosure of this API until now.
Now anyone with local admin rights can deactivate Windows Defender, at least until the next reboot. A few more steps are necessary to achieve persistence: a service is required, a regular keepalive timestamp must be written into the registry, and a few other things have to be done. However, if, for example, defendnot is re-executed via the task scheduler on every restart, Windows Defender is effectively switched off.
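From the defender's side, the three things described above (a product registered with the WSC, Defender dropping into passive mode, and a scheduled task re-running something at every restart) are all visible from an elevated PowerShell session. The audit script below is an added example written for this post; it is not code from the post, from defendnot or from Microsoft. It assumes a Windows client with the Defender PowerShell module and the `root/SecurityCenter2` WMI namespace (that namespace does not exist on Windows Server), and the function names are my own.

```powershell
# Added defender-side audit script (not part of the post or of defendnot).
# Assumes a Windows client with the Defender cmdlets and the root/SecurityCenter2
# namespace; run from an elevated PowerShell session.

function Get-WscAntivirusProducts {
    # Everything that has registered itself with the Windows Security Center as an
    # AV product. A tool abusing the WSC API appears here like any real vendor, so
    # anything other than Windows Defender, an unsigned binary, or a product path
    # that no longer exists deserves a second look.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction Stop
    foreach ($p in $products) {
        $exe    = $p.pathToSignedProductExe
        $exists = [bool]($exe -and (Test-Path -LiteralPath $exe))
        $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $exe } else { $null }
        [pscustomobject]@{
            DisplayName  = $p.displayName
            ProductExe   = $exe
            ExeExists    = $exists
            Signature    = if ($sig) { $sig.Status } else { 'n/a' }
            Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
            # The keepalive the post mentions: a registration whose timestamp stops
            # being renewed is either an uninstalled product or a fake one.
            LastUpdate   = $p.timestamp
            ProductState = ('0x{0:X6}' -f [int]$p.productState)
        }
    }
}

function Get-DefenderState {
    # Defender's own view. When another registered product "owns" AV, Defender
    # reports a passive running mode and real-time protection is off.
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled          = $mp.AntivirusEnabled
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        AMRunningMode             = $mp.AMRunningMode   # 'Normal' vs a passive mode
        IsTamperProtected         = $mp.IsTamperProtected
    }
}

function Get-SuspiciousStartupTasks {
    # Scheduled tasks that fire at boot or logon and run a binary outside the
    # Windows and Program Files trees: the re-execution path the post describes.
    # Heuristic only; a relative command such as "cmd.exe" is also flagged.
    $trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") | Where-Object { $_ -ne '\' }
    $startupTriggers = 'MSFT_TaskBootTrigger', 'MSFT_TaskLogonTrigger'
    foreach ($task in Get-ScheduledTask) {
        $fires = $task.Triggers | Where-Object { $_.CimClass.CimClassName -in $startupTriggers }
        if (-not $fires) { continue }
        foreach ($a in ($task.Actions | Where-Object { $_.Execute })) {
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
            $inTrusted = $false
            foreach ($root in $trusted) {
                if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
            }
            if (-not $inTrusted) {
                [pscustomobject]@{
                    Task      = "$($task.TaskPath)$($task.TaskName)"
                    Execute   = $exe
                    Arguments = $a.Arguments
                }
            }
        }
    }
}

'== Products registered with the Windows Security Center =='
Get-WscAntivirusProducts | Format-List
'== Defender state =='
Get-DefenderState | Format-List
'== Boot/logon tasks running binaries outside Windows and Program Files =='
Get-SuspiciousStartupTasks | Format-Table -AutoSize
```

The interesting combination is a second `AntiVirusProduct` entry whose executable is unsigned or missing, `AMRunningMode` reporting a passive mode while `RealTimeProtectionEnabled` is `False`, and a boot or logon task pointing at a user-writable location. None of the three alone is conclusive (a genuine third-party AV produces the first two), which is why the script shows all three side by side rather than deciding for you.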
Defendnot is the successor to no-defender[3], presented last year, which still needed a DLL from a snakeoil manufacturer for this step. That solution was DMCA'd[4], which made me clone it on Codeberg[5].
And of course there is a clone on Codeberg for the current defendnot as well[6].
Microsoft now finds itself in a real dilemma: a short-term change to the WSC and to the installation process for snakeoil is almost impossible. Security through obscurity does not work; it never has.
With this in mind,
Tomas Jakobs