{"id":28605646,"url":"https://github.com/es3n1n/defendnot","last_synced_at":"2026-03-05T11:03:37.679Z","repository":{"id":292292091,"uuid":"979241345","full_name":"es3n1n/defendnot","owner":"es3n1n","description":"An even funnier way to disable windows defender. (through WSC api)","archived":false,"fork":false,"pushed_at":"2025-11-23T18:08:34.000Z","size":82,"stargazers_count":3003,"open_issues_count":3,"forks_count":269,"subscribers_count":29,"default_branch":"master","last_synced_at":"2025-11-23T20:14:30.793Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://dnot.sh/","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/es3n1n.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-05-07T08:00:20.000Z","updated_at":"2025-11-23T18:06:53.000Z","dependencies_parsed_at":"2025-05-31T12:42:58.140Z","dependency_job_id":"2c55e329-e549-4e3c-9a0d-240ed963e0db","html_url":"https://github.com/es3n1n/defendnot","commit_stats":null,"previous_names":["es3n1n/defendnot"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/es3n1n/defendnot","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/es3n1n%2Fdefendnot","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/es3n1n%2Fdefendnot/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/es3n1n%2Fdefendnot/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/es3n1n%2Fdefendnot/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/es3n1n","download_url":"https://codeload.github.com/es3n1n/defendnot/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/es3n1n%2Fdefendnot/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30121088,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-05T10:44:24.758Z","status":"ssl_error","status_checked_at":"2026-03-05T10:44:15.079Z","response_time":93,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-11T19:01:25.484Z","updated_at":"2026-03-05T11:03:37.624Z","avatar_url":"https://github.com/es3n1n.png","language":"C++","funding_links":[],"categories":["C++","杀毒免杀_逆向工程","others"],"sub_categories":["资源传输下载"],"readme":"# defendnot\n\nAn even funnier way to disable windows defender.\n\nDefendnot is a successor of [no-defender](https://github.com/es3n1n/no-defender).\n\n![](https://i.imgur.com/F9gWA92.png)\n\n\u003e [!CAUTION]\n\u003e **Permitted Use Notice**: \n\u003e \n\u003e Using this tool to facilitate malware distribution, cybercrime, unauthorized access, evading detection, or any illegal activity is strictly prohibited.\n\u003e \n\u003e Users assume all legal responsibility for how they use this tool and any consequences thereof. You must comply with all applicable local, state, federal, and international laws when using this tool.\n\u003e \n\u003e By downloading, installing, or using this tool, you acknowledge that you have read, understood, and agree to these terms.\n\n## Installation\n\n\u003e [!TIP]\n\u003e You may need to temporarily disable realtime and tamper protection before proceeding, otherwise defender will block `defendnot` binaries due to the `VirTool:Win64/Defnot.A` detection. \n\n### One-liner\n\nOpen the powershell as administrator and execute any of these:\n\n```powershell\n# Example 1: Basic installation\nirm https://dnot.sh/ | iex\n\n# Example 2: With custom AV name\n\u0026 ([ScriptBlock]::Create((irm https://dnot.sh/))) --name \"Custom AV name\"\n\n# Example 3: Without allocating console\n\u0026 ([ScriptBlock]::Create((irm https://dnot.sh/))) --silent\n```\n\n\u003e [!NOTE]\n\u003e As seen in examples 2 and 3, you can pass the commandline arguments to the installer script and it will forward them to `defendnot-loader`. For reference what commandline arguments are allowed, see the `Usage` section below.\n\n\u003e [!NOTE]\n\u003e You can also directly use the 'longer' version of installer script url, which is `https://raw.githubusercontent.com/es3n1n/defendnot/refs/heads/master/install.ps1`\n\n### Manual\n\nDownload the [latest](https://github.com/es3n1n/defendnot/releases/latest) release, extract it somewhere and launch `defendnot-loader`.\n\n## Usage\n\n```commandline\nUsage: defendnot-loader [--help] [--version] [--name VAR] [--disable] [--verbose] [--silent] [--autorun-as-user] [--disable-autorun]\n\nOptional arguments:\n  -h, --help         prints help message and exits\n  --version          shows version and exits\n  -n, --name         av display name [default: \"dnot.sh\"]\n  -d, --disable      disable defendnot\n  -v, --verbose      verbose logging\n  --silent           do not allocate console\n  --autorun-as-user  create autorun task as currently logged in user\n  --disable-autorun  disable autorun task creation\n```\n\n## How it works\n\nThere's a WSC (Windows Security Center) service in Windows which is used by antiviruses to let Windows know that there's some other antivirus in the hood and it should disable Windows Defender.  \nThis WSC API is undocumented and furthermore requires people to sign an NDA with Microsoft to get its documentation.\n\nThe initial implementation of [no-defender](https://github.com/es3n1n/no-defender) used thirdparty code provided by other AVs to register itself in the WSC, while `defendnot` interacts with WSC directly.\n\n## Limitations\n\n- **Needs to stay on disk:**  \n  To keep the AV registration persistent after reboot, `defendnot` adds itself to autorun. That means the binaries have to remain on your system for the Defender \"disable\" to stick. (Yeah, I wish it were more elegant too.)\n  \n- **No support for Windows Server:**  \n  The Windows Security Center (WSC) service doesn’t exist on Windows Server editions, so `defendnot` *won’t* work there. See [#17](https://github.com/es3n1n/defendnot/issues/17).\n\n- **Defender Detection:**  \n  Not surprisingly, Windows Defender really doesn’t like `defendnot` and will flag or remove it as `VirTool:Win64/Defnot.A`. You’ll need to (temporarily) disable Defender’s real-time and tamper protection to install.\n\n## Legitimate Use Cases\n\n- Reducing resource consumption in development environments\n- Testing system performance under different security configurations\n- Educational research on Windows security mechanisms\n- Home lab experimentation and learning\n\n\u003e [!IMPORTANT]\n\u003e If your intended usage falls outside these legitimate use cases, support in issues/DMs might be denied without any further explanations.\n\n## Writeup\n\n[How I ruined my vacation by reverse engineering WSC](https://blog.es3n1n.eu/posts/how-i-ruined-my-vacation/)\n\n## Special thanks\n\n* [mrbruh](https://mrbruh.com) for poking me to research this topic\n* [pindos](https://github.com/pind0s) for providing their machine for WSC service debugging\n\n## License\n\nApache-2.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fes3n1n%2Fdefendnot","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fes3n1n%2Fdefendnot","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fes3n1n%2Fdefendnot/lists"}