Why Your Antivirus Might Be Taking a Coffee Break: Unmasking the No-Defender Hack
John Moutos reveals a tool that hijacks Avast’s proxy to disable Windows Defender. While this trick could soon be a favorite among threat groups, detecting it is as easy as monitoring event logs and blocking Avast’s certificate. Dive into the diary for more on defense…

Hot Take:
Who needs superheroes when you have malware that can convince Windows Defender to take a nap? This new utility is the ultimate “Sorry, not sorry” to Microsoft’s built-in antivirus!
Key Points:
- New utility disables Windows Defender by registering as the main provider through WSC proxy abuse.
- The tool exploits an Avast proxy app to access necessary WSC APIs.
- Detection possible by monitoring “SecurityCenter” Windows event log for event ID 15.
- Blocking Avast signing certificates through AppLocker can hinder the tool’s effectiveness.
- YARA rule provided for detecting Avast WSC Proxy components used by the tool.
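The event-log check from the key points above, as an added PowerShell example that is not code from the original diary or from the tool's author; it assumes the SecurityCenter events are written to the Application log under the provider name "SecurityCenter" and that the event message names the affected product (both assumptions, adjust to what your hosts actually log).

```powershell
# Added example, not from the original article. Pull SecurityCenter event ID 15
# (the signal the article names for a registered AV product changing state) from
# the last N hours and list those that mention Windows Defender.
# Assumption: provider name "SecurityCenter" in the Application log; assumption:
# the message text names the product whose state changed.
param(
    [int]$LookbackHours = 24
)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'SecurityCenter'
    Id           = 15
    StartTime    = (Get-Date).AddHours(-$LookbackHours)
}

# Get-WinEvent throws when nothing matches, so treat "no events" as a normal result.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No SecurityCenter event ID 15 in the last $LookbackHours hour(s)."
    return
}

# Keep only state changes that reference Defender, newest first, for triage.
$events |
    Where-Object { $_.Message -match 'Windows Defender' } |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize -Wrap
```

Run it on a schedule or wire the same filter into your SIEM's Windows event collection; a state change to "off" that no administrator initiated is the line worth alerting on.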
