UnDefend analysis for disabling Windows Defender

Previously, researcher Nightmare-Eclipse published a tool called UnDefend that blocks Windows Defender signature updates, rendering it inoperable. Unlike earlier exploits such as BlueHammer and RedSun, this method does not require privilege escalation and can be executed from the context of a standard user.
UnDefend uses standard file-locking mechanisms that have existed since the Windows NT era to prevent antivirus database updates. After successful execution, Defender stops receiving updates, while the EDR console may still incorrectly report that protection is active and up to date.
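Because the reported status may not reflect stalled updates, a host-side check can compare what Defender reports with what its operational event log recorded. The following PowerShell is an added example, not part of the original article or of the UnDefend tool; the 48-hour threshold is an assumed value, and using event IDs 2000 (update succeeded) and 2001 (update failed) as the independent signal is an assumption about how a blocked update surfaces.

```powershell
# Added example: flag a host where Defender reports itself enabled but no
# successful signature update has been logged within the expected window.
param(
    [int]$MaxAgeHours = 48   # assumed threshold; tune to your update cadence
)

$log    = 'Microsoft-Windows-Windows Defender/Operational'
$since  = (Get-Date).AddHours(-$MaxAgeHours)
$status = Get-MpComputerStatus

# Most recent logged successful signature update (event ID 2000).
$lastOk = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 2000 } `
              -MaxEvents 1 -ErrorAction SilentlyContinue

# Logged signature update failures (event ID 2001) inside the window.
$failures = @(Get-WinEvent -FilterHashtable @{
                  LogName = $log; Id = 2001; StartTime = $since
              } -ErrorAction SilentlyContinue)

$lastOkTime = if ($lastOk) { $lastOk.TimeCreated } else { $null }

# Stale if no success is on record at all (this also happens when the log has
# rolled over, so review such hosts manually) or the last success is too old.
$stale = (-not $lastOkTime) -or ($lastOkTime -lt $since)

$result = [pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    ReportedAvEnabled    = $status.AntivirusEnabled
    ReportedRealTime     = $status.RealTimeProtectionEnabled
    ReportedSigVersion   = $status.AntivirusSignatureVersion
    ReportedLastUpdated  = $status.AntivirusSignatureLastUpdated
    LastLoggedSuccess    = $lastOkTime
    RecentUpdateFailures = $failures.Count
    # Suspect: protection is reported as on, yet updates are not landing.
    Suspect              = [bool]($status.AntivirusEnabled -and $stale)
}

$result

if ($result.Suspect) {
    Write-Warning 'Defender reports enabled, but no recent successful signature update is logged.'
    exit 1
}
```

The non-zero exit code lets a scheduled task or management agent collect suspect hosts without parsing the output.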

Products: BlueHammer, RedSun, UnDefend, Windows Defender, Windows NT

Published: 2026-04-24, 10:04