wdormann (@wdormann@infosec.exchange)

HT @bontchev

Somebody figured out the secret technique that 3rd-party AV uses to disable Microsoft Defender so that they themselves can run without interference.

This tool uses this technique to install a null AV product, thus having the effect of simply disabling Microsoft Defender.
https://github.com/es3n1n/no-defender


AthanSpod (@AthanSpod@techhub.social)

@wdormann @bontchev Please tell me use of this WSC API at least requires Admin/SYSTEM.

I'm mostly hoping that not habitually logging in as other than a Limited user offers some protection. Obviously if I UAC+adminpassword a trojan installer I'm still toast.

bontchev (@bontchev@infosec.exchange)

@AthanSpod @wdormann It requires the ability to install programs - probably Admin equivalent. It doesn't require SYSTEM. A user account with Admin privileges can do it.

fencepost (@fencepost@infosec.exchange)

@wdormann @bontchev there may not be a good option. Pretty sure there'd be pushback on a MS-curated list of accepted antivirus packages. See also, IE, Edge, monopolistic activity investigations.

bontchev (@bontchev@infosec.exchange)

@fencepost @wdormann Exactly, this was one of the considerations at the time.

Also, don't forget that such a list would have to be kept up-to-date on every Windows machine and that this scheme was invented 3 decades ago when Windows Update didn't exist.

tony (@tony@hoyle.me.uk)

@wdormann @bontchev I'm surprised that didn't come out a lot sooner. AV with a kill switch isn't AV at all.

bontchev (@bontchev@infosec.exchange)

@tony @wdormann It's not exactly an "AV kill switch". It's a way for a newly installed AV product to inform the OS that a new AV product is being installed and which one. It is the OS that (rightfully) decides to disable Defender in such cases.

Yes, there are probably better ways of doing this. But don't forget that this scheme was concocted 3 decades ago, when code signing was a rarely used novelty and Windows Update didn't exist.
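The thread describes the mechanism (a product registers itself with Windows Security Center, and the OS then steps Defender aside) but not how an administrator would notice a registration whose only purpose is to switch Defender off. The script below is an added example, not code from the thread or from the linked repository: it lists the AV products registered in the `root/SecurityCenter2` WMI namespace, decodes the commonly used `productState` bitfield (the decoding is an assumption based on widely published observations, not an official Microsoft specification), checks whether each product's declared executable exists and carries a valid Authenticode signature, and compares the result with Defender's own view of itself. A registered product with no real, signed binary while Defender reports itself disabled is the condition worth investigating.

```powershell
# Added example (not from the thread): audit Windows Security Center AV registrations
# and flag entries that look like an empty "null" product registered only to displace Defender.
# Assumes Windows 10/11 with the Defender PowerShell module (Get-MpComputerStatus) available.

function Decode-ProductState {
    param([int]$State)
    # Assumption: productState is a 24-bit value 0xAABBCC where BB is the enablement byte
    # (0x10/0x11 = on, 0x00/0x01 = off) and CC is the signature-freshness byte (0x00 = up to date).
    $hex = [Convert]::ToString($State, 16).PadLeft(6, '0')
    [pscustomobject]@{
        Enabled  = ($hex.Substring(2, 2) -in @('10', '11'))
        UpToDate = ($hex.Substring(4, 2) -eq '00')
    }
}

function Get-RegisteredAvAudit {
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'
    foreach ($p in $products) {
        $state = Decode-ProductState -State $p.productState
        $exe   = $p.pathToSignedProductExe
        $exeExists = -not [string]::IsNullOrWhiteSpace($exe) -and (Test-Path -LiteralPath $exe)
        $sigStatus = 'NoFile'
        $signer    = ''
        if ($exeExists) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $sigStatus = $sig.Status.ToString()          # 'Valid', 'NotSigned', 'HashMismatch', ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            DisplayName = $p.displayName
            Enabled     = $state.Enabled
            UpToDate    = $state.UpToDate
            Executable  = $exe
            ExeExists   = $exeExists
            Signature   = $sigStatus
            Signer      = $signer
            # Suspicious: WSC believes this product protects the machine, but there is
            # no signed binary behind the registration.
            Suspicious  = ($state.Enabled -and ($sigStatus -ne 'Valid'))
        }
    }
}

$audit = Get-RegisteredAvAudit
$audit | Format-Table DisplayName, Enabled, UpToDate, ExeExists, Signature, Suspicious -AutoSize

# Defender's own view: if it is disabled, make sure the product that displaced it is real.
$defender = Get-MpComputerStatus
"Defender AM service enabled: $($defender.AMServiceEnabled); " +
"antivirus enabled: $($defender.AntivirusEnabled); " +
"real-time protection: $($defender.RealTimeProtectionEnabled)"

$flagged = $audit | Where-Object Suspicious
if (-not $defender.AntivirusEnabled -and $flagged) {
    Write-Warning "Defender is off and the following WSC registration(s) have no valid signed executable:"
    $flagged | ForEach-Object { Write-Warning "  $($_.DisplayName) -> '$($_.Executable)' ($($_.Signature))" }
}
```

Run it from an elevated PowerShell session, since `Get-MpComputerStatus` needs the Defender service to be reachable. A third-party product that is legitimately installed will normally show `ExeExists` true and `Signature` Valid with a recognizable vendor subject, and Defender being passive in that case is the intended behaviour the thread describes; the combination to escalate on is Defender disabled together with a registration whose executable is missing or unsigned.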
