A new tool called 'Defendnot' tricks Windows into disabling Microsoft Defender by registering a fake antivirus product using an undocumented Windows Security Center API. Created by researcher es3n1n, it bypasses security features by injecting a dummy antivirus DLL into a trusted system process, effectively leaving devices without active protection. Microsoft Defender has flagged Defendnot as a threat, highlighting vulnerabilities in trusted system features.
Microsoft is introducing a new capability in Defender for Endpoint that automatically blocks communication with undiscovered devices to prevent lateral movement by attackers. This feature contains the IP addresses of devices that are not onboarded, so they cannot communicate with other devices on the network. Admins can manage the containment through the Action Center whenever necessary.