This was not an easy feat: Windows checks that a registering antivirus is genuine, looking at registry names and signed binaries. The researcher used tools such as dnSpy and Process Monitor, along with manual inspection, to observe how legitimate antivirus products behave when registering with WSC.
“From my last year’s courtesy, I knew that WSC was somehow validating the process that calls these APIs; my guess was that they are validating the signatures, which was indeed a correct guess,” es3n1n added.
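Because WSC trusts a registration largely on the strength of a signed binary, a defender's counter-check is to enumerate what WSC currently believes is installed and verify those binaries independently. The script below is an added example, not code from the article or from the defendnot project; it assumes Windows PowerShell 5.1 or later and the `root/SecurityCenter2` CIM namespace, and the `TrustedPublishers` list is a placeholder to adjust for your environment.

```powershell
# Added example, not code from the article or from the defendnot project:
# audit the antivirus registrations that Windows Security Center (WSC) holds
# and check that each registered executable carries a valid Authenticode
# signature from an expected publisher. Assumes PowerShell 5.1+ on Windows.
function Get-WscAntivirusAudit {
    [CmdletBinding()]
    param(
        # Publisher name fragments expected in the signer subject (placeholder
        # value; adjust to the AV products actually deployed in your estate).
        # Anything else, or an unsigned/missing binary, is flagged for review.
        [string[]]$TrustedPublishers = @('Microsoft')
    )

    # WSC exposes AV registrations through this CIM namespace and class.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'

    foreach ($p in $products) {
        $exe       = $p.pathToSignedProductExe
        $sigStatus = 'FileMissing'
        $signer    = $null
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $sig       = Get-AuthenticodeSignature -LiteralPath $exe
            $sigStatus = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        # productState is not formally documented; the widely used reading is
        # bit 12 (0x1000) = protection enabled, bit 8 (0x100) = signatures stale.
        $state   = [int]$p.productState
        $enabled = ($state -band 0x1000) -ne 0

        # Trusted only if the signature chain validates AND the signer is expected.
        $trusted = $false
        if ($sigStatus -eq 'Valid' -and $signer) {
            foreach ($pub in $TrustedPublishers) {
                if ($signer -like "*$pub*") { $trusted = $true }
            }
        }

        [pscustomobject]@{
            DisplayName     = $p.displayName
            InstanceGuid    = $p.instanceGuid
            Executable      = $exe
            SignatureStatus = $sigStatus
            Signer          = $signer
            Enabled         = $enabled
            NeedsReview     = -not $trusted
        }
    }
}

Get-WscAntivirusAudit | Format-Table -AutoSize
```

Any entry with `NeedsReview` set, or a display name that does not match a product you actually deployed, is worth correlating with the WSC-related registry keys and the process that performed the registration.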
es3n1n’s earlier project, no-defender, was removed from GitHub following a DMCA takedown request by the software vendor.