“According to the research published by Hackmosphere, the technique works by avoiding the conventional execution path where applications call Windows API functions through libraries like kernel32.dll, which then forwards requests to ntdll.dll before making the actual system call to the kernel.”
Additional Information:
https://www.hackmosphere.fr/bypass-windows-defender-antivirus-2025-part-1/
https://www.hackmosphere.fr/bypass-windows-defender-antivirus-2025-part-2/
Wasn’t there something a few months ago about Microsoft handing out secret API calls to developers of other antivirus products so they can quietly disable Defender during the installation of their product? Some guy had this reverse engineered from an installer…
It’s not a secret. It’s a regkey. You need privs to do it though.