UnDefend: Chaotic Eclipse’s third Defender zero-day blocks all signature updates from a standard user — no admin required

News

Most coverage is calling this a DoS. The code is more structured. Four independent locking mechanisms — ReadDirectoryChangesW watches the Definition Updates staging dir; FILE_SHARE_WRITE but no FILE_SHARE_READ means Windows Update can keep writing but MsMpEng.exe gets STATUS_SHARING_VIOLATION on every load attempt. The backup files are exclusively locked before the main attack even starts. A service-stop hook via NotifyServiceStatusChangeW covers the engine restart path. MRTWorkerThread covers the Malicious Software Removal Tool separately. The README mentions a fifth mechanism — lying to the EDR console via MSFT_MpComputerStatus — that the author explicitly withheld. Without it: noisy update errors. With it: silent indefinite detection window. BlueHammer patched Tuesday. RedSun unpatched. UnDefend has no CVE.

submitted by /u/TakesThisSeriously