
UnDefend: Chaotic Eclipse's Third Defender Zero-Day Exploit Blocks Microsoft Defender Updates
UnDefend is Chaotic Eclipse's third Defender zero-day. It blocks all signature updates from a standard user account, with no admin rights required. The exploit relies on four independent locking mechanisms to stop Microsoft Defender updates: monitoring the Definition Updates directory with ReadDirectoryChangesW, opening files with FILE_SHARE_WRITE but without FILE_SHARE_READ so that Defender's own opens fail with STATUS_SHARING_VIOLATION, exclusively locking the backup files, and intercepting service restarts via NotifyServiceStatusChangeW. It also separately targets the Malicious Software Removal Tool (MRT) through MRTWorkerThread. The author notes a fifth, undisclosed mechanism that manipulates MSFT_MpComputerStatus to hide the update failures from EDR consoles. While BlueHammer was patched, RedSun remains unpatched, and UnDefend has no assigned CVE.
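A defender-side check prompted by the write-up, added here as an example and not code from the post or its author: it compares Defender's self-reported signature age against two independent sources, the on-disk Definition Updates directory and the Defender operational event log, so that a falsified MSFT_MpComputerStatus alone cannot mask a stalled update. The default ProgramData path and the update event IDs 2000/2001 are assumptions not taken from the page.

```powershell
# Added example (not from the original post). Assumes the default ProgramData location
# for the Definition Updates directory and the standard Defender operational event log.
param([int]$MaxAgeHours = 48)

$findings = @()

# 1. What Defender reports about itself. The write-up says this class can be
#    manipulated to hide failures, so it is never trusted on its own.
$status      = Get-MpComputerStatus
$reportedAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($reportedAge.TotalHours -gt $MaxAgeHours) {
    $findings += "Reported AV signature age is $([int]$reportedAge.TotalHours)h"
}

# 2. Independent source: newest file under the Definition Updates directory (assumed path).
$defDir    = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Definition Updates'
$lastWrite = (Get-ChildItem -Path $defDir -Recurse -File -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
if ($lastWrite) {
    $dirAge = (Get-Date) - $lastWrite
    if ($dirAge.TotalHours -gt $MaxAgeHours) {
        $findings += "No file under '$defDir' written for $([int]$dirAge.TotalHours)h"
    }
    # Disagreement between the self-report and the disk is itself a signal of tampering.
    if ([math]::Abs(($dirAge - $reportedAge).TotalHours) -gt 24) {
        $findings += "Reported signature time and on-disk update time disagree by more than 24h"
    }
}

# 3. Independent source: Defender operational log (2000 = update succeeded, 2001 = update failed).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2000, 2001
    StartTime = (Get-Date).AddHours(-$MaxAgeHours)
} -ErrorAction SilentlyContinue
$failures  = @($events | Where-Object Id -eq 2001).Count
$successes = @($events | Where-Object Id -eq 2000).Count
if ($failures -gt 0 -and $successes -eq 0) {
    $findings += "$failures update-failure events (2001) and no successes (2000) in the last ${MaxAgeHours}h"
}

if ($findings.Count -eq 0) { "OK: signature updates look healthy from all three sources" }
else { $findings | ForEach-Object { "ALERT: $_" } }
```

Run it from a scheduled task or an EDR live-response session; an alert from sources 2 or 3 while source 1 reports a fresh signature is the pattern the undisclosed status-manipulation mechanism would produce.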