explaingit

the-snek-initiative/snek_equinox

27 · C++
Audience · researcher
Complexity · 4/5
Setup · hard

TLDR

A proof-of-concept C++ project exploring a theoretical technique for making Windows Defender report a healthy, protected status while its protection is actually disabled. Security research only; the authors state they have not tested whether it works.

Mindmap

mindmap
  root((snek_equinox))
    What it does
      Defender status spoof
      Signature file lock
      Registry manipulation
    Privilege Levels
      Without admin
      With admin
    Research Context
      Race condition
      Untested concept
      Peer feedback sought
    Tech Stack
      C++
      Windows only
    Audience
      Security researchers

Things people build with this

USE CASE 1

Study the code to understand a theoretical race condition in Windows Defender's signature update mechanism as a security research exercise.

USE CASE 2

Test whether the described technique for making Defender report a healthy status while disabled actually works in a controlled lab environment.

Tech stack

C++

Getting it running

Difficulty · hard · Time to first run · 1 day+

Requires a manual build on Windows; no pre-compiled binary is provided, and the authors describe the technique itself as untested.

No license information is mentioned in the explanation.

In plain English

SNEK Equinox is a proof-of-concept C++ project that claims to demonstrate a technique for making Windows Defender's security console display a healthy, protected status even when the underlying protection is disabled. The author describes it as inspired by a finding shared by another researcher, who chose not to publish their version because of its potential for misuse.

The approach described involves two layers. Without administrator privileges, the program attempts to lock Windows Defender's signature files so they cannot be loaded, causing local threat detection to stop working while the system may still appear protected based on a cached state. With administrator privileges, additional steps manipulate registry values that Defender uses to report its health status before locking the signature files.

The README explicitly states that neither the author nor their associates have tested whether this actually works, and they describe it as a theoretical demonstration of a race condition in the signature update mechanism. They are seeking feedback on whether it functions as described.

This is a security research project dealing with endpoint protection evasion techniques. The code is not pre-compiled and requires a manual build step on Windows. The repository does not document the full internals and leaves significant detail for readers to work out themselves.
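Whether or not the technique works, the practical question for a defender (and for anyone running Use Case 2 in a lab) is the same: how do you tell that the console's "protected" status has diverged from reality? The script below is an added example written for this page, not code from snek_equinox or its author. It cross-checks four independent signals rather than trusting the Security Center view: what the Security Center WMI class reports, what the Defender service itself reports through Get-MpComputerStatus, whether the signature files can still be opened (an exclusive lock of the kind the README describes makes Open() fail), and whether a harmless EICAR test file is actually caught. The signature-file directory, the productState bit masks and the EICAR timeout are assumptions of the example; none of them comes from the project.

```powershell
# Added example, not part of snek_equinox. Run from an elevated PowerShell
# inside a lab VM. Assumptions are marked inline.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Get-SecurityCenterView {
    # The view the "healthy / protected" console is built from. productState is a
    # packed value; the widely used (undocumented) decoding is bit 0x1000 =
    # product enabled, bit 0x10 = signatures out of date. Assumption, not spec.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            [pscustomobject]@{
                Product   = $_.displayName
                Enabled   = (($_.productState -band 0x1000) -ne 0)
                OutOfDate = (($_.productState -band 0x10) -ne 0)
                RawState  = ('0x{0:X6}' -f $_.productState)
            }
        }
}

function Get-DefenderView {
    # What the Defender service reports directly, bypassing the Security Center.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        ServiceEnabled       = $s.AMServiceEnabled
        RunningMode          = $s.AMRunningMode
        AntivirusEnabled     = $s.AntivirusEnabled
        RealTimeProtection   = $s.RealTimeProtectionEnabled
        SignatureVersion     = $s.AntivirusSignatureVersion
        SignatureAgeDays     = $s.AntivirusSignatureAge
        SignatureLastUpdated = $s.AntivirusSignatureLastUpdated
    }
}

function Test-SignatureFilesReadable {
    # Assumption: signature files live under the usual "Definition Updates" tree.
    # We ask for generous sharing (ReadWrite), so Open() only fails if another
    # process holds an exclusive lock, the symptom the README describes.
    $root = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Definition Updates'
    Get-ChildItem -Path $root -Recurse -Include '*.vdm', 'mpengine.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = $_; $readable = $true; $reason = ''
            try {
                $fs = [System.IO.File]::Open($f.FullName, 'Open', 'Read', 'ReadWrite')
                $fs.Dispose()
            } catch {
                $readable = $false; $reason = $_.Exception.GetType().Name
            }
            [pscustomobject]@{ File = $f.FullName; Readable = $readable; Error = $reason }
        }
}

function Test-EicarDetection {
    # Drops the standard, harmless EICAR test string and waits for real-time
    # protection to remove it. Only this end-to-end probe proves detection works.
    param([int]$TimeoutSeconds = 15)
    $path  = Join-Path $env:TEMP ('eicar-{0}.com' -f [guid]::NewGuid())
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    try {
        [System.IO.File]::WriteAllText($path, $eicar, [System.Text.Encoding]::ASCII)
    } catch {
        # HRESULT 0x800700E1 (ERROR_VIRUS_INFECTED): Defender blocked the write itself.
        if ($_.Exception.HResult -eq -2147024671) { return $true }
        throw
    }
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if (-not (Test-Path -LiteralPath $path)) { return $true }   # quarantined
        Start-Sleep -Milliseconds 500
    }
    Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    return $false
}

$center   = Get-SecurityCenterView
$defender = Get-DefenderView
$files    = Test-SignatureFilesReadable
$locked   = @($files | Where-Object { -not $_.Readable })
$detects  = Test-EicarDetection

$center   | Format-Table -AutoSize
$defender | Format-List
$locked   | Format-Table -AutoSize

# The case this project targets: the console says healthy while the service,
# the signature files or the EICAR probe say otherwise.
$consoleSaysHealthy = [bool]($center | Where-Object { $_.Enabled -and -not $_.OutOfDate })
$reallyProtected    = $defender.AntivirusEnabled -and $defender.RealTimeProtection -and
                      ($locked.Count -eq 0) -and $detects

if ($consoleSaysHealthy -and -not $reallyProtected) {
    Write-Warning 'Security Center reports healthy, but protection is NOT effective.'
} elseif ($reallyProtected) {
    Write-Host 'Protection verified end to end (signatures readable, EICAR detected).'
} else {
    Write-Host 'Protection is degraded and the console agrees.'
}
```

Run it before and after exercising the proof of concept; a "healthy" Security Center row next to a locked signature file or an undetected EICAR drop is the divergence the README claims. Note that the EICAR probe is the only one of the four signals that cannot be spoofed by cached or rewritten state, which is why a monitoring job should prefer it over reading status values.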

Copy-paste prompts

Prompt 1
Walk me through how snek_equinox attempts to lock Windows Defender's signature files to prevent local threat detection from loading, step by step.
Prompt 2
How do I build the snek_equinox C++ project on Windows? What compiler toolchain and build commands are required?
Prompt 3
What specific registry values does snek_equinox manipulate to alter Windows Defender's health reporting, and why does that step require administrator privileges?

Verify against the repo before relying on details.