Prevent undetectable malware and 0-day exploits with AppGuard!

In August 2025, Fox News broke a chilling story: hackers had found a way to switch off Microsoft Defender on machines they had already compromised, by abusing a legitimately signed Intel CPU tuning driver.

This isn’t just another “cyber-threat of the month.” It demonstrates a profound shift in attacker tactics—and a major wake-up call for businesses relying on traditional security models of “detect and respond.”

Here’s what happened, what it means, and why now is the time for every business to adopt a stronger posture with AppGuard.


The Attack: How Akira ransomware turned off Defender

According to the Fox News article, the Akira ransomware gang used a legitimately signed driver, rwdrv.sys, which ships with the third-party Intel CPU tuning utility ThrottleStop, to gain kernel-level access. This is a "bring your own vulnerable driver" (BYOVD) technique: the attackers, already holding administrator rights on the host, install the driver themselves rather than exploiting a bug in Windows.

Once the first driver was loaded, they used that kernel foothold to load a second, malicious driver (hlpdrv.sys), which modified the Windows registry to disable Defender by setting the DisableAntiSpyware value under the Windows Defender policy key (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender).

Because the first driver carries a valid code signature, Windows loaded it as it would any other driver. In effect, the attackers used that trust to strip away the very security defenses meant to protect the system before unleashing their malicious payloads.

In short: they subverted the system from within. Traditional AV/EDR tools, designed to detect malicious behaviors or respond after compromise, are powerless once the defenders themselves are neutralized. Note what the attack does not do: it does not bypass driver signature enforcement or escalate from a standard user account; it needs local administrator rights to install the driver in the first place. That is why controls that sit below, or apart from, the AV agent matter: Microsoft's vulnerable-driver blocklist (enforced through WDAC or HVCI) can stop a known-bad driver from loading at all, and Defender's Tamper Protection is designed to make exactly this kind of registry change ineffective. On hosts where those controls are off, the attacker's registry edit is all it takes.
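The following PowerShell script is an added example, not code from the article, Fox News, CHIPS or AppGuard. It audits a single Windows host for the indicators described above: the two driver file names named in the article, the service-installation event that records any driver being registered, the DisableAntiSpyware policy value, and what Defender reports about its own state. The registry path and the Get-MpComputerStatus fields are the standard Defender locations; the driver names are taken from the article. Run it in an elevated PowerShell session.

```powershell
# Added example, not code from the article, Fox News, CHIPS or AppGuard.
# Audits one Windows host for the indicators described in the article.
# Run as Administrator. Driver file names come from the article; the registry
# path and Get-MpComputerStatus fields are the standard Defender locations.

$suspectDrivers = @('rwdrv.sys', 'hlpdrv.sys')
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Kernel driver services whose image file matches one of the names.
foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    if (-not $drv.PathName) { continue }
    $leaf = [System.IO.Path]::GetFileName($drv.PathName)
    if ($suspectDrivers -contains $leaf) {
        $findings.Add("Driver service '$($drv.Name)' ($($drv.State), start=$($drv.StartMode)) -> $($drv.PathName)")
    }
}

# 2. Service Control Manager event 7045 ("a service was installed") records every
#    driver installation; a hit here survives even if the driver was later removed.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue
foreach ($e in $events) {
    foreach ($name in $suspectDrivers) {
        if ($e.Message -match [regex]::Escape($name)) {
            $findings.Add("Event 7045 at $($e.TimeCreated): $name installed as a service")
        }
    }
}

# 3. The registry value the attack flips. A value of 1 tells Defender to stand
#    down "by policy"; on a host without Tamper Protection that is enough.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$policy = Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableAntiSpyware -eq 1) {
    $findings.Add("$policyKey\DisableAntiSpyware = 1")
}

# 4. What Defender itself reports. Tamper Protection is the built-in control meant
#    to make the registry change above ineffective; it cannot be switched on from
#    this cmdlet (Windows Security app or Intune), so the script only reports it.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    if (-not $mp.AntivirusEnabled)          { $findings.Add('Defender antivirus engine is disabled') }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is off') }
    if (-not $mp.IsTamperProtected)         { $findings.Add('Tamper Protection is OFF') }
} else {
    $findings.Add('Get-MpComputerStatus failed: Defender service unreachable or removed')
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators found on this host.'
} else {
    Write-Output "$($findings.Count) finding(s):"
    foreach ($f in $findings) { Write-Output " - $f" }
}
```

A script like this is a point-in-time check, not a control: it tells you whether a host has already been hit or is exposed (Tamper Protection off, the policy value set), which is useful to push fleet-wide through your RMM or GPO startup scripts. Preventing the driver from loading in the first place is a job for a driver blocklist or an isolation product, not for a script that runs after the fact.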


Why “Detect & Respond” is no longer enough

For many organizations, the prevailing security strategy is:

  1. Deploy antivirus, endpoint detection & response (EDR), threat intelligence, logging.

  2. Monitor, detect anomalies, alert, investigate.

  3. Respond to incidents (quarantine, remove, remediate).

This approach assumes defenses remain functional, that attacks leave detectable traces, and that the window between detection and response is manageable.

But the Akira exploit shows a serious flaw:

  • Attackers can bring their own trusted components (validly signed but vulnerable drivers) that signature-based checks wave through.

  • They can disable the very tools meant to detect and respond.

  • The window for response shrinks—or vanishes altogether.

When your security tools can be turned off, detection and response are moot.


A new paradigm: Isolation & Containment

To stay ahead of threats like this, businesses must adopt a different strategy: isolation and containment.

Rather than waiting for an attack to be detected, the idea is to prevent attacker code from interacting with critical resources in the first place. If even a high-privilege exploit executes, it’s confined—sandboxed, isolated, or blocked from causing damage.

Effective isolation solutions don’t rely entirely on detection. They proactively constrain what each process and component can do. Even if an attacker gains kernel access, their ability to turn off defenses, tamper with the system, or spread laterally is severely limited.


Why AppGuard is the right solution

For over 10 years, AppGuard has been used in hardened environments (government and other high-security settings) to enforce least privilege and application isolation at runtime, protecting endpoints from misuse even when attackers bypass traditional controls.

Key strengths of AppGuard:

  • Zero-trust execution: It blocks unknown or unauthorized actions, regardless of whether they look “malicious.”

  • Memory and kernel protection: It prevents code or driver modifications in sensitive memory areas, stopping exploits like the Intel driver trick in their tracks.

  • Containment-first mindset: Even if an attacker bypasses detection, AppGuard limits the damage they can do.

  • Track record: A decade of real-world usage, now adapted for commercial organizations (not just high-security agencies).

  • Minimal alerts/false positives: Because it enforces policies at a granular level, there is less noise compared to detect-and-alert systems.

In light of the Akira attack, this is exactly the weakness that solutions like AppGuard target: the defender must not be something an attacker can switch off.


What business leaders must do now

  1. Reassess your endpoint strategy: If you rely only on AV, EDR, or logging, realize that those tools can be subverted.

  2. Adopt containment-first tools: Move from “detect & respond” to “isolation & containment.”

  3. Pilot AppGuard in a critical segment: Test on high-risk systems or departments, measure the reduction in exposure.

  4. Train security teams: Teach them how to manage and tune containment policies without impeding usability.

  5. Measure success differently: Instead of counting alerts or incidents caught, measure how many exploits could not reach critical assets—even when detection fails.


Conclusion

The Fox News story about hackers turning off Microsoft Defender by abusing a legitimately signed Intel CPU tuning driver is not just alarming; it is a turning point.

Businesses cannot rely solely on detection and response when attackers can disable defenses themselves. The evolving threat landscape demands a shift toward security built on isolation and containment.

AppGuard has been doing exactly that for more than a decade. Now it’s time for commercial organizations to adopt it. If your business needs to safeguard endpoints against even the most sophisticated attack, you cannot wait.

Call to Action:

Business owners: talk with us at CHIPS. Let us show you how AppGuard can prevent incidents like this—with containment that stops attacks from ever reaching your crown jewels. Don’t wait for your defender to be turned off—move now from Detect & Respond to full Isolation & Containment.
