If they want to do research they probably prefer no AV. That said there are some no-op AV's that are specifically for tricking defender to shut off and not actually do anything

I was just wondering if a no-op AV might work! But I thought perhaps not, as I thought Microsoft insisted on AVs running as PP/PPL (Protected Process / Protected Process Light), which isn't realistic for OSS.

Are you able to point to one please? Would love to try it and see if it works!

Isn't this what this post is about?

Ach, I think you're right, that looks to be what they're doing.

Yes. Current versions of Defender won’t disable scanning even if another anti virus is installed. At most, it will stop reporting infections. The CPU overhead however cannot be avoided by normal means.

Microsoft Dev Drive exists purely as a workaround to this self-imposed problem.