Do You Know What an EDR Killer Is?
EDR, or Endpoint Detection and Response, is what should have replaced the anti-virus software on your computer years ago. You can think of it as AV on steroids (behavioral detection, telemetry, and the ability to respond, not just signature matching), without all the steroid side effects.
Microsoft being Microsoft, they had to do stupid things to allow this hack to work. They never want to intentionally break backward compatibility. They reserve that for breaking things unintentionally.
The general technique is called BYOVD, or Bring Your Own Vulnerable Driver. It is well known, and Microsoft continues to try to kneecap its effectiveness while still allowing old, poorly written, insecure software to work. Thanks, Microsoft.
In this case, hackers broke into a system using a combination of a bug in the SonicWall VPN (since patched) and poor hygiene on the part of the victim company.
Then they installed a known, signed, vulnerable device driver from the forensics tool EnCase. Once the driver was loaded they used its flaw to terminate security processes from kernel mode, where the tools' own tamper protection can't stop them. The tool now works to shut down almost 60 products.
SOOOOO, if this driver is vulnerable, why does the driver run? Here is where Microsoft took a stupid pill.
The textbook first response is to revoke the code signing certificate. But as all security folks know, certificate revocation is another term for dumpster fire and doesn't work anywhere. That includes Windows: kernel code integrity never consults a revocation list when it loads a driver, so revoking the certificate changes nothing on a box where the driver is already sitting. The mechanism Microsoft actually relies on is its vulnerable driver blocklist, which only helps if it is turned on and if this particular driver is on it.
So then Microsoft added a requirement in Windows 10 (version 1607 and later) that new kernel drivers must be signed by Microsoft through the Hardware Dev Center (attestation or WHQL). In theory that should have stopped this driver from loading.
But now that that stupid pill is firmly in Microsoft's system, they made an exception: drivers signed with a certificate issued before July 29, 2015 that chains to one of the old cross-signed CAs still load. And the whole rule is only enforced on fresh installs with Secure Boot on; upgraded machines and Secure-Boot-off machines keep the old rules. More than 10 years ago. Maybe if your software is that old, you need to find different software. Maybe.
Of course, this driver was signed in 2006 and its certificate expired on its own in 2010. That doesn't matter either: the signature carries a timestamp countersignature, and Authenticode treats a timestamped signature as valid forever, by design, so that legitimately signed code outlives its certificate. Useful for vendors; just as useful for attackers.
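Whether one of these pre-2015, third-party-signed drivers is running on a given box is something you can check yourself. The script below is an added example, not code from the original post or from the BleepingComputer article: it walks the running kernel drivers, grades each embedded signature against the conditions discussed above (certificate issued before the July 29, 2015 cutoff, certificate already expired, signer not Microsoft's hardware-compatibility publisher), and reports whether the vulnerable driver blocklist, HVCI and Secure Boot are on. The cutoff date and the registry/WMI locations are Microsoft's documented ones; the flag names and the "catalog-signed drivers are skipped" choice are this example's own assumptions. Run it in an elevated PowerShell 5.1 or later session.

```powershell
# Added example (not from the original post). Audit running kernel drivers for
# the signing conditions an old BYOVD driver exploits. Flag names are this
# script's own heuristics; the cutoff date is Microsoft's documented one.

$Cutoff     = Get-Date '2015-07-29'
$MsHwSigner = 'Microsoft Windows Hardware Compatibility Publisher'

function Get-DriverSigningReport {
    # Only drivers that are actually running, not every .sys on disk.
    $drivers = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # PathName may carry a \??\ or \SystemRoot\ prefix; normalise to a file path.
        $path = $d.PathName -replace '^\\\?\?\\', '' `
                            -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $cert = $sig.SignerCertificate
        # Inbox Microsoft drivers are catalog-signed and may show no embedded signer
        # here; they are not the BYOVD concern, so only embedded signatures are graded.
        # Note: this cmdlet returns the primary signature only; a dual-signed
        # (vendor + Microsoft attestation) driver is graded on its primary signer.
        if (-not $cert) { continue }

        $flags = @()
        if ($cert.NotBefore -lt $Cutoff)      { $flags += 'cert-issued-before-2015-07-29' }
        if ($cert.NotAfter  -lt (Get-Date))   { $flags += 'cert-expired-loads-via-timestamp' }
        if ($cert.Subject -notmatch [regex]::Escape($MsHwSigner)) { $flags += 'not-ms-attested' }

        [pscustomobject]@{
            Driver    = $d.Name
            Path      = $path
            Signer    = $cert.Subject
            NotBefore = $cert.NotBefore
            NotAfter  = $cert.NotAfter
            Timestamp = if ($sig.TimeStamperCertificate) { 'yes' } else { 'no' }
            Status    = $sig.Status
            Flags     = $flags -join ','
        }
    }
}

function Get-DriverBlocklistStatus {
    # VulnerableDriverBlocklistEnable = 1 means the Microsoft blocklist is enforced
    # (default on Windows 11 22H2+ with HVCI or Smart App Control; otherwise opt-in).
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                           -ErrorAction SilentlyContinue
    # Win32_DeviceGuard.SecurityServicesRunning: 2 = HVCI running.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }   # throws on legacy BIOS

    [pscustomobject]@{
        VulnerableDriverBlocklistEnable = $ci.VulnerableDriverBlocklistEnable  # $null = not set
        HvciRunning                     = [bool]($dg.SecurityServicesRunning -contains 2)
        SecureBoot                      = [bool]$secureBoot
    }
}

# Usage: show only drivers that tripped at least one flag, then the policy state.
Get-DriverSigningReport | Where-Object Flags | Format-Table Driver, Signer, NotBefore, NotAfter, Flags -AutoSize
Get-DriverBlocklistStatus
```

A driver that trips all three flags is exactly the shape described above: signed by a third party with a certificate from before the cutoff, already expired, and still loading on the strength of its timestamp. If `VulnerableDriverBlocklistEnable` is empty and HVCI is not running, the blocklist is not protecting that machine regardless of what is on it.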
Now that the driver is loaded, it tells Windows that it is a (fake) OEM hardware device. Since on the Internet no one knows you are a dog, and on Windows no one knows if you are a real OEM hardware driver, Microsoft says sure, go for it.
This malware not only kills these 59 security processes, it also re-runs the kill loop every second, just in case one of the tools has the nerve to restart itself.
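That once-a-second kill loop is also the thing a defender can see, because the kills happen in kernel mode but the deaths are still logged. The script below is an added example, not code from the original post: it runs a burst detector over constructed Sysmon-style Event ID 5 (ProcessTerminate) records, alerting when several distinct security-product processes die inside a short window and reporting any that died more than once in that window (the restart-then-re-kill signature). The watch-list of process names, the thresholds and the sample records are this example's assumptions; extend the list with your own vendor's binaries.

```powershell
# Added example (not from the original post). Detect EDR-killer behaviour from
# process-termination telemetry: many security processes dying within seconds,
# and the same ones dying again after they restart.

# Watch-list (assumption: a few well-known agent binaries; add your own vendor's).
$WatchedImages = @('MsMpEng.exe', 'MsSense.exe', 'SenseIR.exe', 'NisSrv.exe',
                   'CSFalconService.exe', 'SentinelAgent.exe')

function Find-EdrKillBursts {
    param(
        # Objects with UtcTime (datetime), EventId (5 = ProcessTerminate) and Image (full path).
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowSeconds      = 10,
        [int] $MinDistinctTargets = 3
    )
    $kills = @($Events |
        Where-Object { $_.EventId -eq 5 -and $WatchedImages -contains (Split-Path $_.Image -Leaf) } |
        Sort-Object UtcTime)

    $alerts = @()
    for ($i = 0; $i -lt $kills.Count; $i++) {
        $start    = $kills[$i].UtcTime
        $inWindow = @($kills | Where-Object {
            $_.UtcTime -ge $start -and $_.UtcTime -lt $start.AddSeconds($WindowSeconds) })
        $names    = @($inWindow | ForEach-Object { Split-Path $_.Image -Leaf })
        $distinct = @($names | Sort-Object -Unique)

        if ($distinct.Count -ge $MinDistinctTargets) {
            # A watched image dying twice in one window means it restarted and was killed again.
            $rekilled = @($names | Group-Object | Where-Object Count -gt 1 | ForEach-Object Name)
            $alerts += [pscustomobject]@{
                WindowStart     = $start
                DistinctTargets = $distinct.Count
                Targets         = $distinct -join ','
                ReKilled        = $rekilled -join ','
            }
            # One alert per burst, not one per event: jump past this window.
            $i += $inWindow.Count - 1
        }
    }
    return $alerts
}

# Constructed sample telemetry (not real logs): a burst at t0, a lone restart 30 minutes later.
$t0 = [datetime]'2025-01-01T12:00:00Z'
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = $t0;                EventId = 5; Image = 'C:\Program Files\Windows Defender\MsMpEng.exe' }
    [pscustomobject]@{ UtcTime = $t0.AddSeconds(1);  EventId = 5; Image = 'C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe' }
    [pscustomobject]@{ UtcTime = $t0.AddSeconds(1);  EventId = 5; Image = 'C:\Program Files\CrowdStrike\CSFalconService.exe' }
    [pscustomobject]@{ UtcTime = $t0.AddSeconds(2);  EventId = 5; Image = 'C:\Windows\System32\notepad.exe' }   # noise, not watched
    [pscustomobject]@{ UtcTime = $t0.AddSeconds(3);  EventId = 5; Image = 'C:\Program Files\Windows Defender\MsMpEng.exe' }   # restarted, killed again
    [pscustomobject]@{ UtcTime = $t0.AddMinutes(30); EventId = 5; Image = 'C:\Program Files\Windows Defender\MsMpEng.exe' }   # single death: no alert
)

# Expected: one alert for the t0 window with 3 distinct targets and MsMpEng.exe re-killed.
Find-EdrKillBursts -Events $SampleEvents | Format-Table -AutoSize
```

Against a live host, feed the function the Sysmon channel instead of the sample array: `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=5]]'`, mapping each record's `TimeCreated` and its `Image` field onto the `UtcTime`/`Image` properties the function expects. Pairing an alert from this with a Sysmon Event ID 6 (driver loaded) for a non-Microsoft signer shortly before the burst is the BYOVD-plus-EDR-killer pattern described in this post.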
The problem for Microsoft is that if it starts enforcing rules now that it never enforced before, it WILL, guaranteed, break stuff, because devs think it is cool to use undocumented hacks to do what they want to do.
Personally, I think Microsoft needs to break a lot of poorly written software so that developers will get the message. Systems would be a lot more secure if they did that. But they won't. It is not in their DNA. One minor problem with that strategy: much of the poorly written software was written by Microsoft and is part of Windows and Windows apps. 🙂
Credit: Bleeping Computer
