{"id":37983,"date":"2025-08-05T09:20:08","date_gmt":"2025-08-05T13:20:08","guid":{"rendered":"https:\/\/www.eginnovations.com\/blog\/?p=37983"},"modified":"2025-08-05T09:20:08","modified_gmt":"2025-08-05T13:20:08","slug":"new-feature-vulnerable-system-drivers-monitoring","status":"publish","type":"post","link":"https:\/\/www.eginnovations.com\/blog\/new-feature-vulnerable-system-drivers-monitoring\/","title":{"rendered":"New Feature &#8211; Vulnerable System Drivers Monitoring"},"content":{"rendered":"<div class=\"inner_content\">\n<p>Vulnerable system drivers continue to be a vector exploited by attackers to compromise systems. In eG Enterprise version 7.5 we added a number of periodic security checks to help administrators proactively identify weaknesses, including vulnerable system drivers monitoring. This new capability is supported on Windows when using a VM agent for inside-view monitoring and \/ or when monitoring an <a href=\"https:\/\/www.eginnovations.com\/supported-technologies\/azure-virtual-desktop-monitoring-avd\">Azure Virtual Desktop<\/a> session host. The same eG agent that is used for performance monitoring also performs these security checks at periodic intervals.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Understanding_Windows_System_Drivers_Vulnerabilities_-_Some_Recent_Attacks\"><\/span>Understanding Windows System Driver Vulnerabilities \u2013 Some Recent Attacks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Windows system driver vulnerabilities are particularly dangerous because drivers run in the kernel, with the highest privileges the system has. Exploiting these flaws allows attackers to bypass user-mode security, disable antivirus and EDR software, and gain deep, persistent access to the operating system.<\/p>\n<p>Unlike user applications, drivers can read and write kernel memory directly, making detection and remediation more complex. 
Additionally, many drivers are signed and trusted by Windows, allowing them to load without raising security flags. This trust is often abused in Bring Your Own Vulnerable Driver (BYOVD) attacks, where outdated or flawed drivers become the gateway for full system compromise and stealthy malware deployment.<\/p>\n<div style=\"padding: 20px; border: 1px solid #ffd392; background: #fcf8ef; text-align: justify; margin-bottom: 30px;\">\n<p style=\"margin-bottom: 15px;\"><strong>What is Bring Your Own Vulnerable Driver (BYOVD)?<\/strong><\/p>\n<p style=\"margin-bottom: 15px;\">Bring Your Own Vulnerable Driver (BYOVD) is a cyberattack technique whereby an attacker:<\/p>\n<ul>\n<li>Deliberately installs a legitimate but known-vulnerable kernel driver (often signed and trusted by Windows), then<\/li>\n<li>Exploits its weaknesses to execute malicious code with kernel or SYSTEM-level privileges.<\/li>\n<\/ul>\n<p style=\"margin-bottom: 15px;\">Why It Works:<\/p>\n<ul style=\"margin-bottom: 5px;\">\n<li>Many vulnerable drivers are digitally signed, so Windows permits them even though they have flaws: a valid signature attests to the publisher, not to the absence of bugs.<\/li>\n<li>Once loaded, these drivers can give attackers deep access to the OS kernel, typically arbitrary kernel memory read and write, bypassing user-mode defenses, security tools and even EDR agents.<\/li>\n<\/ul>\n<\/div>\n<p>A good way to understand the attack vectors and threats around system drivers and their vulnerabilities is to read the post-mortem reviews that are widely available for recent incidents. Here are three typical examples.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Example_1_CVE_2024_38193_AFDsys_-_Lazarus_Group_Rootkit\"><\/span>Example 1. CVE-2024-38193 (AFD.sys) \u2013 Lazarus Group Rootkit<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>A North Korean threat actor exploited a previously unknown (zero-day) vulnerability in the Windows Ancillary Function Driver (AFD.sys) to escalate privileges to kernel level. 
They deployed a stealthy rootkit (\u201cFudModule\u201d), achieving SYSTEM access and disabling security tools via a fileless attack that relied only on built-in drivers. Read the details: <a class=\"link\" href=\"https:\/\/blog.barracuda.com\/2024\/08\/26\/cybersecurity-threat-advisory--exploited-microsoft-zero-day-flaw\" target=\"blank\">Cybersecurity Threat Advisory: Exploited Microsoft zero-day flaw | Barracuda Networks Blog<\/a>.<\/p>\n<p>The attack was particularly dangerous because AFD.sys is a core component of Windows. Its exploitation did not require introducing any additional driver, so it falls outside the typical BYOVD pattern: a blocklist of third-party drivers offers no protection against it, and only patching the OS does.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Example_2_ZoneAlarm_Driver_vsdatantsys_-_BYOVD_Exploit\"><\/span>Example 2. ZoneAlarm Driver (vsdatant.sys) \u2013 BYOVD Exploit<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Attackers abused vulnerabilities in the Check Point ZoneAlarm kernel driver (vsdatant.sys) to bypass Windows Memory Integrity protections, escalate privileges, disable endpoint security, and exfiltrate credentials. Because the driver carried a valid, trusted signature, its presence did not by itself trigger any alarm. Read the details: <a class=\"link\" href=\"https:\/\/venaksecurity.com\/2025\/03\/20\/cybercriminals-exploit-checkpoints-driver-in-a-byovd-attack\/\" target=\"blank\">Cybercriminals Exploit Checkpoint\u2019s Driver in a BYOVD Attack! \u2013 Venak Security<\/a>.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Example_3_Paragon_Driver_BioNTdrvsys_-_Ransomware_Escalation\"><\/span>Example 3. Paragon Driver (BioNTdrv.sys) \u2013 Ransomware Escalation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Ransomware actors exploited multiple vulnerabilities in the Microsoft-signed Paragon Partition Manager driver (BioNTdrv.sys), including CVE-2025-0289, to escalate privileges and execute kernel-level commands. 
Patching and adding the affected versions to the Microsoft driver blocklist were advised to prevent ongoing attacks, and Paragon has addressed the issue in newer versions of the driver. See this review from March 2025 for further details: <a class=\"link\" href=\"https:\/\/thehackernews.com\/2025\/03\/hackers-exploit-paragon-partition.html\" target=\"blank\">Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks<\/a>.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"How_You_Can_Protect_Yourself_from_System_Drivers_Vulnerabilities_on_Windows_OSs\"><\/span>How You Can Protect Yourself from System Driver Vulnerabilities on Windows OSs<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>One of the most important steps you can take is to follow the Microsoft recommended driver block rules \u2013 see <a class=\"link\" href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/application-security\/application-control\/app-control-for-business\/design\/microsoft-recommended-driver-block-rules\" target=\"blank\">Microsoft recommended driver block rules | Microsoft Learn<\/a>. The vulnerable driver blocklist is enabled by default on Windows 11 22H2 and later and on devices running Memory Integrity (HVCI); on other supported versions it can be turned on explicitly or deployed as an App Control for Business (WDAC) policy. Note that the blocklist only covers drivers Microsoft has already catalogued, and it does not help against a zero-day in an inbox driver such as the AFD.sys case above, so keeping Windows itself patched remains essential.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"How_eG_Enterprise_Monitors_System_Driver_Vulnerabilities_on_Windows_OSs\"><\/span>How eG Enterprise Monitors System Driver Vulnerabilities on Windows OSs<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>eG Enterprise retrieves a reference list of known-vulnerable drivers and compares the drivers present on the monitored system against that list. The reference list is periodically retrieved by the eG manager and then distributed to the agents. 
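<\/p>\n<p>As an added illustration, the PowerShell below is example code written for this page; it is not the eG agent's own implementation, whose reference list source and matching logic are not described here. It reads the documented VulnerableDriverBlocklistEnable registry value and the Win32_DeviceGuard CIM class to report whether the Microsoft blocklist and Memory Integrity are active, then hashes every driver under System32\drivers and every driver currently loaded and looks each SHA256 up in a reference table. The two hashes in that table are constructed placeholders; a real run would load them from a maintained feed such as the one published at loldrivers.io. Note that Microsoft's own block rules match on Authenticode (PE) hashes and on publisher plus file name rather than on flat file hashes, so a file-hash comparison of this kind complements the block policy rather than replacing it.<\/p>\n

```powershell
# Added example (not eG Enterprise agent code): report whether the Microsoft
# vulnerable driver blocklist and Memory Integrity are active, then compare the
# drivers on this host against a reference list of known-vulnerable driver
# hashes, the way a periodic agent check would.
#Requires -RunAsAdministrator

# --- 1. Platform protections ---------------------------------------------
# Documented registry value: 1 = Microsoft vulnerable driver blocklist enabled.
$ciPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciPath -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($blocklist -eq 1) { Write-Host 'Vulnerable driver blocklist: enabled' }
else { Write-Warning 'Vulnerable driver blocklist: disabled or value absent' }

# Memory Integrity (HVCI) is worth reporting alongside it: the ZoneAlarm case
# above targeted it directly. SecurityServicesRunning contains 2 when HVCI is on.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg -and ($dg.SecurityServicesRunning -contains 2)) { Write-Host 'Memory Integrity (HVCI): running' }
else { Write-Warning 'Memory Integrity (HVCI): not running' }

# --- 2. Reference list (CONSTRUCTED placeholders, not real driver hashes) --
# Keys are lowercase SHA256 file hashes; values are the name the driver is
# known by in the feed. Populate from a maintained source before relying on it.
$referenceList = @{
    '0000000000000000000000000000000000000000000000000000000000000000' = 'placeholder-driver-a.sys'
    '1111111111111111111111111111111111111111111111111111111111111111' = 'placeholder-driver-b.sys'
}

# Match on hash, never on file name: a BYOVD dropper can rename the driver, and
# a patched release keeps the name but not the hash of the vulnerable build.
function Test-DriverFile {
    param([string]$Path)
    $fh = Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction SilentlyContinue
    if (-not $fh) { return }
    $hash = $fh.Hash.ToLower()
    if ($referenceList.ContainsKey($hash)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        [pscustomobject]@{
            Path      = $Path
            SHA256    = $hash
            KnownAs   = $referenceList[$hash]
            Signer    = $sig.SignerCertificate.Subject
            SigStatus = $sig.Status   # usually Valid: a trusted signature is the point of BYOVD
        }
    }
}

# a) Drivers on disk in the standard location.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$onDisk = Get-ChildItem -LiteralPath $driverDir -Filter '*.sys' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-DriverFile -Path $_.FullName }

# b) Drivers currently loaded, wherever they live: a BYOVD dropper often loads
#    its driver from a temp or user-writable folder, not from System32.
$loaded = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.PathName } | ForEach-Object {
    $p = $_.PathName -replace '^\\\?\?\\', ''                       # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')     # \SystemRoot\... -> C:\Windows\...
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    if (Test-Path -LiteralPath $p) { Test-DriverFile -Path $p }
}

# Merge both views, drop empty results, and de-duplicate by path.
$hits = @(@($onDisk) + @($loaded) | Where-Object { $null -ne $_ } | Sort-Object -Property Path -Unique)
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
    Write-Warning ('{0} known-vulnerable driver(s) present: raise an alert' -f $hits.Count)
} else {
    Write-Host 'No drivers matched the reference list'
}
```

<p>Run it from an elevated PowerShell session on the host. When a driver matches, the Signer and SigStatus columns show the valid signature that let the OS load it without complaint, which is exactly the property BYOVD relies on.<\/p>\n<p>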
This requires the eG manager to have Internet access so that it can reach the reference list.<\/p>\n<p>Out of the box, eG Enterprise v7.5 provides proactive alerts if a vulnerable driver is identified, and the detailed diagnostics for the alert list each matching driver and its file path.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-38026 size-full\" src=\"https:\/\/www.eginnovations.com\/blog\/wp-content\/uploads\/2025\/07\/Vulnerable-System.jpg\" alt=\"Image showing eG Enterprise raising an alert because vulnerable system drivers have been detected on a Windows OS, detailed diagnostics of the drivers are also shown including the system drivers found and their file paths\" width=\"600\" height=\"432\" srcset=\"https:\/\/www.eginnovations.com\/blog\/wp-content\/uploads\/2025\/07\/Vulnerable-System.jpg 600w, https:\/\/www.eginnovations.com\/blog\/wp-content\/uploads\/2025\/07\/Vulnerable-System-300x216.jpg 300w, https:\/\/www.eginnovations.com\/blog\/wp-content\/uploads\/2025\/07\/Vulnerable-System-310x223.jpg 310w, https:\/\/www.eginnovations.com\/blog\/wp-content\/uploads\/2025\/07\/Vulnerable-System-140x101.jpg 140w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p>This capability is supported on Windows when using a VM agent for inside-view monitoring and when monitoring an Azure Virtual Desktop (AVD) session host.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Vulnerable system drivers continue to be a vector exploited by attackers to compromise systems. 
In eG Enterprise version 7.5 we added a number of periodic security checks to help administrators proactively identify weaknesses, including vulnerable system drivers monitoring. This new capability is supported on Windows when using a VM agent for inside-view monitoring [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":38092,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_lmt_disableupdate":"yes","_lmt_disable":"","footnotes":""},"categories":[409,366],"tags":[567,165,166,232,2362,294,1111],"class_list":["post-37983","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-eg-enterprise","category-end-to-end-monitoring-e2e","tag-azure-virtual-desktops","tag-it-security-and-compliance","tag-it-security-audit","tag-security-and-compliance","tag-vulnerable-system-drivers","tag-windows-monitoring","tag-windows-uptime"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>New Feature - Vulnerable System Drivers Monitoring | eG Innovations<\/title>\n<meta name=\"description\" content=\"Learn about eG Enterprise version 7.5 support for proactive monitoring for Vulnerable System Drivers on Windows OSs including AVD\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.eginnovations.com\/blog\/new-feature-vulnerable-system-drivers-monitoring\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"New Feature - Vulnerable System Drivers Monitoring | eG Innovations\" \/>\n<meta property=\"og:description\" content=\"Learn about eG Enterprise version 7.5 support for proactive monitoring for Vulnerable System Drivers 
on Windows OSs including AVD\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.eginnovations.com\/blog\/new-feature-vulnerable-system-drivers-monitoring\/\" \/>\n<meta property=\"og:site_name\" content=\"eG Innovations\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/eGInnovations\" \/>\n<meta property=\"article:published_time\" content=\"2025-08-05T13:20:08+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.eginnovations.com\/blog\/wp-content\/uploads\/2025\/08\/Vulnerable-system-drivers-Social-Banner.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"628\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Babu Sundaram\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/virtualinfra76?lang=en\" \/>\n<meta name=\"twitter:site\" content=\"@eginnovations\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Babu Sundaram\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"New Feature - Vulnerable System Drivers Monitoring | eG Innovations","description":"Learn about eG Enterprise version 7.5 support for proactive monitoring for Vulnerable System Drivers on Windows OSs including AVD","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.eginnovations.com\/blog\/new-feature-vulnerable-system-drivers-monitoring\/","og_locale":"en_US","og_type":"article","og_title":"New Feature - Vulnerable System Drivers Monitoring | eG Innovations","og_description":"Learn about eG Enterprise version 7.5 support for proactive monitoring for Vulnerable System Drivers on Windows OSs including AVD","og_url":"https:\/\/www.eginnovations.com\/blog\/new-feature-vulnerable-system-drivers-monitoring\/","og_site_name":"eG Innovations","article_publisher":"https:\/\/www.facebook.com\/eGInnovations","article_published_time":"2025-08-05T13:20:08+00:00","og_image":[{"width":1200,"height":628,"url":"https:\/\/www.eginnovations.com\/blog\/wp-content\/uploads\/2025\/08\/Vulnerable-system-drivers-Social-Banner.png","type":"image\/png"}],"author":"Babu Sundaram","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/virtualinfra76?lang=en","twitter_site":"@eginnovations","twitter_misc":{"Written by":"Babu Sundaram","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.eginnovations.com\/blog\/new-feature-vulnerable-system-drivers-monitoring\/#article","isPartOf":{"@id":"https:\/\/www.eginnovations.com\/blog\/new-feature-vulnerable-system-drivers-monitoring\/"},"author":{"name":"Babu Sundaram","@id":"https:\/\/www.eginnovations.com\/blog\/#\/schema\/person\/5f7590f77be55ecf13f1b8d915ac39df"},"headline":"New Feature &#8211; Vulnerable System Drivers Monitoring","datePublished":"2025-08-05T13:20:08+00:00","mainEntityOfPage":{"@id":"https:\/\/www.eginnovations.com\/blog\/new-feature-vulnerable-system-drivers-monitoring\/"},"wordCount":683,"publisher":{"@id":"https:\/\/www.eginnovations.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.eginnovations.com\/blog\/new-feature-vulnerable-system-drivers-monitoring\/#primaryimage"},"thumbnailUrl":"https:\/\/www.eginnovations.com\/blog\/wp-content\/uploads\/2025\/08\/Vulnerable-system-drivers-Thumbanil-banner.png","keywords":["Azure Virtual Desktops","IT Security and Compliance","IT Security Audit","Security and Compliance","Vulnerable System Drivers","windows monitoring","windows uptime"],"articleSection":["eG Enterprise","End-to-End Monitoring (E2E)"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.eginnovations.com\/blog\/new-feature-vulnerable-system-drivers-monitoring\/","url":"https:\/\/www.eginnovations.com\/blog\/new-feature-vulnerable-system-drivers-monitoring\/","name":"New Feature - Vulnerable System Drivers Monitoring | eG 
Innovations","isPartOf":{"@id":"https:\/\/www.eginnovations.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.eginnovations.com\/blog\/new-feature-vulnerable-system-drivers-monitoring\/#primaryimage"},"image":{"@id":"https:\/\/www.eginnovations.com\/blog\/new-feature-vulnerable-system-drivers-monitoring\/#primaryimage"},"thumbnailUrl":"https:\/\/www.eginnovations.com\/blog\/wp-content\/uploads\/2025\/08\/Vulnerable-system-drivers-Thumbanil-banner.png","datePublished":"2025-08-05T13:20:08+00:00","description":"Learn about eG Enterprise version 7.5 support for proactive monitoring for Vulnerable System Drivers on Windows OSs including AVD","breadcrumb":{"@id":"https:\/\/www.eginnovations.com\/blog\/new-feature-vulnerable-system-drivers-monitoring\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.eginnovations.com\/blog\/new-feature-vulnerable-system-drivers-monitoring\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.eginnovations.com\/blog\/new-feature-vulnerable-system-drivers-monitoring\/#primaryimage","url":"https:\/\/www.eginnovations.com\/blog\/wp-content\/uploads\/2025\/08\/Vulnerable-system-drivers-Thumbanil-banner.png","contentUrl":"https:\/\/www.eginnovations.com\/blog\/wp-content\/uploads\/2025\/08\/Vulnerable-system-drivers-Thumbanil-banner.png","width":362,"height":235},{"@type":"BreadcrumbList","@id":"https:\/\/www.eginnovations.com\/blog\/new-feature-vulnerable-system-drivers-monitoring\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.eginnovations.com\/blog\/"},{"@type":"ListItem","position":2,"name":"New Feature &#8211; Vulnerable System Drivers Monitoring"}]},{"@type":"WebSite","@id":"https:\/\/www.eginnovations.com\/blog\/#website","url":"https:\/\/www.eginnovations.com\/blog\/","name":"eG Innovations","description":"IT Performance Monitoring 
Insights","publisher":{"@id":"https:\/\/www.eginnovations.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.eginnovations.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.eginnovations.com\/blog\/#organization","name":"eG Innovations","alternateName":"eg innovations","url":"https:\/\/www.eginnovations.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.eginnovations.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.eginnovations.com\/blog\/wp-content\/uploads\/2014\/07\/eg-logo-dark-gray1_new.jpg","contentUrl":"https:\/\/www.eginnovations.com\/blog\/wp-content\/uploads\/2014\/07\/eg-logo-dark-gray1_new.jpg","width":362,"height":235,"caption":"eG Innovations"},"image":{"@id":"https:\/\/www.eginnovations.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/eGInnovations","https:\/\/x.com\/eginnovations"]},{"@type":"Person","@id":"https:\/\/www.eginnovations.com\/blog\/#\/schema\/person\/5f7590f77be55ecf13f1b8d915ac39df","name":"Babu Sundaram","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.eginnovations.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d28fef01834f3b388d7d825216013937?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d28fef01834f3b388d7d825216013937?s=96&d=mm&r=g","caption":"Babu Sundaram"},"sameAs":["https:\/\/x.com\/https:\/\/twitter.com\/virtualinfra76?lang=en"],"url":"https:\/\/www.eginnovations.com\/blog\/author\/babusundaram\/"}]}},"modified_by":"eG 
Innovations","_links":{"self":[{"href":"https:\/\/www.eginnovations.com\/blog\/wp-json\/wp\/v2\/posts\/37983","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.eginnovations.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.eginnovations.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.eginnovations.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.eginnovations.com\/blog\/wp-json\/wp\/v2\/comments?post=37983"}],"version-history":[{"count":1,"href":"https:\/\/www.eginnovations.com\/blog\/wp-json\/wp\/v2\/posts\/37983\/revisions"}],"predecessor-version":[{"id":39267,"href":"https:\/\/www.eginnovations.com\/blog\/wp-json\/wp\/v2\/posts\/37983\/revisions\/39267"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.eginnovations.com\/blog\/wp-json\/wp\/v2\/media\/38092"}],"wp:attachment":[{"href":"https:\/\/www.eginnovations.com\/blog\/wp-json\/wp\/v2\/media?parent=37983"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.eginnovations.com\/blog\/wp-json\/wp\/v2\/categories?post=37983"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.eginnovations.com\/blog\/wp-json\/wp\/v2\/tags?post=37983"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}