EDR Killer Tool Abuses Signed Kernel Driver to Disable Endpoint Security

Feb 6, 2026

Threat actors are increasingly leveraging a custom EDR killer tool that exploits a signed but long-revoked kernel driver originally from forensic software to bypass and disable endpoint detection and response (EDR) and antivirus tools.

Key Takeaways

Threat Type: EDR Killer / Security Evasion Tool
Attack Technique: BYOVD (Bring Your Own Vulnerable Driver)
Abused Component: Signed but revoked EnCase forensic kernel driver (EnPortv.sys)
Privilege Level: Kernel-level (Ring 0)
Primary Impact: Disables EDR and antivirus protections
Affected Defenses: 59 EDR and AV processes targeted
Persistence Method: Driver installed as fake OEM hardware service
Initial Access Vector: Compromised SonicWall VPN credentials
Key Weakness Exploited: Lack of MFA on VPN access
Detection Challenges: Uses legitimate signed driver to bypass security checks
Recommended Mitigations: Enforce MFA, enable HVCI/Memory Integrity, WDAC, ASR rules

What Happened?

Security researchers at Huntress recently uncovered a custom EDR killer utility deployed during an intrusion event that was responsible for disabling multiple security tools on compromised Windows systems.

Instead of relying on an unsigned or outright malicious driver, this tool embeds a legitimate kernel driver from EnCase — a digital forensics product used by law enforcement — that was signed over a decade ago and whose certificate has since expired and been revoked.

Windows still loads the driver despite the revocation: Driver Signature Enforcement validates the signature against the file's cryptographic hash and its countersigned timestamp, and does not actively check Certificate Revocation Lists (CRLs) at load time.

The driver (EnPortv.sys) is then registered as a fake OEM hardware service, providing reboot-persistent kernel access and enabling the malware to interact with kernel APIs.

How the EDR Killer Works

The malicious tool operates by abusing this signed driver’s kernel-mode IOCTL interface to terminate running security services and processes, effectively crippling EDR, antivirus (AV), and related defenses:

  • The EDR killer continuously scans for 59 distinct security-related processes and forcibly terminates them.

  • By using kernel-level access, it bypasses protections such as Protected Process Light (PPL), which are designed to shield critical processes from termination.

  • The termination loop runs every second, ensuring that even if tools restart, the malware will immediately disable them again.

This method gives threat actors a significant visibility and control advantage on the compromised host, effectively creating a blind spot in endpoint defenses that can be leveraged for ransomware deployment or other malicious activity.

How Attackers Gained Access

In the incident observed by Huntress:

  • The adversary used compromised SonicWall SSL VPN credentials to access the corporate environment.

  • Lack of multi-factor authentication (MFA) on the VPN account facilitated unauthorized access.

  • After gaining a foothold, the attackers conducted internal reconnaissance and deployed the EDR killer disguised as a legitimate firmware update utility.

While the final payload (e.g., ransomware) was interrupted in this case, the presence of such a tool underscores the severe threat posed by driver-based EDR bypass techniques.

Defense Strategies

To mitigate similar attacks, security teams should consider the following controls:

  • Mandatory Multi-Factor Authentication (MFA) for all remote access solutions — particularly VPNs.

  • Monitor VPN logs for anomalous authentication attempts indicative of compromised credentials.

  • Enable HVCI / Memory Integrity to enforce Microsoft’s vulnerable driver blocklist.

  • Deploy Windows Defender Application Control (WDAC) and Attack Surface Reduction (ASR) rules to block or restrict vulnerable signed drivers.

  • Investigate and alert on unexpected kernel services masquerading as OEM or hardware components.

These strategies help reduce the risk of malicious driver abuse and strengthen overall endpoint resilience.
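The last two controls above (enforcing the blocklist via HVCI and hunting for unexpected kernel services) can be checked from an administrative PowerShell session. The script below is an added example, not code from Huntress or from the report; it assumes it runs elevated on the host being audited and that the signer allow-list ($TrustedSigners, seeded only with Microsoft's WHQL publisher names) is maintained by the reader. It flags kernel-driver services whose image lives outside System32\drivers, whose Authenticode status is not Valid, whose signer certificate has already expired (the case described above, where a timestamped signature still loads), or whose signer is not on the allow-list, and then reports whether Memory Integrity is running.

```powershell
# Added audit script (not from the Huntress report). Assumes an elevated session.
# $TrustedSigners is an allow-list you maintain; WHQL-signed drivers carry the first name.
$TrustedSigners = @('CN=Microsoft Windows Hardware Compatibility Publisher*',
                    'CN=Microsoft Windows*')

function Get-KernelDriverFindings {
    $driversDir = Join-Path $env:SystemRoot 'System32\drivers'
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        if (-not $drv.PathName) { continue }
        # Driver image paths are stored in NT form (\??\, \SystemRoot\, System32\); convert to Win32.
        $path = $drv.PathName.Trim('"') -replace '^\\\?\?\\', '' `
                -replace '^\\SystemRoot\\', "$env:SystemRoot\" `
                -replace '^System32\\', "$env:SystemRoot\System32\"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $cert = $sig.SignerCertificate
        $reasons = @()
        if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
        # An expired signer on a timestamped driver still loads; on a new service it is a strong signal.
        if ($cert -and $cert.NotAfter -lt (Get-Date)) { $reasons += 'signer certificate expired' }
        if ($cert -and -not ($TrustedSigners | Where-Object { $cert.Subject -like $_ })) {
            $reasons += 'signer not on allow-list (not WHQL/Microsoft)'
        }
        if (-not $path.StartsWith($driversDir, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'image outside System32\drivers'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service   = $drv.Name
                State     = $drv.State
                StartMode = $drv.StartMode
                Path      = $path
                Signer    = if ($cert) { $cert.Subject } else { '<unsigned>' }
                Reasons   = $reasons -join '; '
            }
        }
    }
}

function Test-MemoryIntegrityRunning {
    # Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI (Memory Integrity) is active.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    return [bool]($dg.SecurityServicesRunning -contains 2)
}

Get-KernelDriverFindings | Format-Table -AutoSize
if (-not (Test-MemoryIntegrityRunning)) {
    Write-Warning 'HVCI / Memory Integrity is not running; the vulnerable driver blocklist is not enforced.'
}
```

Review each finding against your hardware inventory: third-party drivers that legitimately ship outside the WHQL program will appear here, so the value is in new, recently registered services that match none of your known vendors.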

Bottom Line

This emerging EDR killer threat exemplifies how adversaries are increasingly abusing legitimate system components to evade detection and disable security defenses. Even drivers signed and issued by trusted vendors — if outdated or revoked — can become potent tools for attackers when misused.

Staying ahead of such threats requires a combination of strict access controls, proactive monitoring, and kernel-level defense hardening measures.
