Particle.news

EDR Killer Abuses Revoked EnCase Driver to Disable 59 Security Tools

Windows acceptance of a pre‑2015 signature lets the kernel‑mode driver bypass user‑mode protections.

Overview

  • Huntress observed the tool in a live intrusion after attackers authenticated to a SonicWall SSL VPN with stolen credentials and no MFA.
  • The malware embeds the EnPortv.sys EnCase driver and installs it as a kernel service that impersonates an OEM component to survive reboots.
  • Through the driver's IOCTL interface, user‑mode code issues kernel‑level kills that defeat safeguards such as Protected Process Light.
  • A one‑second loop targets 59 EDR and antivirus processes and immediately terminates any that relaunch; the operation was interrupted before ransomware deployment.
  • The driver still loads because Windows validates driver signatures by timestamp and exempts drivers signed before 2015, and the vulnerable‑driver blocklist is reactive; recommended defenses include enforcing MFA, enabling Memory Integrity, applying WDAC/ASR rules, and monitoring VPN and service activity.
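The last bullet recommends monitoring service activity. One concrete form of that is triaging Windows System log Event ID 7045 ("a service was installed in the system") for kernel‑mode driver installs that land outside the normal driver directory or whose image name matches a known vulnerable driver. The script below is an added example written for this page; it is not code from Huntress, Particle.news, or the malware analysis. It assumes a simplified `Key=Value` rendering of the 7045 fields, uses constructed sample records (the `C:\Users\Public` drop path and the service names are invented), and seeds its watchlist with only the driver name the report mentions.

```python
import re
from typing import Dict, List

# Constructed sample records in the style of Windows System log Event ID 7045
# ("A service was installed in the system"). Illustrative, not captured logs.
SAMPLE_EVENTS = [
    "EventID=7045 ServiceName=vendornic ServiceFileName=\\SystemRoot\\System32\\drivers\\vendornic.sys ServiceType=kernel mode driver StartType=boot start",
    "EventID=7045 ServiceName=Spooler ServiceFileName=C:\\Windows\\System32\\spoolsv.exe ServiceType=user mode service StartType=auto start",
    # Constructed: a kernel driver dropped to a user-writable path under an OEM-sounding service name
    "EventID=7045 ServiceName=OEMHelperSvc ServiceFileName=C:\\Users\\Public\\EnPortv.sys ServiceType=kernel mode driver StartType=auto start",
    # Constructed: same driver installed from the trusted directory; name match should still fire
    "EventID=7045 ServiceName=enportv ServiceFileName=\\SystemRoot\\System32\\drivers\\EnPortv.sys ServiceType=kernel mode driver StartType=demand start",
    "EventID=7036 ServiceName=vendornic State=running",
]

# Directories where legitimately installed kernel drivers normally live.
TRUSTED_DRIVER_DIRS = (
    r"\systemroot\system32\drivers",
    r"c:\windows\system32\drivers",
)

# Name-based watchlist seeded with the driver named in the report. In production,
# match on file hash against Microsoft's vulnerable driver blocklist instead,
# because a file name is trivially changed by the attacker.
VULNERABLE_DRIVER_NAMES = {"enportv.sys"}

# Key=Value pairs where a value may contain spaces ("kernel mode driver").
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'Key=Value Key=Value' record into a dict."""
    return {k: v.strip() for k, v in _FIELD_RE.findall(line)}


def normalize_path(path: str) -> str:
    """Lower-case, unify separators and drop the NT \\??\\ prefix some installers use."""
    p = path.strip().strip('"').replace("/", "\\").lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p


def assess_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons a service-install event looks like a BYOVD driver drop."""
    if event.get("EventID") != "7045":
        return []
    if "kernel" not in event.get("ServiceType", "").lower():
        return []  # user-mode services are out of scope for this check
    path = normalize_path(event.get("ServiceFileName", ""))
    reasons: List[str] = []
    if not any(path.startswith(d) for d in TRUSTED_DRIVER_DIRS):
        reasons.append("kernel driver outside trusted driver directory")
    if path.rsplit("\\", 1)[-1] in VULNERABLE_DRIVER_NAMES:
        reasons.append("image name on vulnerable-driver watchlist")
    return reasons


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Parse each record and collect alerts for suspicious kernel-driver installs."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        reasons = assess_event(ev)
        if reasons:
            alerts.append({
                "service": ev.get("ServiceName"),
                "path": ev.get("ServiceFileName"),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[ALERT] service={a['service']} path={a['path']} "
              f"reasons={'; '.join(a['reasons'])}")
```

Both constructed installs of the report's driver are flagged, while the in-place NIC driver and the user-mode service are not. The directory check catches drivers staged from user-writable locations; the watchlist check is what catches a driver copied into the legitimate directory under a misleading service name, which is why the two signals are kept separate in the output.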