Decade-Old EnCase Driver Still Defeats Modern EDR

Summary
– Attackers use a new malware that can disable 59 endpoint security products by exploiting a legitimate but expired kernel driver from an old EnCase forensics tool.
– The attack began with compromised credentials to access a SonicWall VPN, followed by network reconnaissance and the deployment of this “EDR killer” malware.
– The malware hides the driver using a custom encoding scheme, disguises it as a legitimate system file, and registers it as a kernel service to run on every reboot.
– This is a BYOVD attack where the loaded driver allows user-mode processes to terminate critical security processes from kernel mode, bypassing standard protections.
– The Windows kernel does not check certificate revocation when it loads a driver, so a revoked signature alone stops nothing; defenders should require multi-factor authentication on remote access, enable Memory Integrity so the Vulnerable Driver Blocklist is enforced, and monitor for new kernel services that masquerade as hardware components.
A newly identified malware strain is demonstrating a dangerous ability to disable dozens of modern endpoint detection and response (EDR) solutions. This is achieved by exploiting a legitimate but outdated kernel driver from a decade-old version of the EnCase forensics software. Despite its certificate being revoked over ten years ago, the Windows operating system continues to permit this driver to load, providing attackers with a powerful tool to undermine security.
Security analysts at Huntress recently observed this attack in action. The threat actors first gained entry to a corporate network by logging into a SonicWall SSL VPN with stolen credentials. After conducting internal reconnaissance, they deployed the so-called “EDR killer” malware. This package contains the vulnerable EnCase driver, concealed using a custom encoding method to evade initial detection.
Once decoded, the malware writes the driver to disk under a name and location chosen to resemble a genuine OEM system component, copies timestamps from real system files so the file does not stand out in a timeline, and registers it as a kernel service so it is loaded again on every reboot. The driver then exposes a device interface reachable from user mode through which any process can be terminated from kernel context. Because the termination happens in the kernel, Protected Process Light (PPL), which only restricts what user-mode callers can do to protected processes such as security agents, offers no protection.
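The persistence and disguise described above leave artifacts a defender can hunt for: a kernel-mode service whose binary sits outside the usual driver directories, is signed with a certificate old enough to fall into the pre-2015 cross-signing window, or carries timestamps that predate its own signing certificate. The following PowerShell is an added example, not code from the Huntress investigation or the HelpNet write-up; it assumes an elevated session on a Windows host and that Service Control Manager event 7045 carries its usual ServiceName, ImagePath and ServiceType fields. The 2015-07-29 cutoff and the flag thresholds are the author's choices for this example.

```powershell
# Added hunt script (not from the original article). Run from an elevated PowerShell.
# Flags kernel-mode services that look like a dropped third-party driver so an analyst
# can triage them; it does not decide on its own that anything is malicious.
$Cutoff = [datetime]'2015-07-29'   # end of the cross-signing "grandfather" window

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    # ImagePath appears in several spellings: \??\C:\..., \SystemRoot\..., system32\drivers\...
    $p = $ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Find-SuspiciousKernelDriver {
    $services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($svc in $services) {
        $prop = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $prop -or $prop.Type -ne 1 -or -not $prop.ImagePath) { continue }  # Type 1 = kernel driver

        $path = Resolve-DriverImagePath $prop.ImagePath
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $file = Get-Item -LiteralPath $path
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $cert = $sig.SignerCertificate
        $flags = @()

        # 1. Binary living outside the two places Windows normally keeps drivers.
        if ($path -notlike "$env:SystemRoot\System32\drivers\*" -and
            $path -notlike "$env:SystemRoot\System32\DriverStore\*") {
            $flags += 'image outside drivers\ and DriverStore\'
        }
        # 2. Signing certificate issued before the cutoff: still loadable even if long revoked.
        if ($cert -and $cert.NotBefore -lt $Cutoff) {
            $flags += "signer cert issued $($cert.NotBefore.ToString('yyyy-MM-dd')), inside grandfather window"
        }
        # 3. A signed PE cannot have been written before its certificate existed; a copied
        #    (timestomped) LastWriteTime that predates NotBefore is a giveaway. Note that an
        #    attacker who copies all timestamps from a newer file defeats this check; comparing
        #    $STANDARD_INFORMATION against $FILE_NAME in the MFT needs a forensic tool.
        if ($cert -and $file.LastWriteTimeUtc -lt $cert.NotBefore.ToUniversalTime()) {
            $flags += 'LastWriteTime predates signing certificate'
        }

        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                Service   = $svc.PSChildName
                Start     = $prop.Start            # 0 boot, 1 system, 2 auto, 3 demand
                Path      = $path
                Signer    = if ($cert) { $cert.Subject } else { '<unsigned>' }
                SigStatus = $sig.Status
                SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                Flags     = ($flags -join '; ')
            }
        }
    }
}

function Get-RecentKernelDriverInstall {
    param([int]$Days = 30)
    # SCM logs every new service as System/7045; drivers show ServiceType "kernel mode driver".
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match 'kernel mode driver' } |
        Select-Object TimeCreated,
                      @{ n = 'Service';   e = { $_.Properties[0].Value } },
                      @{ n = 'ImagePath'; e = { $_.Properties[1].Value } }
}

Find-SuspiciousKernelDriver | Format-Table -AutoSize
Get-RecentKernelDriverInstall | Format-Table -AutoSize
```

Expect noise from legitimate OEM drivers on the first two flags; the SHA256 column is there so each hit can be checked against a vulnerable-driver inventory rather than judged by name. The Authenticode status is reported for context only: as the article explains, the kernel does not consult revocation, so a "Valid" or "NotSigned" status from user mode says nothing about whether the driver will load.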
This incident is a stark example of the Bring Your Own Vulnerable Driver (BYOVD) attack technique. Instead of crafting a malicious driver, attackers leverage a legitimate one with known flaws to gain deep system access. Once the vulnerable driver is running in the kernel, its exposed functions can be abused to kill security software, disable defenses, or manipulate memory directly.
While the security community has been aware of BYOVD threats for years, preventing them comprehensively remains a significant challenge. Windows employs Driver Signature Enforcement (DSE) to block unsigned or tampered drivers, but the kernel's code-integrity check does not consult Certificate Revocation Lists (CRLs). This is largely a practical design choice: drivers load early in boot, before network connectivity exists, so an online revocation check is not possible at that point. Even when a revocation list has been imported manually, the kernel ignores it when validating a driver's signature.
Microsoft's primary countermeasure is the Vulnerable Driver Blocklist, a regularly updated catalog of known-bad drivers. This reactive approach has a clear weakness: it only blocks drivers after they have been identified and added, leaving a window of opportunity for attackers. Furthermore, Microsoft maintains exceptions for backward compatibility. Drivers signed with certificates issued before a July 2015 cutoff date are still allowed to load if they chain to a supported cross-signing authority. The EnCase driver's certificate, issued in 2006, falls squarely within this grandfather clause.
In the case investigated by Huntress, the attackers' likely objective was to deploy ransomware, but their preparations were interrupted. To defend against such threats, organizations are advised to require multi-factor authentication on all remote access services and routinely audit VPN logs for anomalies. On the endpoint, enabling Memory Integrity (hypervisor-protected code integrity) turns on enforcement of the Vulnerable Driver Blocklist. Security teams should also monitor for newly registered kernel services that masquerade as hardware components, and use Windows Defender Application Control alongside the Attack Surface Reduction rule that blocks abuse of exploited vulnerable signed drivers, so that known-bad drivers are refused before they are loaded.
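The recommendations above only help if they are actually in force on the host, and each one can be checked locally. The following PowerShell is an added example, not code from the article or from Huntress; it assumes an elevated session, the documented registry locations for Memory Integrity (`DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity`) and the blocklist switch (`CI\Config\VulnerableDriverBlocklistEnable`), the `Win32_DeviceGuard` WMI class, and the ASR rule GUID 56a863a9-875e-4185-98a7-b882c64b5ce5 for "Block abuse of exploited vulnerable signed drivers". Hosts without Microsoft Defender will simply report the ASR rule as not configured.

```powershell
# Added posture check (not from the original article). Run from an elevated PowerShell.
function Get-ByovdPosture {
    # Memory Integrity: "configured" comes from the registry, "running" from Win32_DeviceGuard.
    $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $hvciConfigured = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard `
                          -ErrorAction SilentlyContinue
    $hvciRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)   # 2 = HVCI

    # Vulnerable Driver Blocklist: enforced whenever HVCI is running; on other hosts the
    # CI\Config value is the switch (1 = on). A missing value means "default", which varies
    # by Windows build, so treat "not present and HVCI off" as unknown rather than enforced.
    $ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklistValue = (Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable `
                       -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $blocklist = if ($hvciRunning -or $blocklistValue -eq 1) { 'Enforced' }
                 elseif ($blocklistValue -eq 0)              { 'Disabled' }
                 else                                         { 'Unknown (build default)' }

    # Defender ASR rule "Block abuse of exploited vulnerable signed drivers".
    $asrId = '56a863a9-875e-4185-98a7-b882c64b5ce5'
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    $asrAction = $null
    if ($mp -and $mp.AttackSurfaceReductionRules_Ids) {
        $ids = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
        $i = [array]::IndexOf($ids, $asrId)
        if ($i -ge 0) { $asrAction = [int]$mp.AttackSurfaceReductionRules_Actions[$i] }
    }
    $asrState = switch ($asrAction) { 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } 0 { 'Off' } default { 'NotConfigured' } }

    [pscustomobject]@{
        HvciConfigured          = $hvciConfigured
        HvciRunning             = $hvciRunning
        VulnerableDriverBlocklist = $blocklist
        AsrVulnDriverRule       = $asrState
    }
}

Get-ByovdPosture
```

A host that reports HvciRunning false, the blocklist not enforced, and the ASR rule not in Block mode has none of the endpoint controls the article recommends, and a driver like the one described here would load on it regardless of its revoked certificate. Note that the blocklist and the ASR rule are both list-based; a driver that has not yet been added, or one grandfathered in through the pre-2015 signing window, is only stopped by a WDAC policy that allow-lists drivers explicitly.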
(Source: HelpNet Security)