Index / BYOVD (Vulnerable Driver) / Microsoft
Bypass Record

BYOVD (Vulnerable Driver) × Microsoft Windows Defender

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Windows Defender
Technique
BYOVD (Vulnerable Driver)
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
in the wild
Disclosed
2023-05-31
Config / version noted
Not stated

Provenance

Reported as

terminate security software user-mode processes... defeats AV/EDR/XDR by killing their processes

Mechanism

Terminator drops a signed Zemana kernel driver (zamguard64.sys or zam64.sys) into System32 with a random name, then loads it to exploit kernel privileges to terminate user-mode processes of security products. This defeats AV/EDR/XDR by killing their processes.

Detection & mitigation

Monitor for loading of known vulnerable drivers (e.g., Zemana zamguard64.sys/zam64.sys) via Sysmon Event ID 6 (driver load) or EDR telemetry; blocklist vulnerable driver hashes/signatures using Windows Defender Application Control (WDAC) or vendor-specific driver block rules.

BYOVD (Vulnerable Driver) has also been recorded against

AvastBaiduBattlEyeBitdefenderCarbon BlackCortexCrowdStrikeCylanceEasy Anti-CheatEasyAntiCheatElasticFortinet

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.