Bypass Record

BYOVD (Vulnerable Driver) × Avast Anti-Rootkit driver (aswarpot.bin)

A publicly reported instance of BYOVD (Vulnerable Driver) bypassing the Avast Anti-Rootkit driver (aswarpot.bin), recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Avast Anti-Rootkit driver (aswarpot.bin)
Technique
BYOVD (Vulnerable Driver)
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
poc
Disclosed
2024-09-21
Config / version noted
Not stated

Provenance

Reported as

uses the driver's kernel-level access to terminate processes belonging to security products, defeating user-mode protection

Mechanism

BYOVD: writes a known vulnerable Avast driver to disk, creates a service to load it, then uses the driver's kernel-level access to terminate processes belonging to security products, defeating user-mode protection.

Detection & mitigation

Monitor for the creation of services with unusual driver paths (e.g., in temporary or user-writable directories) and the loading of known vulnerable drivers by hash or signature. Mitigation: enforce driver block rules via WDAC or vulnerable driver blocklist, and restrict SeLoadDriverPrivilege to authorized users only.
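The two detection signals above (a kernel-driver service registered from a user-writable path, and a driver load whose hash is on a vulnerable-driver blocklist) as a small Python triage routine over constructed Windows event records. This is an added example, not code from the record's source; the event shapes, paths, service names and hashes are assumptions or labelled placeholders.

```python
import re

# Paths a legitimately installed kernel driver is not expected to live in,
# matched case-insensitively against the normalised image path.
USER_WRITABLE = re.compile(
    r"^(?:[A-Za-z]:\\(?:Users|ProgramData|Temp)\\|.*\\AppData\\|.*\\Temp\\)",
    re.IGNORECASE,
)

# Constructed sample events, not real telemetry. 7045 = System log
# "service installed"; 6 = Sysmon "driver loaded". Hashes are placeholders.
SAMPLE_EVENTS = [
    {"id": 7045, "service": "e1dexpress", "service_type": "kernel mode driver",
     "image_path": r"\??\C:\Windows\System32\drivers\e1d.sys"},
    {"id": 7045, "service": "aswarpot", "service_type": "kernel mode driver",
     "image_path": r"\??\C:\Users\bob\AppData\Local\Temp\aswarpot.bin"},
    {"id": 7045, "service": "UpdaterSvc", "service_type": "user mode service",
     "image_path": r"C:\Users\bob\updater.exe"},
    {"id": 6, "image_loaded": r"C:\Windows\Temp\aswarpot.bin",
     "sha256": "PLACEHOLDER_SHA256_VULNERABLE_DRIVER"},
    {"id": 6, "image_loaded": r"C:\Windows\System32\drivers\disk.sys",
     "sha256": "PLACEHOLDER_SHA256_DISK_SYS"},
]
# Constructed blocklist (in practice the vendor vulnerable-driver blocklist
# or your own hash set), stored lower-case for comparison.
BLOCKLIST = {"placeholder_sha256_vulnerable_driver"}


def normalise_path(path: str) -> str:
    """Strip the NT object-manager prefix that 7045 ImagePath values often carry."""
    return path.removeprefix("\\??\\")


def flag_driver_events(events, blocklist):
    """Return (event index, reason) for events matching the BYOVD pattern."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("id") == 7045:
            # Only kernel-mode driver services matter here; user-mode services
            # from user directories are a separate, noisier detection.
            if ev.get("service_type", "").lower() != "kernel mode driver":
                continue
            if USER_WRITABLE.match(normalise_path(ev.get("image_path", ""))):
                findings.append((i, "kernel driver service installed from user-writable path"))
        elif ev.get("id") == 6:
            if ev.get("sha256", "").lower() in blocklist:
                findings.append((i, "known vulnerable driver loaded (hash on blocklist)"))
            elif USER_WRITABLE.match(normalise_path(ev.get("image_loaded", ""))):
                findings.append((i, "driver loaded from user-writable path"))
    return findings
```

On the sample data only the two aswarpot events are flagged: the service install (by path) and the driver load (by hash); with an empty blocklist the load is still caught by its Temp path.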


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.