Attackers are increasingly abusing trusted Windows drivers to turn off antivirus (AV) and endpoint detection and response (EDR) tools, using a technique known as Bring Your Own Vulnerable Driver (BYOVD).
Once considered niche, BYOVD has rapidly become a standard component of modern ransomware campaigns, enabling threat actors to operate at the highest privilege level in Windows environments.
Security researchers highlight that defense evasion is now a critical phase in cyber intrusions. Rather than avoiding detection, attackers are directly targeting and turning off security controls.
BYOVD enables this by exploiting legitimate, digitally signed drivers that contain known vulnerabilities. Because Windows trusts these drivers, they can be loaded without raising alarms.
Windows Drivers Kill AV and EDR
Windows operates using two privilege levels: user mode and kernel mode. While user mode restricts applications, kernel mode provides near-complete control over the system. By leveraging a vulnerable driver, attackers can execute malicious actions in kernel mode.
For example, after gaining administrative access, an attacker can install a signed but flawed driver and send it crafted commands to exploit its weaknesses. The most common outcome is the termination of AV or EDR processes.
In other cases, attackers silently degrade security tools rather than killing them, for example by stripping the agent's process or token privileges or by modifying kernel structures such as callback registrations so that monitoring components stop receiving events. This effectively blinds defenses while the tools still appear to be running normally.
BYOVD has become highly accessible. Hundreds of vulnerable drivers are publicly documented, and new ones continue to emerge.

Open-source and underground tools such as TrueSightKiller, GhostDriver, and AuKill automate the process of abusing these drivers to terminate security processes.
Some ransomware groups now integrate BYOVD capabilities directly into their payloads, reducing the need for separate tooling.
Although BYOVD dominates, attackers also use alternative methods. Windows includes a protection mechanism called Protected Process Light (PPL) that prevents tampering with security services.
However, attackers can bypass this by suspending protected processes instead of terminating them. A suspended security tool stops functioning but appears to be running normally, preventing automatic recovery.
Another technique involves exploiting Windows trust hierarchies. If attackers gain control of a higher-trust process, they can manipulate or terminate lower-trust security services.
Some campaigns also disrupt communication between endpoint agents and cloud-based intelligence services, weakening detection without altering the local agent.

Microsoft has introduced several kernel hardening features, including Kernel Address Space Layout Randomization (KASLR), Hypervisor-Protected Code Integrity (HVCI), and Kernel Control Flow Guard (KCFG).
While these mitigate certain attack classes, they do not effectively stop BYOVD. The reason is that these features protect kernel code and control flow, whereas BYOVD attackers are not injecting new kernel code: they use the signed driver's own functionality to modify existing kernel data structures, an approach that falls outside what those protections cover.
According to Security.com, Microsoft does not consider administrator-to-kernel escalation a strict security boundary. As a result, many BYOVD techniques are not treated as vulnerabilities and may not receive immediate patches or CVE assignments.
Defensive efforts, such as Microsoft’s vulnerable driver blocklist and signature-based detection, provide only limited protection.
Blocklists often lag behind newly discovered drivers, and attackers can quickly switch to alternative drivers or modify tools to evade detection.
A more effective approach is behavioral monitoring. Instead of focusing on known malicious drivers, security solutions are beginning to analyze how drivers are used.
For instance, detecting unusual input/output control (IOCTL) requests, such as commands that attempt to terminate security processes, can reveal BYOVD activity regardless of the specific driver involved. If a newly dropped driver suddenly issues commands to kill multiple security services, a behavioral system can flag this anomaly even if the driver itself was previously unknown.
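As an added illustration of the behavioral approach described above (example code written for this article, not a vendor's product or the article's own material), the following Python script runs a simple correlation over constructed endpoint telemetry. The JSON-lines event format, its field names (driver_load, process_term, via_driver), the driver paths, the signer names and the placeholder hashes are all assumptions invented for the example; the list of security process names is illustrative and would come from the agent inventory in practice. The logic flags any driver whose IOCTL interface was used to terminate a security process, and raises the severity when the driver was loaded from a non-standard path or targets more than one security service, which is exactly the "newly dropped driver kills multiple services" pattern the text describes.

```python
"""Behavioral BYOVD detection over constructed endpoint telemetry (example, not vendor code)."""
import json
from datetime import datetime, timedelta

# Illustrative set of security-agent process names. MsMpEng.exe and MsSense.exe are
# real Microsoft Defender processes; ExampleEdrAgent.exe is a constructed placeholder.
SECURITY_PROCESSES = {"MsMpEng.exe", "MsSense.exe", "ExampleEdrAgent.exe"}

# Drivers loaded from outside the system driver directory are treated as "newly dropped".
STANDARD_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
WINDOW = timedelta(minutes=5)   # how soon after a load a kill counts as "sudden"
KILL_THRESHOLD = 2              # distinct security processes needed for "multiple"

# Constructed sample telemetry (assumed schema; hashes are placeholders, not real IoCs).
SAMPLE_EVENTS = r"""
{"ts": "2024-05-01T08:00:00", "type": "driver_load", "image": "C:\\Windows\\System32\\drivers\\vendorcpu.sys", "signer": "Example Hardware Vendor Ltd", "sha256": "PLACEHOLDER_VENDOR"}
{"ts": "2024-05-01T10:00:00", "type": "driver_load", "image": "C:\\Windows\\System32\\drivers\\tcpip.sys", "signer": "Microsoft Windows", "sha256": "PLACEHOLDER_KNOWN_GOOD"}
{"ts": "2024-05-01T10:01:05", "type": "driver_load", "image": "C:\\Users\\Public\\tmp\\helper.sys", "signer": "Example Hardware Vendor Ltd", "sha256": "PLACEHOLDER_UNKNOWN"}
{"ts": "2024-05-01T10:01:07", "type": "process_term", "source_pid": 5120, "via_driver": "C:\\Users\\Public\\tmp\\helper.sys", "target": "MsMpEng.exe"}
{"ts": "2024-05-01T10:01:08", "type": "process_term", "source_pid": 5120, "via_driver": "C:\\Users\\Public\\tmp\\helper.sys", "target": "MsSense.exe"}
{"ts": "2024-05-01T10:01:09", "type": "process_term", "source_pid": 5120, "via_driver": "C:\\Users\\Public\\tmp\\helper.sys", "target": "notepad.exe"}
{"ts": "2024-05-01T10:05:00", "type": "process_term", "source_pid": 7788, "target": "notepad.exe"}
{"ts": "2024-05-01T10:30:00", "type": "process_term", "source_pid": 9001, "via_driver": "C:\\Windows\\System32\\drivers\\vendorcpu.sys", "target": "ExampleEdrAgent.exe"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def is_newly_dropped(load_ev):
    """A driver loaded from anywhere but the system driver directory is 'newly dropped'."""
    return not load_ev["image"].lower().startswith(STANDARD_DRIVER_DIR)


def detect_byovd(events):
    """Return one alert per driver whose IOCTL path was used to terminate security processes."""
    loads = {}      # lowercased driver path -> its driver_load event
    activity = {}   # lowercased driver path -> {"targets": set, "first_kill": datetime}
    for ev in events:
        if ev["type"] == "driver_load":
            loads[ev["image"].lower()] = ev
        elif ev["type"] == "process_term" and ev.get("via_driver"):
            if ev["target"] not in SECURITY_PROCESSES:
                continue  # driver-mediated kills of ordinary processes are out of scope here
            drv = ev["via_driver"].lower()
            rec = activity.setdefault(drv, {"targets": set(), "first_kill": ev["ts"]})
            rec["targets"].add(ev["target"])

    alerts = []
    for drv, rec in activity.items():
        reasons = ["security process terminated via driver IOCTL"]
        load_ev = loads.get(drv)
        newly_dropped = False
        if load_ev is None:
            reasons.append("no load event observed for this driver")
        else:
            newly_dropped = is_newly_dropped(load_ev)
            if newly_dropped:
                reasons.append("driver loaded from non-standard path")
            if rec["first_kill"] - load_ev["ts"] <= WINDOW:
                reasons.append("kill issued within %d min of driver load" % (WINDOW.seconds // 60))
        multiple = len(rec["targets"]) >= KILL_THRESHOLD
        if multiple:
            reasons.append("multiple security processes targeted")
        severity = "high" if (newly_dropped or multiple) else "medium"
        alerts.append({"driver": drv, "targets": sorted(rec["targets"]),
                       "severity": severity, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["driver"])


if __name__ == "__main__":
    for alert in detect_byovd(parse_events(SAMPLE_EVENTS)):
        print(alert["severity"].upper(), alert["driver"], alert["targets"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

The point of keying on the termination behavior rather than on the driver's hash is that the second driver in the sample, a vendor driver sitting in the normal system directory, still produces an alert when it is used to kill an agent, only at lower severity; swapping in a different driver that the blocklist has not yet caught does not change the pattern a detector like this sees.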
As BYOVD continues to evolve, defenders are shifting toward proactive detection strategies. Monitoring driver behavior rather than relying solely on signatures may help close the gap and limit attackers’ ability to turn off critical security controls.