Threat actors have increasingly weaponised the BYOVD (bring your own vulnerable driver) technique to disable security products by exploiting Windows drivers, sometimes dropping a kernel-level payload to terminate security processes before deploying ransomware, infostealers or backdoors, according to Dark Reading. The article notes that ransomware groups have been among those adopting BYOVD, and highlights a recent case involving an EnCase driver whose signing certificate expired in 2010 and was subsequently revoked, underscoring a large loophole in Windows protections.
It explains that Windows loads drivers at boot with only limited ability to consult certificate revocation lists. Microsoft has built-in measures such as Driver Signature Enforcement and the Vulnerable Driver Blocklist, introduced after Windows 11 2022, but these controls can still be bypassed by legacy cross-signed drivers.
The piece also points out that the blocklist is updated only infrequently, allowing newer BYOVD variants to slip through for months, and discusses the tension between blocking drivers and preserving compatibility for legacy or critical systems. According to Microsoft, the company evaluates impact and applies fixes and layered protections through Defender when vulnerable drivers are detected.
The article suggests that more proactive measures and real-time, cloud-like updates could narrow the window of opportunity, while acknowledging that the problem may worsen before alternative strategies are fully realised. It concludes by advocating a layered security approach, including tailored detection for BYOVD indicators and heightened collaboration among vendors and end users, with Part 2 promised next week.
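As an added example (not from the article, Dark Reading or Microsoft), the following PowerShell audit covers two of the conditions the article describes: whether the Vulnerable Driver Blocklist is enabled on an endpoint, and which running kernel drivers carry an invalid, expired or untrusted signature. It assumes an elevated prompt on Windows 10/11; the registry value name is the one Microsoft documents for the blocklist, and the drivers listed are a triage starting point rather than a verdict.

```powershell
# Added example (not from the article or Microsoft): audit a Windows endpoint
# for a disabled Vulnerable Driver Blocklist and for running kernel drivers
# whose signature is invalid, whose signer certificate has expired, or whose
# chain no longer verifies (revoked or untrusted). Run elevated.

# 1. Is the Microsoft Vulnerable Driver Blocklist enabled? (documented CI value)
$ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$bl = Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
if ($bl -and $bl.VulnerableDriverBlocklistEnable -eq 1) {
    Write-Host 'Vulnerable Driver Blocklist: enabled'
} else {
    Write-Host 'Vulnerable Driver Blocklist: NOT enabled (or value absent)'
}

# 2. Normalise the image paths reported by the service control manager.
function Resolve-DriverPath([string]$p) {
    $p = $p -replace '^\\\?\?\\', ''                            # \??\C:\...  -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"      # \SystemRoot\ -> C:\Windows\
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"  # relative system32 paths
    return $p
}

# 3. Inspect the signature of every running driver image.
$now = Get-Date
$findings = foreach ($drv in (Get-CimInstance Win32_SystemDriver |
                              Where-Object { $_.State -eq 'Running' -and $_.PathName })) {
    $path = Resolve-DriverPath $drv.PathName
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Get-AuthenticodeSignature reports embedded or catalog signatures.
    $sig   = Get-AuthenticodeSignature -FilePath $path
    $cert  = $sig.SignerCertificate
    $notes = @()
    if ($sig.Status -ne 'Valid') { $notes += "signature status: $($sig.Status)" }
    if ($cert) {
        if ($cert.NotAfter -lt $now) { $notes += "signer cert expired $($cert.NotAfter.ToString('yyyy-MM-dd'))" }
        # X509Certificate2.Verify() builds the chain with online revocation checking.
        if (-not $cert.Verify()) { $notes += 'signer chain not trusted or revoked' }
    } else {
        $notes += 'no signer certificate'
    }
    if ($notes.Count -gt 0) {
        [pscustomobject]@{
            Driver = $drv.Name
            Path   = $path
            Signer = if ($cert) { $cert.Subject } else { '' }
            Notes  = $notes -join '; '
        }
    }
}

$findings | Sort-Object Driver | Format-Table -AutoSize
```

An expired signer certificate on a driver signed with a valid timestamp is normal for older legitimate drivers, so each flagged entry needs to be checked against the vendor and the current Microsoft blocklist before any action is taken.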