Driver of destruction: How a legitimate driver is being used to take down AV processes securelist.com/av-killer…

In a recent incident response case in Brazil, we spotted intriguing new antivirus (AV) killer software that has been circulating in the wild since at least October 2024. This malicious artifact abuses the ThrottleStop.sys driver, delivered together with the malware, to terminate numerous antivirus processes and lower the system’s defenses as part of a technique known as BYOVD (Bring Your Own Vulnerable Driver). AV killers that rely on various vulnerable drivers are a known problem. We have recently seen an uptick in cyberattacks involving this type of malware.

It is important to note that Kaspersky products, such as Kaspersky Endpoint Security (KES), have built-in self-defense mechanisms that prevent the alteration or termination of memory processes, deletion of application files on the hard drive, and changes in system registry entries. These mechanisms effectively counter the AV killer described in the article.