EnPortv.sys
EnPortv.sys refers to an EDR-killer tool observed abusing the legitimate but vulnerable/revoked Guidance Software EnCase kernel driver EnPortv.sys in a Bring Your Own Vulnerable Driver (BYOVD) technique to disable security products on Windows systems. In the reported Huntress incident, the malware was a 64-bit executable disguised as a legitimate firmware update utility. It installed the old EnCase driver as a fake OEM hardware service to achieve reboot-resistant persistence, then used the driver’s kernel-mode IOCTL interface to terminate security processes, including bypassing Protected Process Light (PPL). The tool reportedly targeted 59 EDR- and antivirus-related processes and ran a kill loop every second to terminate restarted defenses. The intrusion in which it was used began with compromised SonicWall SSL VPN credentials on an account without MFA, followed by internal reconnaissance including ping sweeps, NetBIOS probes, SMB activity, and high-rate SYN flooding. Huntress assessed the activity as likely ransomware-related, although the final payload was not deployed before the intrusion was disrupted. High-confidence indicators and traits directly mentioned include abuse of the EnPortv.sys EnCase driver, use of a revoked certificate that Windows still accepted due to legacy signing/timestamp behavior, masquerading as an OEM hardware service, and repeated termination of security tooling from kernel mode.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
IOCs tracked for this family
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A legitimate but revoked EnCase kernel driver abused via BYOVD to gain kernel-level capabilities and terminate EDR/AV processes (including bypassing Protected Process Light) through its IOCTL interface; used as part of a custom EDR-killer tool with persistence via a fake OEM hardware service.
A legitimate but revoked EnCase kernel driver abused via BYOVD to gain kernel-level capabilities and terminate EDR/AV processes (including bypassing Protected Process Light) through its IOCTL interface; used to provide reboot-resistant persistence by registering as a fake OEM hardware service.
A legitimately signed (but expired/revoked) EnCase forensic kernel driver repurposed via BYOVD. Once loaded, it exposes IOCTLs (notably KillProc via IOCTL 0x223078) that allow a user-mode controller to terminate arbitrary processes from kernel mode, bypassing user-mode protections (including PPL) and effectively disabling EDR/AV tooling.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.