BYOVD: The Windows Kernel Internals That Let Attackers Kill Your EDR
ID: a75a2cca-b5c2-5ea7-a1fd-1e7f25e705c6
STIX ID: report--a75a2cca-b5c2-5ea7-a1fd-1e7f25e705c6
Feed Name: NoHackie
In February 2026 Huntress investigated an intrusion in which the adversary decoded and loaded an expired/revoked EnCase kernel driver (EnPortv.sys) to obtain Ring 0 access and neutralize EDR agents, a Bring Your Own Vulnerable Driver (BYOVD) technique. The report explains how Windows kernel architecture and driver-signing exceptions (no CRL checks and acceptance of legacy signatures) let such a driver be loaded and then used for arbitrary kernel memory read/write, kernel callback tampering, and stripping Protected Process Light (PPL) protection from security processes. It describes three vulnerability classes exploited in the wild, documents the attack chain and payload obfuscation, and recommends mitigations: enabling HVCI (Memory Integrity), deploying WDAC or other driver allowlisting, auditing installed drivers, monitoring driver installation, and enforcing credential hygiene.
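The mitigations the summary lists (check that HVCI is really running, audit loaded drivers, watch driver installation) translate into a short host-triage script. The following is an added example written for this page, not code from the Huntress report; it assumes an elevated PowerShell 5.1 or later session on Windows 10/11, and the property order it reads from System event 7045 (ServiceName, ImagePath, ServiceType, StartType, AccountName) is the documented EventData layout. Function names are this example's own. One caveat built in: a driver whose signing certificate has expired can still report a Valid Authenticode status when the signature was timestamped, which is exactly the "legacy acceptance" the report discusses, so expiry is reported as a separate column.

```powershell
# Added example (not from the Huntress report): BYOVD exposure triage for one Windows host.
# Assumes an elevated PowerShell session on Windows 10/11.

# 1. Is HVCI (Memory Integrity) actually running, and is a WDAC policy enforced?
#    Win32_DeviceGuard: SecurityServicesRunning contains 2 when HVCI is active;
#    CodeIntegrityPolicyEnforcementStatus is 0 = off, 1 = audit, 2 = enforced.
function Get-HvciState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        HvciConfigured  = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning     = ($dg.SecurityServicesRunning -contains 2)
        WdacEnforcement = $dg.CodeIntegrityPolicyEnforcementStatus
    }
}

# 2. Inventory running kernel drivers: on-disk image, signer, signature status,
#    certificate expiry and SHA-256 (pivot the hash into a vulnerable-driver list
#    such as loldrivers.io or your own blocklist).
function Get-LoadedDriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.State -eq 'Running' } | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }
        # Normalise NT-style paths: \??\C:\..., \SystemRoot\..., or a path relative to %SystemRoot%
        $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
        if (-not (Test-Path -LiteralPath $path)) { return }

        $sig  = Get-AuthenticodeSignature -FilePath $path
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            Name            = $_.Name
            Path            = $path
            SigStatus       = $sig.Status
            Signer          = if ($cert) { $cert.Subject } else { $null }
            # Timestamped signatures stay Valid after the cert expires; flag expiry separately.
            CertExpired     = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
            # WHQL-attested third-party drivers are also signed under O=Microsoft Corporation,
            # so this column only separates Microsoft-chain signatures from everything else.
            MicrosoftSigned = if ($cert) { $cert.Subject -match 'O=Microsoft Corporation' } else { $false }
            Sha256          = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

# 3. Detection: kernel-mode driver services installed (System 7045) and Code Integrity
#    load decisions (CodeIntegrity/Operational 3077 = blocked, 3076 = audit only) in the last N days.
function Get-RecentDriverInstallEvents {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    $installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'kernel mode driver' } |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Kind        = 'DriverServiceInstalled'
                ServiceName = $_.Properties[0].Value
                ImagePath   = $_.Properties[1].Value
            }
        }

    $blocks = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Best-effort: pull the image path out of the event message text.
            $img = if ($_.Message -match 'attempted to load (\S+)') { $Matches[1] } else { $_.Message }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Kind        = if ($_.Id -eq 3077) { 'CodeIntegrityBlocked' } else { 'CodeIntegrityAuditOnly' }
                ServiceName = $null
                ImagePath   = $img
            }
        }

    @($installs) + @($blocks) | Sort-Object Time -Descending
}

# Run the triage.
$hvci = Get-HvciState
if (-not $hvci.HvciRunning) {
    Write-Warning 'HVCI is not running: once a vulnerable driver is loaded, unsigned kernel code can execute.'
}
$hvci | Format-List

Get-LoadedDriverInventory |
    Where-Object { -not $_.MicrosoftSigned -or $_.SigStatus -ne 'Valid' -or $_.CertExpired } |
    Format-Table Name, Signer, SigStatus, CertExpired, Sha256 -AutoSize

Get-RecentDriverInstallEvents -Days 7 | Format-Table Time, Kind, ServiceName, ImagePath -AutoSize
```

Two notes on interpreting the output. HVCI stops unsigned code from executing in the kernel, but it does not by itself refuse to load a signed driver; whether a known-vulnerable driver is rejected depends on the Microsoft vulnerable driver blocklist being active or on your WDAC policy, and a driver that is not on either list still hands the attacker the data-only read/write primitive used to null out callbacks and strip PPL. That is why the inventory and the 7045 feed matter even on an HVCI-enabled host: a non-Microsoft signer, an expired certificate, or a freshly installed kernel-mode service that is not part of a known deployment is the signal to pull the file and its hash for further review.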
