
Threat actors know that most organizations run some form of endpoint defense, whether next-generation antivirus (NGAV), endpoint detection and response (EDR), or an endpoint protection platform (EPP). Getting around those defenses is part of their playbook, and MITRE ATT&CK catalogs it under the Defense Evasion tactic, most directly in the Impair Defenses technique (T1562).
These actors are moving beyond merely evading detection, and beyond basic impairment, to outright disabling threat-detection tools. That creates a "dark zone" in which they can establish footholds, move laterally, exfiltrate data, and deploy ransomware with no visibility for IT and security teams. This isn't just evasion; it's active destruction of the security stack.
Attacker tradecraft and tools: How they’re wrecking antivirus and EDR
Threat actors use several methods to impair, block, and disable endpoint security controls. Here are the most common approaches:
- Blocking AV and EDR communications
Attackers can blind an EDR agent with hostile Windows Firewall rules in two ways: creating ordinary firewall rules through the usual management interfaces, which is somewhat noisy but effective, or adding filters directly through the Windows Filtering Platform (WFP), which do not appear in the firewall console and are easy to overlook. Either way, the filters block the agent's outbound connections to its cloud platform. The agent keeps running locally, giving users a false sense of security, but it is effectively silenced: no telemetry, no alerts, no remote response. EDRSilencer automates the WFP variant by adding persistent block filters for a built-in list of EDR executables; EDRSandblast, often named alongside it, takes a different route and loads a vulnerable driver to strip kernel callbacks, which is the BYOVD approach described below.
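The following PowerShell is an added hunting script, not code from the Huntress post or the tools it names. It looks for both variants described above: ordinary outbound block rules whose program filter points at a security agent, and WFP block filters carrying an application-ID condition on such a binary, which `Get-NetFirewallRule` never shows. The vendor path fragments in `$agentPathHints` are illustrative assumptions, and the XML field names follow the `netsh wfp show filters` export format as I know it; verify them against an export from your own build.

```powershell
# Added example: hunt for firewall rules and WFP filters that silence endpoint-security agents.
# Path fragments below are assumptions for illustration; extend them for your own stack.
#Requires -RunAsAdministrator

$agentPathHints = @('huntress', 'crowdstrike', 'sentinelone', 'windows defender', 'msmpeng', 'elastic')

function Test-SecurityAgentPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    $p = $Path.ToLowerInvariant()
    foreach ($hint in $agentPathHints) { if ($p.Contains($hint)) { return $true } }
    return $false
}

# 1) Ordinary firewall rules: outbound + Block + an application filter naming an agent binary.
Write-Host "== Outbound block rules targeting security agents =="
Get-NetFirewallRule -Direction Outbound -Action Block -ErrorAction SilentlyContinue |
    ForEach-Object {
        $rule = $_
        $app  = $rule | Get-NetFirewallApplicationFilter
        if (Test-SecurityAgentPath $app.Program) {
            [pscustomobject]@{ Name = $rule.DisplayName; Enabled = $rule.Enabled; Program = $app.Program }
        }
    } | Format-Table -AutoSize

# 2) WFP filters: invisible to the firewall console, so export the filter set and parse the XML.
#    Element names (wfpdiag/filters/item, action/type, filterConditions/item, flags/item) are
#    assumed from the netsh export format; confirm against your own export.
$xmlPath = Join-Path $env:TEMP 'wfpfilters.xml'
netsh wfp show filters file="$xmlPath" | Out-Null
[xml]$wfp = Get-Content -Path $xmlPath -Raw

Write-Host "== WFP block filters with an application-ID condition on security agents =="
foreach ($f in $wfp.wfpdiag.filters.item) {
    if ($f.action.type -ne 'FWP_ACTION_BLOCK') { continue }
    foreach ($cond in $f.filterConditions.item) {
        if ($cond.fieldKey -ne 'FWPM_CONDITION_ALE_APP_ID') { continue }
        $appId = $cond.conditionValue.byteBlob.asString      # device path of the filtered binary
        if (Test-SecurityAgentPath $appId) {
            [pscustomobject]@{
                FilterId   = $f.filterId
                Name       = $f.displayData.name
                Layer      = $f.layerKey
                AppId      = $appId
                Persistent = (@($f.flags.item) -contains 'FWPM_FILTER_FLAG_PERSISTENT')
            }
        }
    }
}

# 3) Audit trail: 4946/4947 (firewall rule added/modified) and 5447 (WFP filter changed).
Write-Host "== Recent firewall/WFP change events =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4946, 4947, 5447; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Two caveats for step 3: event 4946/4947 require the "Audit MPSSVC Rule-Level Policy Change" subcategory and 5447 requires "Audit Filtering Platform Policy Change", both of which are off by default. And `netsh wfp` can show filters but cannot delete them; removing a rogue WFP filter takes the `FwpmFilterDeleteById0` API or a tool that wraps it, which is one reason this variant is attractive to attackers.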
- Escalate privileges, uninstall agents
Once an attacker lands on an endpoint, administrative privileges give them far more latitude to install their tools, apply their tradecraft, and get to work. Sometimes they don't even need to escalate: if permissions aren't properly locked down, any user may already be allowed to add or remove software.
Even though it is a noisy approach, uninstalling an EDR agent is effective at blinding IT and security teams to an attack. Attackers count on the lack of real-time visibility into the endpoint, betting that nobody is watching closely enough to catch even such an obvious move.
- Bring Your Own Vulnerable Driver (BYOVD)
This is the new "gold standard" for EDR impairment. Attackers "bring" a legitimate, digitally signed driver that contains a known vulnerability (for example, an old gaming driver or hardware utility). Because the driver carries a signature Windows still trusts, it is allowed to load into the kernel. The attacker then exploits the driver's vulnerability, typically an arbitrary-write or arbitrary-process-termination primitive exposed through its IOCTL interface, to gain kernel-mode access. From there they strip the kernel callbacks the EDR depends on or terminate protected EDR processes (Protected Process Light) that even an administrator cannot kill from user mode.
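As an added example, not code from the Huntress post, here is a PowerShell hunt for the conditions BYOVD relies on: a running third-party kernel driver with a weak signing story (pre-2015 certificate that falls under the legacy signing exception, non-valid signature status, or a non-standard load path), a missing vulnerable-driver blocklist, and recent kernel-driver service installs. The date cutoff, the "standard path" heuristic and the seven-day window are assumptions; the SHA256 column is there so you can look hashes up in a vulnerable-driver feed such as LOLDrivers. Note that `Get-AuthenticodeSignature` does not reliably reflect revocation, so a revoked certificate like the one in the EnCase case below may still report as Valid.

```powershell
# Added example: inventory running third-party kernel drivers and flag BYOVD-relevant properties.
# Thresholds and heuristics are assumptions; pair the SHA256 output with a LOLDrivers lookup.
#Requires -RunAsAdministrator

# Windows 10 legacy exception: drivers signed with certificates issued before this date may load
# without attestation signing. Assumption: treat anything older as worth a second look.
$legacyCutoff = Get-Date '2015-07-29'

function Resolve-DriverPath {
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''                       # strip the \??\ prefix
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -notmatch '^[A-Za-z]:\\') {                           # \SystemRoot\... or system32\... forms
        $p = Join-Path $env:SystemRoot ($p -replace '^\\SystemRoot\\', '')
    }
    return $p
}

function Get-SuspiciousKernelDrivers {
    $results = foreach ($drv in Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' -and $_.PathName }) {
        $path = Resolve-DriverPath $drv.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig  = Get-AuthenticodeSignature -FilePath $path
        $cert = $sig.SignerCertificate
        # Skip first-party Microsoft drivers only; WHQL-signed third-party drivers
        # ("Microsoft Windows Hardware Compatibility Publisher") are still inspected.
        if ($cert -and $cert.Subject -match '^CN=Microsoft (Windows|Corporation),') { continue }

        $reasons = @()
        if ($sig.Status -ne 'Valid')                          { $reasons += "signature status $($sig.Status)" }
        if ($cert -and $cert.NotBefore -lt $legacyCutoff)     { $reasons += "cert issued $($cert.NotBefore.ToString('yyyy-MM-dd')), before legacy cutoff" }
        if ($path -notmatch '\\Windows\\System32\\drivers\\') { $reasons += 'loaded from non-standard path' }

        [pscustomobject]@{
            Service = $drv.Name
            Path    = $path
            Signer  = if ($cert) { $cert.Subject } else { '(unsigned)' }
            SHA256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Reasons = ($reasons -join '; ')
        }
    }
    $results | Where-Object { $_.Reasons }                        # only drivers with a finding
}

function Get-DriverBlocklistPosture {
    # HVCI: SecurityServicesRunning contains 2 when hypervisor-enforced code integrity is active.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # Microsoft vulnerable driver blocklist toggle (documented registry value).
    $bl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HVCIRunning                      = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
        VulnerableDriverBlocklistEnabled = ($bl.VulnerableDriverBlocklistEnable -eq 1)
    }
}

Get-DriverBlocklistPosture | Format-List
Get-SuspiciousKernelDrivers | Format-Table -AutoSize

# The driver must be registered as a service before it can load, so System log 7045
# ("A service was installed") for a kernel-mode driver is the noisiest BYOVD artefact.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'kernel mode driver' } |
    Select-Object TimeCreated, @{ n = 'Detail'; e = { (($_.Message -split "`n") | Select-Object -First 4) -join ' | ' } } |
    Format-Table -Wrap
```

The posture check matters as much as the inventory: with HVCI and the Microsoft vulnerable driver blocklist enabled, many of the drivers these EDR killers ship with are refused at load time, and the attacker has to find a driver not yet on the list.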
Real-world examples
The Huntress SOC and threat hunters consistently see threat actors trying to impair defenses: attempting to uninstall our EDR agent and using BYOVD to try to kill AV and the EDR agent. Here are some examples of the tradecraft our experts have detected.
- Messing with Defender Antivirus
Huntress frequently sees attackers try to blind Microsoft Defender Antivirus. They have several techniques for this, such as Windows Firewall rules that block Defender's network communication and over-broad Defender exclusions.
Figure 1: Abusing Defender AV exclusions to exclude the C:\ and C:\Windows paths
Figure 2: Abusing Windows Defender Antivirus exclusions to impair AV
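The exclusion abuse in Figures 1 and 2 is easy to check for. The PowerShell below is an added example, not code from the Huntress post: it flags exclusions broad enough to cover a sensitive root (the system drive, Windows directory, Program Files, ProgramData, user profiles), executable extensions, and LOLBin or wildcard process exclusions, then pulls the Defender operational events that record configuration changes. The list of sensitive roots and the extension and process lists are assumptions to tune for your environment.

```powershell
# Added example: find Defender exclusions that effectively disable scanning, and the
# Defender events that record how they got there. Lists below are assumptions to tune.

function Get-OverbroadDefenderExclusions {
    param(
        # An exclusion covering any of these (or a parent of them) blinds the scanner. Assumed list.
        [string[]]$SensitiveRoots = @("$env:SystemDrive\", $env:SystemRoot, $env:ProgramFiles,
                                      ${env:ProgramFiles(x86)}, $env:ProgramData, "$env:SystemDrive\Users")
    )
    $pref = Get-MpPreference
    $findings = @()

    foreach ($ex in @($pref.ExclusionPath)) {
        if (-not $ex) { continue }
        # Normalise to an expanded path with a single trailing backslash so prefix tests are exact.
        $norm = [Environment]::ExpandEnvironmentVariables($ex).TrimEnd('\') + '\'
        foreach ($root in $SensitiveRoots) {
            if (-not $root) { continue }
            $r = $root.TrimEnd('\') + '\'
            # Over-broad when the sensitive root sits inside, or equals, the excluded path.
            if ($r.StartsWith($norm, [System.StringComparison]::OrdinalIgnoreCase)) {
                $findings += [pscustomobject]@{ Kind = 'Path'; Exclusion = $ex; Covers = $root }
                break
            }
        }
    }
    foreach ($ext in @($pref.ExclusionExtension)) {
        if ($ext -in @('exe', 'dll', 'sys', 'ps1', 'bat', 'cmd', 'vbs', 'js', 'hta', 'scr')) {
            $findings += [pscustomobject]@{ Kind = 'Extension'; Exclusion = $ext; Covers = 'executable content' }
        }
    }
    foreach ($proc in @($pref.ExclusionProcess)) {
        if ($proc -match '(?i)(powershell|cmd|wscript|cscript|rundll32|mshta)\.exe$' -or $proc -match '\*') {
            $findings += [pscustomobject]@{ Kind = 'Process'; Exclusion = $proc; Covers = 'LOLBin or wildcard' }
        }
    }
    $findings
}

function Get-DefenderTamperEvents {
    param([int]$Days = 7)
    # 5007: configuration changed (message carries old and new value); 5001: real-time protection
    # disabled; 5010/5012: malware/virus scanning disabled.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007, 5010, 5012
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Change'; e = { (($_.Message -split "`n") | Where-Object { $_ -match 'Old value|New value|protection' }) -join ' ' } }
}

Write-Host "== Over-broad exclusions =="
Get-OverbroadDefenderExclusions | Format-Table -AutoSize
Write-Host "== Defender tamper events (last 7 days) =="
Get-DefenderTamperEvents | Format-Table -Wrap
Write-Host "Tamper Protection enabled: $((Get-MpComputerStatus).IsTamperProtected)"
```

The last line is the check that matters most: with Defender's own Tamper Protection on, `Set-MpPreference` and registry edits from a local administrator cannot add exclusions or switch off real-time protection, so the exclusion technique in Figures 1 and 2 only works where it has been left off or where the attacker already has the management-plane access to change it.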
- Uninstalling the EDR agent
Some attackers take the noisy route and simply try to uninstall the EDR agent. They'll use the Add or Remove Programs interface if they have a desktop session on the endpoint (via RDP or a screen-sharing utility), or try from the command line.
Figure 3: Attacker gets a rogue RMM installed, connects to the endpoint, and then tries to uninstall the Huntress EDR agent from the command line.
- 2026, the year of BYOVD attacks?
In early February 2026, during an intrusion that began with compromised SonicWall VPN credentials, threat actors deployed a sophisticated "EDR killer" binary. The attackers used a BYOVD approach with a twist aimed at static detection: the binary avoided the packing and encryption that scanners commonly key on, so tools looking for packed or encrypted malware let it through.
The attacker dropped a legitimate forensic driver from EnCase. Although the driver's certificate dated from 2006 and had been revoked for years, Windows still permitted it to load because of the legacy "2015 exception" in Driver Signature Enforcement, which continues to honor drivers signed with certificates issued before July 2015. Once loaded, the driver let the attacker terminate processes directly from the kernel. The malware carried a pre-programmed "hit list" of 59 process names drawn from a wide range of AV, EDR, and EPP products. By calling the driver's termination function every second, the attackers ensured that any security service that tried to restart was killed again immediately, leaving the system completely defenseless.
In March 2026, Huntress reported another BYOVD example: a sophisticated malvertising campaign targeting US taxpayers through Google Ads for "W-2" and "W-9" forms. The attack begins when a user clicks a malicious ad and is redirected to a site that installs a rogue ScreenConnect instance, giving the threat actors remote access. Once on the system, the attackers deploy a kernel-mode EDR killer that leverages a vulnerable, signed Huawei audio driver to terminate security processes from major vendors, effectively blinding the system's defenses.
What Huntress does to protect the hunters on the endpoint
- Detection of BYOVD
The latest feature we've added to Managed EDR enables Huntress to detect attackers abusing vulnerable drivers. We're not looking for signs of the impact (antivirus no longer running, our EDR agent killed), but for the real-time abuse of a vulnerable driver by a hands-on-keyboard adversary, which generates a signal for our SOC to investigate and shut down the attack. One example is the TrueSight device driver, which attackers have abused to kill antivirus and EDR tools.
Figure 4: Attacker abusing TrueSight device driver to likely kill antivirus and EDR tool.
- Detection and remediation of attacker abuse of Windows Firewall rules
Attackers are constantly looking for ways to tamper with security tools so they can operate under the radar. Huntress Managed EDR detects, remediates, and alerts the SOC when attackers abuse Windows Firewall to block communication between the Huntress EDR agent and the Huntress Platform, or to impair Windows Defender Antivirus.
Figure 5: Attacker abuses a legit application to impair communication of Huntress EDR
- Going even further with built-in Tamper Protection
Tamper Protection in Huntress Managed EDR is a security layer that prevents unauthorized users and threat actors from disabling, uninstalling, or interfering with our agent, so monitoring is never silently interrupted. When legitimate administrative work requires it, an exclusion can be set for a defined period of time; it is removed automatically when the window expires, so the protection never stays off by accident.
Want to learn more?
Protecting endpoint security tools during an attack isn't about chasing features. It takes a deep understanding of attacker tradecraft: their tactics, techniques, and procedures, their tools, and how they combine them to get around defenses.
If you want to experience the power of Huntress Managed EDR and see how we wreck hackers targeting endpoints, sign up for a free trial and see for yourself. Or speak to one of our experts today.

Facts Only

Threat actors use techniques like blocking AV/EDR communications via Windows Firewall rules or the Windows Filtering Platform (WFP).
Attackers may uninstall EDR agents directly or via command line, often after gaining administrative privileges.
Bring Your Own Vulnerable Driver (BYOVD) exploits signed but vulnerable drivers to gain kernel access and disable security tools.
In February 2026, attackers used a revoked EnCase driver to terminate 59 security processes, exploiting a legacy Windows exception.
In March 2026, a malvertising campaign deployed a Huawei audio driver to disable EDR tools after gaining access via rogue ScreenConnect instances.
Huntress detects BYOVD abuse in real-time, including misuse of drivers like TrueSight to kill security tools.
Huntress Managed EDR remediates unauthorized Windows Firewall rule changes and alerts on attempts to impair Defender Antivirus.
Tamper Protection in Huntress EDR prevents unauthorized agent removal, with temporary exclusions for administrative tasks.

Executive Summary

Threat actors are increasingly targeting endpoint security tools like antivirus (AV) and endpoint detection and response (EDR) systems to create "dark zones" where they can operate undetected. Their methods include blocking communications via Windows Firewall rules, uninstalling security agents, and exploiting vulnerable drivers (BYOVD) to disable protections. Real-world examples from 2026 highlight sophisticated attacks, such as the use of a revoked but still functional EnCase driver to terminate security processes and a Huawei audio driver in a malvertising campaign targeting U.S. taxpayers. Huntress, a security firm, has developed countermeasures, including detection of BYOVD abuse, remediation of firewall tampering, and tamper protection for its EDR agent. The escalation in attacker tradecraft underscores the need for adaptive defenses that anticipate and neutralize these evasion techniques.

Full Take

The article presents a compelling narrative about the escalating sophistication of cyber threats, particularly the active dismantling of endpoint defenses. The strongest version of this argument highlights real-world examples—like the 2026 EnCase driver exploit and the Huawei driver malvertising campaign—to demonstrate how attackers are weaponizing legitimate tools against security systems. This aligns with broader trends in cybersecurity, where adversaries leverage trusted components (e.g., signed drivers) to bypass protections, a tactic that exploits systemic trust in vendor certifications.
However, the piece leans heavily on Huntress’s proprietary solutions as the antidote, which could introduce a subtle bias toward their product. The focus on specific tools (e.g., EDRSandblast, TrueSight) and Huntress’s detection capabilities, while informative, risks framing the problem as solvable only through their technology. This could overshadow broader industry challenges, such as the need for systemic improvements in driver signing policies or Windows legacy exceptions.
Root cause: The narrative assumes a paradigm where security is a perpetual arms race, with defenders always one step behind. Yet it under-examines structural vulnerabilities—like Microsoft’s driver signature enforcement loopholes—that enable these attacks. The implications for human agency are stark: if security tools can be so easily neutralized, what recourse do organizations have beyond vendor-specific fixes? The cost of this cat-and-mouse game falls disproportionately on smaller entities without resources for advanced defenses.
Bridge questions: How might industry-wide collaboration (e.g., revoking legacy driver exceptions) mitigate these threats more effectively than point solutions? What role should regulatory bodies play in enforcing stricter driver certification standards? Would a shift toward zero-trust architectures render these evasion techniques obsolete?
Counterstrike scan: If this were part of a coordinated campaign, the playbook would emphasize fear (e.g., "dark zones," "active destruction") to drive urgency toward a specific vendor’s solution. While the article provides concrete examples, its focus on Huntress’s capabilities could align with a marketing-driven narrative. However, the technical details and real-world cases suggest genuine expertise rather than manipulation. No clear structural alignment with an influence campaign is detected.
Patterns detected: none

Threat Actor Defense Evasion: How Attackers Disable AV & EDR — Arc Codex