AVs that block (non-malware) driver load?

Hello,

I have seen a few cases where I suspect some AV is blocking FilterLoad. I cannot easily test whether StartService works here, nor which AVs are installed (it will take several weeks to do so).
FilterLoad returns “Privilege not held”, even though SE_LOAD_DRIVER is enabled. Since the drivers can be installed, I suspect it might be some AV that blocks the driver load. One or two cases with random user->privilege assignments I could understand, but there are a lot more cases.

Anyone have other ideas?

Regards, Dejan.

Did you check the Event Log to see if there’s anything about the block?

I do not have access to it; it is on end-user computers :(

Can you ask for someone to export and send them? We often ask for the System and Application event logs as part of triage.

No, none where this happens.
It will take a few months before we can get those logs.
It started around June BTW.

Regards, Dejan.
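
The triage data discussed in this thread (System and Application event logs, installed AV products, the state of the load-driver privilege) can be gathered in one pass on an affected machine. The script below is an added example, not something posted by the thread participants; the output directory and file names are placeholders, and it assumes it is run from an elevated PowerShell prompt on a client edition of Windows.

```powershell
# Added triage sketch (not from the thread). Run from an elevated prompt.
# $OutDir and all output file names are placeholders chosen for this example.
param([string]$OutDir = "$env:TEMP\driverload-triage")

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Export the System and Application logs that the reply asks for.
foreach ($log in 'System', 'Application') {
    wevtutil.exe epl $log (Join-Path $OutDir "$log.evtx") /ow:true
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Export of $log log failed (exit code $LASTEXITCODE)"
    }
}

# 2. AV products registered with Security Center.
#    The root/SecurityCenter2 namespace is absent on Server editions,
#    so record the failure instead of aborting the collection.
try {
    Get-CimInstance -Namespace 'root/SecurityCenter2' `
                    -ClassName AntiVirusProduct -ErrorAction Stop |
        Select-Object displayName, pathToSignedProductExe, productState |
        Export-Csv (Join-Path $OutDir 'av-products.csv') -NoTypeInformation
} catch {
    "SecurityCenter2 query failed: $($_.Exception.Message)" |
        Set-Content (Join-Path $OutDir 'av-products.txt')
}

# 3. Privileges in this prompt's token, to see whether SeLoadDriverPrivilege
#    is present and enabled. This is NOT the token of the process that calls
#    FilterLoad; it only shows what the logged-on account is granted.
whoami.exe /priv /fo csv | Set-Content (Join-Path $OutDir 'token-privileges.csv')

# 4. Minifilters currently loaded and their altitudes (requires elevation).
#    Third-party security filters show up here even if the AV query failed.
fltmc.exe filters | Set-Content (Join-Path $OutDir 'minifilters.txt')

# 5. Bundle everything into one archive for the end user to send back.
Compress-Archive -Path (Join-Path $OutDir '*') `
                 -DestinationPath "$OutDir.zip" -Force
Write-Output "Triage bundle written to $OutDir.zip"
```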