DriverShield - Frequently Asked Questions
Common questions about kernel driver analysis, BYOVD, risk scoring, uploads, privacy, and the DriverShield API.
Frequently Asked Questions
What is DriverShield?
An automated threat intelligence platform that combines static and dynamic analysis to inspect Windows kernel-mode driver files (.sys) for vulnerabilities, malware, BYOVD abuse, and exploitation surfaces.
What is BYOVD?
BYOVD (Bring Your Own Vulnerable Driver) is the technique of loading a legitimate but flawed signed Windows kernel driver to obtain Ring-0 primitives - read or write arbitrary kernel memory, kill security processes, disable EDR callbacks - bypassing endpoint defences.
How do I scan a driver?
Visit the home page, drag your .sys file into the upload area, solve the captcha, and click Analyze. Results appear within 60 seconds.
Is DriverShield free?
Yes. Web scanning, hash lookup, CVE library, signer atlas, BYOVD research index, and the public driver database are open to anyone. Registered users receive an API token for programmatic access.
What does the risk score mean?
The 0-100 composite is the weighted sum of multi-engine consensus (25%), dangerous kernel API imports (20%), YARA rule hits (15%), IOCTL risk (15%), known-vulnerable hash match (15%), entropy (5%), and behavioural strings (5%). Bands: clean 0-29, suspicious 30-59, vulnerable 60-79, malicious 80-100.
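As an added example (not DriverShield's own code), the weighted formula and bands above implemented as a small scorer; it assumes each component has already been normalised to 0-100 before weighting, which the FAQ does not state:

```python
# Added example: recompute the composite risk score from per-component
# sub-scores using the weights and bands published in the FAQ.
# Assumption (not stated on the page): each component is normalised to 0-100.

WEIGHTS = {                      # percentage weight of each component
    "multi_engine_consensus": 25,
    "dangerous_kernel_api_imports": 20,
    "yara_rule_hits": 15,
    "ioctl_risk": 15,
    "known_vulnerable_hash_match": 15,
    "entropy": 5,
    "behavioural_strings": 5,
}
assert sum(WEIGHTS.values()) == 100  # weights must cover the full 0-100 range

BANDS = [  # (low, high, label), inclusive bounds from the FAQ
    (0, 29, "clean"),
    (30, 59, "suspicious"),
    (60, 79, "vulnerable"),
    (80, 100, "malicious"),
]


def composite_score(components: dict) -> int:
    """Weighted sum of the seven component scores, rounded to an integer."""
    missing = set(WEIGHTS) - set(components)
    if missing:
        raise ValueError(f"missing components: {sorted(missing)}")
    total = 0.0
    for name, weight in WEIGHTS.items():
        value = components[name]
        if not 0 <= value <= 100:
            raise ValueError(f"{name} must be in 0-100, got {value}")
        total += value * weight / 100
    return min(100, int(total + 0.5))  # round half up, clamp to 100


def risk_band(score: int) -> str:
    """Map a 0-100 composite to the FAQ's band label."""
    for low, high, label in BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score out of range: {score}")


def assess(components: dict) -> tuple:
    score = composite_score(components)
    return score, risk_band(score)
```

Because no single component carries more than 25%, a driver whose hash matches a known-vulnerable entry but trips nothing else still lands in the clean band, so the per-component breakdown, not just the composite, should drive triage decisions.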
Are my uploads private?
No - DriverShield is a public threat-intelligence platform. All uploads and reports become part of the open database. Do not submit confidential or proprietary samples.
Can I integrate DriverShield into my pipeline?
Yes - the REST API exposes both hash lookup (no auth) and file upload (token-based) endpoints.
DriverShield © 2025-2026 · Terms · Privacy · Contact