Question 1

What is DriverShield?

Accepted Answer

DriverShield is an automated threat intelligence platform that combines static and dynamic analysis to inspect Windows kernel-mode driver files (.sys) for vulnerabilities, malware indicators, BYOVD abuse patterns, and exploitation surfaces. It returns a 0-100 risk score and one of four verdicts: clean, suspicious, vulnerable, or malicious.

Question 2

What is BYOVD (Bring Your Own Vulnerable Driver)?

Accepted Answer

BYOVD is an attack technique where adversaries load a legitimate but flawed signed Windows kernel driver onto a target system to gain Ring-0 primitives - reading or writing arbitrary kernel memory, killing security processes, or disabling EDR callbacks. Because the driver is signed, default Driver Signature Enforcement allows it to load even on Secure Boot systems.

Question 3

How do I scan a Windows driver?

Accepted Answer

Open the home page, drag a .sys file (max 50 MB) into the upload area, solve the hCaptcha, and click Analyze. Analysis takes under 60 seconds and returns a detailed report with imports, IOCTL codes, YARA matches, MITRE ATT&CK techniques, code-signing metadata, and a composite risk score.

Question 4

Is DriverShield free to use?

Accepted Answer

Yes. Web scanning, hash lookup, the CVE library, signer atlas, BYOVD research index, and the public driver database are open to anyone. Authenticated users receive a personal API token for programmatic scans subject to a per-IP rate limit.

Question 5

What does the risk score mean?

Accepted Answer

The 0-100 composite score is the weighted sum of seven signals: external multi-engine detection (25%), dangerous kernel API imports (20%), YARA rule hits (15%), IOCTL risk (15%), known-vulnerable hash match (15%), packing entropy (5%), and behavioural string analysis (5%). Scores map to verdict bands: 0-29 clean, 30-59 suspicious, 60-79 vulnerable, 80-100 malicious.

Question 6

Can I upload only Windows drivers?

Accepted Answer

Yes. The platform only accepts Windows PE .sys files with valid kernel-subsystem headers. Other binary types are rejected at upload.

Question 7

Are my uploads private?

Accepted Answer

All uploaded samples and their analysis reports are public by default - DriverShield is a community threat intelligence resource. Uploaded files and SHA256 hashes appear in the open driver database and may be referenced from CVE or signer pages. Do not submit confidential, proprietary, or personal data.