aswarpot.sys
Avast / AVG antivirus driver
aswArPot.sys is a kernel driver associated with Avast and AVG security products. Some older versions are on the public LOLDrivers list for CVE-2022-26522 and CVE-2022-26523, a pair of vulnerabilities that allowed local privilege escalation through the driver's communication channel. Avast patched both in 2022.
Trend Micro and SentinelOne published detailed reports later that year describing criminal extortion groups deliberately installing the older vulnerable Avast driver onto already-compromised systems and using it to terminate other security products before encrypting files. This is the classic BYOVD pattern, ironically using an antivirus driver to disable antivirus.
It is typically present on systems running current Avast or AVG products. Keep them updated; if Windows' blocklist refuses to load an older Avast driver, that is the protection working.
aswarpot.sys is listed as a known-vulnerable driver on the public LOLDrivers project. 40 distinct binary hashes matching this filename are on record, meaning multiple versions of the file have been observed.
Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.
Vera Project. “aswarpot.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/aswarpot-sys
