← All drivers
vulnerable
Driver

echo_driver.sys

Echo anti-cheat / screenshare scanner driver

From Inspect Element Ltd. (Echo)
Status
On a known-vulnerable list
Known variants
1 distinct hashes
Public CVEs
1
Field notes

echo_driver.sys is the kernel driver of Echo (echo.ac), a commercial anti-cheat and screenshare-scanning tool from Inspect Element Ltd. that game communities, notably Minecraft PvP and RustGameRustOpen plate → servers, use to help admins detect cheating tools on a player's machine. It is a real, signed commercial product.

It earns a place on the blocklist for a reason this section keeps meeting: the anti-cheat tool itself became the vulnerability. Security researchers (the 'EchOh-No!' writeup by 'Protocol,' with kite03 and Lemon) found that vulnerable versions had weak access controls allowing privilege escalation, which made the driver a bring-your-own-vulnerable-driver candidate. The flaw is tracked as CVE-2023-38817 and affects Echo versions below 5.2.1.0.

Microsoft added the driver to its Vulnerable Driver Blocklist and the signing certificate was revoked. It is the same shape as the Capcom story: a driver built to police cheating that, in a vulnerable build, became a way to attack the system it ran on.

If you play on a community that uses Echo, a current version may be present legitimately. A vulnerable older echo_driver.sys outside that context is the thing to look at.

What the record shows

echo_driver.sys is listed as a known-vulnerable driver on the public LOLDrivers project. One distinct binary hash matching this filename is on record.

Public CVEs
What this means, plainly
Presence is not proof of misuse. Driver files on the LOLDrivers list commonly ship with legitimate hardware tools, gaming software, or vendor utilities. Their presence is recorded as evidence on a record. It is never treated as a verdict about a person.
Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “echo_driver.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/echo-driver-sys