poortry.sys
POORTRY: Microsoft-signed kernel malware
POORTRY (poortry.sys, poortry1.sysDriverpoortry1.sysPOORTRY variantOpen plate →, poortry2.sysDriverpoortry2.sysPOORTRY variantOpen plate →) is the kernel-mode half of a small toolkit publicly disclosed in December 2022 whose only job is to terminate antivirus and EDR processes. The user-mode loader (called STONESTOP) installs and steers it; the driver exposes an IOCTL surface for killing protected processes from kernel mode.
The reason it is famous, and the reason it sits at the top of every published list of malicious drivers, is that it was signed through Microsoft's own Windows Hardware Quality Labs (WHQL) program. SentinelOne (case 75361) and Mandiant disclosed the toolkit to Microsoft in October 2022; Microsoft published advisory ADV220005 and revoked the certificates used. Investigation revealed that several Microsoft Partner Center developer accounts had been used to submit malicious drivers and obtain Microsoft signatures. Mandiant tracked one user as UNC3944, the SIM-swap-adjacent crew also publicly associated with high-profile telecom and gaming-publisher intrusions.
Unlike most entries in this catalog, POORTRY is not part of any legitimate product. It is malware. Vera notes it on the public record because the security industry has named it, named the disclosure timeline, and named who used it. If this filename is on a system, the answer is not 'update the vendor.' There is no vendor. Take it to incident response.
poortry.sys is listed as malicious on the public LOLDrivers project. One distinct binary hash matching this filename is on record.
Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.
Vera Project. “poortry.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/poortry-sys
