← All drivers
malicious
Driver

poortry1.sys

POORTRY variant

From Unknown threat actor (Microsoft-signed)
Part of the POORTRY family
Status
On a known malicious list
Known variants
1 distinct hashes
Field notes

poortry1.sys is a variant of POORTRY, the WHQL-signed kernel malware publicly disclosed by SentinelOne and Mandiant in December 2022. Same toolkit, same purpose (terminating antivirus and EDR processes from kernel mode), same Microsoft advisory ADV220005. See the entry for poortry.sysDriverpoortry.sysPOORTRY: Microsoft-signed kernel malwareOpen plate → for the full story.

Not a legitimate vendor driver. If present on a system, treat as evidence of compromise and escalate to incident response.

What the record shows

poortry1.sys is listed as malicious on the public LOLDrivers project. One distinct binary hash matching this filename is on record.

What this means, plainly
Presence is not proof of misuse. This filename matches a public malicious list. Vera notes it as evidence on a record; the meaning still belongs to the people with the context.
Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “poortry1.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/poortry1-sys