← All drivers
vulnerable
Driver

shield.sys

Horizon DataSys disk-filter driver (RollBack Rx / Reboot Restore Rx primary filter)

From Horizon DataSys Inc.
Part of the Horizon family
Status
On a known-vulnerable list
Known variants
1 distinct hashes
Field notes

shield.sys is a kernel disk-filter driver shipped by Horizon DataSys with their RollBack Rx Professional and Reboot Restore Rx Professional system-recovery products. Recovery and rollback tools install a filter at the disk layer so they can snapshot system state and revert it; shield.sys is the primary filter in that family. Its siblings on the same install are shield-async.sysDrivershield-async.sysHorizon DataSys disk-filter driver (asynchronous variant)Open plate → (the asynchronous variant) and shieldwp.sysDrivershieldwp.sysHorizon DataSys disk-filter driver (write-protection variant)Open plate → (the write-protection variant); all three are signed by the same publisher and load as part of the same product install.

The three drivers are on the public LOLDrivers list (May 2026, issue #344) for their control interfaces, which can hand a local caller kernel-level read and write into memory. A separate sibling driver in the same product family, shieldm.sys, has a distinct flaw tracked as CVE-2025-29547 (a null-deref denial-of-service in v12.8). No CVE is assigned to the three siblings on this page.

If you use RollBack Rx or Reboot Restore Rx, all three are expected. If you do not, look at what installed them.

What the record shows

shield.sys is listed as a known-vulnerable driver on the public LOLDrivers project. One distinct binary hash matching this filename is on record.

What this means, plainly
Presence is not proof of misuse. Driver files on the LOLDrivers list commonly ship with legitimate hardware tools, gaming software, or vendor utilities. Their presence is recorded as evidence on a record. It is never treated as a verdict about a person.
Related drivers

Other drivers in the Horizon family. See the whole family →

Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “shield.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/shield-sys