← All drivers
vulnerable
Driver

wamsdk.sys

WatchDog Antimalware driver (patched build of amsdk.sys)

From Watchdog Development
Part of the WatchDog family
Status
On a known-vulnerable list
Known variants
2 distinct hashes
Field notes

wamsdk.sys is the patched build (version 1.1.100) of WatchDog Antimalware's kernel driver, released by the vendor to fix arbitrary process termination in the original amsdk.sysDriveramsdk.sysWatchDog Antimalware driver (original, pre-patch build)Open plate → (version 1.0.600). WatchDog Antimalware is a consumer security product; the underlying driver is built on the Zemana Anti-Malware SDK, which is licensed to several third-party security tools. A gamer would have wamsdk.sys after installing WatchDog Antimalware.

Check Point Research documented in 2025 that the Silver Fox APT had been abusing the original amsdk.sys before the patch, then incorporated the patched wamsdk.sys into a new campaign anyway. Their researchers reported that the patch did not fully resolve the underlying process-termination issue, and that the operators bypassed hash-based blocklists by using a known weakness in how unauthenticated fields of Microsoft Authenticode signatures are validated, which let them publish driver copies with new file hashes while preserving the valid signature.

The Silver Fox campaign was geographically focused, targeting endpoint-protection products from Chinese and Asian vendors (Qihoo 360, Tencent, Kaspersky, Kingsoft, and others) before deploying its ValleyRAT payload.

If WatchDog Antimalware is installed and current, the driver is expected. Check Point's recommendation for defenders is to apply the latest Microsoft Vulnerable Driver Blocklist manually rather than relying on automatic updates, since the timestamp evasion produces hashes the auto-update lists do not yet have.

What the record shows

wamsdk.sys is listed as a known-vulnerable driver on the public LOLDrivers project. 2 distinct binary hashes matching this filename are on record, meaning multiple versions of the file have been observed.

What this means, plainly
Presence is not proof of misuse. Driver files on the LOLDrivers list commonly ship with legitimate hardware tools, gaming software, or vendor utilities. Their presence is recorded as evidence on a record. It is never treated as a verdict about a person.
Related drivers

Other drivers in the WatchDog family. See the whole family →

Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “wamsdk.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/wamsdk-sys