wamsdk.sys
WatchDog Antimalware driver (patched build of amsdk.sys)
wamsdk.sys is the patched build (version 1.1.100) of WatchDog Antimalware's kernel driver, released by the vendor to fix arbitrary process termination in the original amsdk.sysDriveramsdk.sysWatchDog Antimalware driver (original, pre-patch build)Open plate → (version 1.0.600). WatchDog Antimalware is a consumer security product; the underlying driver is built on the Zemana Anti-Malware SDK, which is licensed to several third-party security tools. A gamer would have wamsdk.sys after installing WatchDog Antimalware.
Check Point Research documented in 2025 that the Silver Fox APT had been abusing the original amsdk.sys before the patch, then incorporated the patched wamsdk.sys into a new campaign anyway. Their researchers reported that the patch did not fully resolve the underlying process-termination issue, and that the operators bypassed hash-based blocklists by using a known weakness in how unauthenticated fields of Microsoft Authenticode signatures are validated, which let them publish driver copies with new file hashes while preserving the valid signature.
The Silver Fox campaign was geographically focused, targeting endpoint-protection products from Chinese and Asian vendors (Qihoo 360, Tencent, Kaspersky, Kingsoft, and others) before deploying its ValleyRAT payload.
If WatchDog Antimalware is installed and current, the driver is expected. Check Point's recommendation for defenders is to apply the latest Microsoft Vulnerable Driver Blocklist manually rather than relying on automatic updates, since the timestamp evasion produces hashes the auto-update lists do not yet have.
wamsdk.sys is listed as a known-vulnerable driver on the public LOLDrivers project. 2 distinct binary hashes matching this filename are on record, meaning multiple versions of the file have been observed.
Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.
Vera Project. “wamsdk.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/wamsdk-sys
