Driver Radar Pro: kernel mode driver security

Driver Radar Pro is a free application for Microsoft Windows devices that notifies you about programs that try to load kernel drivers.

Windows' kernel mode is used by core operating system components and trusted programs to provide them with the necessary privileges that only this mode offers.

Kernel mode is not restricted, however: any program can request kernel mode access, and sophisticated malware such as rootkits sometimes exploits this.

All modern versions of Windows ship with User Account Control (UAC), a feature designed to block programs from executing high-privilege tasks such as modifying the Registry, loading device drivers or modifying protected directories.

UAC prompts when a program tries to load a kernel mode driver, but it won't reveal why the program requests access.

Driver Radar Pro

That's when Driver Radar Pro comes into play. The program notifies you about any program requesting kernel mode driver access while Windows is running.

Note: make sure that running security software is whitelisted, as you may get a bluescreen or other crash otherwise.

It does not interfere with core Windows applications or drivers, and ships with a whitelist of programs that it won't warn you about either.

Driver Radar Pro ships with management options for that whitelist. You may remove any file hash, wildcard or signer from the whitelist, and use import and export features to make things more comfortable if you want to run the program on multiple devices.

The clear button is especially handy there as it removes all items to start with a blank slate.

Notifications

The program itself displays a notification on the desktop whenever it notices a request for kernel mode driver access.

This happens for all requests, even from whitelisted programs. The text and color of the notification are different though.

The program offers no option to reload a driver when it is blocked initially. This means that you will have to add it manually to the whitelist, which is less convenient than a button that does so right from the prompt.

The ignore button displayed on the prompts adds the driver to the list of exclusions. This will only block the notification from being displayed, but won't change the driver's actual state (allowed or blocked).

Settings

You may disable notifications in the program settings, and manage the list of exclusions there as well.

The preferences of Driver Radar Pro are quite extensive. You may disable the program's autostart with Windows there, configure the logging of events, copy drivers to a specific folder, password protect the program, or enable sound notifications.

Main interface

The main program interface lists all events sorted by date. Each event is listed with the date and time, the user account it was executed under, the path and file name of the driver, publisher of the driver, and other information.

Red and green icons in front of each line indicate whether a driver was loaded on the device, or blocked on it instead.

A right-click on a line opens a long list of options. You may run searches for the hash or driver name on Google or VirusTotal, add the hash, file path or signer to the program's whitelist to allow its execution, or open the file properties or the containing folder instead.
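
The same three criteria (file hash, path wildcard, signer) can be applied by hand to the drivers already registered on a machine. The following PowerShell script is an added example, not part of the original article and not Driver Radar Pro's own code; it only reports and does not block anything. The `$Allow` entries and the helper function names are constructed for illustration.

```powershell
# Added example: list registered kernel drivers that match no allowlist entry.
# Allowlist values are constructed placeholders; replace them with reviewed entries.
$Allow = @{
    Hashes  = @('<sha256-of-a-reviewed-driver>')        # exact SHA-256 match
    Paths   = @('C:\Windows\System32\drivers\*')        # path wildcard
    Signers = @('*O=Microsoft Corporation*')            # certificate subject wildcard
}

function Resolve-DriverPath {
    param([string]$PathName)
    # PathName may be quoted or carry an NT-style \??\ or \SystemRoot\ prefix.
    $p = $PathName.Trim('"') -replace '^\\\?\?\\', ''
    $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
}

function Get-AllowReason {
    param([string]$Path, [string]$Hash, [string]$Signer, [hashtable]$Allow)
    # Return which rule type matched, or $null when nothing matches.
    if ($Allow.Hashes -contains $Hash) { return 'hash' }
    foreach ($w in $Allow.Paths)   { if ($Path   -like $w) { return 'path' } }
    foreach ($w in $Allow.Signers) { if ($Signer -like $w) { return 'signer' } }
    return $null
}

Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.ServiceType -eq 'Kernel Driver' -and $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not (Test-Path -LiteralPath $path)) { return }   # skip missing files
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State            # Running or Stopped
            Path      = $path
            SHA256    = $hash
            SigStatus = $sig.Status         # Valid, NotSigned, HashMismatch, ...
            Signer    = $signer
            Allowed   = Get-AllowReason $path $hash $signer $Allow
        }
    } |
    Where-Object { -not $_.Allowed } |
    Format-List Name, State, SigStatus, Signer, Path, SHA256
```

Hash entries are the strictest of the three rule types; a path wildcard trusts any file written to that folder, and a signer wildcard trusts every driver carrying a matching certificate subject.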

Verdict

Driver Radar Pro is a sophisticated program that is easy to use. It adds another layer of protection to Windows by blocking unknown drivers from being loaded with kernel mode privileges.

It ships with a handful of research options to find out more about drivers before deciding whether to add new ones to the whitelist.

This article was first seen on ComTek's "TekBits" Technology News
