HEX DEREF ANTI-MALWARE X: Advanced endpoint protection, NGAV featuring malware analysis functionality in one product

A proactive Next-Generation Antivirus (NGAV) solution featuring malware analysis functionality with memory forensics, specifically designed for malware analysts who perform dynamic analysis manually. It comes with a kernel driver (written in C/C++) that protects the device in real time, similarly to advanced endpoint protection products. This solution respects user privacy and does not track your browsing history, unlike almost all others.

Key features:

  • Zero Trust
  • Root cause analysis
  • Reducing the attack surface to almost nothing
  • Data breach detection
  • Application control based on the certificate signer's name (The user manages the list of allowed applications)
  • Advanced endpoint protection beyond traditional signature-based antivirus solutions requiring no signature updates or reboots
  • The source code is available for purchase as part of a customized software development solution, tailored to meet the specific needs of your company

The solution logs all processes along with their command lines and network connections into the database. This supports the investigation of potential data breaches and malware analysis.

In the solution's Zero Trust mode, the attack surface shrinks to almost nothing, and all processes that are not added to the allowed list (excluding those signed by Microsoft) are blocked at the kernel level in real time (1ms response time). This ensures that even previously undetected, highly sophisticated malware cannot inflict any damage. It's worth noting that processes are not added individually to the allowlist, but based on the certificate.

Your company’s SOC team or equivalent tests all unknown or untrusted code before adding it to the allowlist. This approach differs from competitors, where trusted applications can be added based solely on their EV code signing certificate. The allowed applications list is maintained by the device user. This can be tailored through software development to suit your organization’s requirements.

The user interface (UI) has been coded in C# .NET 8.0 so that the project is easier to customize and modify.

This solution does not require or use any additional third-party protection layers. Therefore, the kernel driver is stable, and the source code is maintainable and well-documented.

Despite all the efforts (as of 06/2025, 3.5+ years of constant development by the author), the solution is a work in progress (WiP). If you're a malware analyst or work in a SOC/TIER1/TIER2/TIER3/CSIRT/DFIR team, the solution is for you.

If you have a cybersecurity-related company and can obtain a valid EV code-signing certificate for a kernel driver, please get in touch. Thank you.

Real-time kernel-level features (many features that are already coded have yet to be added to this list):

  • Detects whether a running or newly launched process is digitally signed and, depending on the settings, prevents this process from starting if it is not
  • Identifies whether the PE file (EXE, DLL or a kernel driver) has a digital signature or not
  • Blocks any process from loading a DLL without a digital signature
  • Operates primarily at the kernel level
  • BYOVD (Bring Your Own Vulnerable Driver) protection (detects/prevents the administrator-to-kernel transition that is used by kernel-mode malware)

* * * The majority of malware, if not all, is not digitally signed. An unsigned executable doesn't automatically mean malicious software. If we consider protecting a company's server from cyber threats, it is easier to prevent the execution of unknown unsigned code at the kernel level with default settings. If software is needed that uses a DLL (Dynamic Link Library) that is not digitally signed, it is manually analyzed and added to the allowlist. At this point, the risk of ransomware causing any damage has already been minimized.
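To see what the Zero Trust policy described above (Microsoft-signed allowed, allowlisted signer allowed, everything else blocked) would decide on a given machine before enabling it, here is an added PowerShell audit script that is not part of the product and uses the built-in Authenticode cmdlet rather than the product's kernel driver. The allowlist contents and the "O=Microsoft Corporation" subject match are assumptions for illustration, not the product's actual matching rules.

```powershell
# Added example (not HEX DEREF's code): preview the Zero Trust verdict for every running
# process by checking the Authenticode signature of its image file.
# Assumptions (not from the page): the allowlist holds certificate subject fragments, and
# "signed by Microsoft" is approximated by the subject containing "O=Microsoft Corporation".
param(
    # Constructed sample allowlist; replace with the signer names your SOC has approved.
    [string[]]$AllowedSigners = @('CN=Mozilla Corporation', 'CN=Google LLC')
)

function Get-ZeroTrustVerdict {
    param([Parameter(Mandatory)][string]$ImagePath)
    $sig = Get-AuthenticodeSignature -FilePath $ImagePath
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch (tampered) or an untrusted chain: blocked in Zero Trust mode
        return [pscustomobject]@{ Verdict = 'BLOCK'; Reason = "signature status $($sig.Status)"; Signer = $null }
    }
    $subject = $sig.SignerCertificate.Subject
    if ($subject -match 'O=Microsoft Corporation') {
        return [pscustomobject]@{ Verdict = 'ALLOW'; Reason = 'Microsoft-signed (implicit)'; Signer = $subject }
    }
    foreach ($allowed in $AllowedSigners) {
        if ($subject -like "*$allowed*") {
            return [pscustomobject]@{ Verdict = 'ALLOW'; Reason = 'signer on allowlist'; Signer = $subject }
        }
    }
    # Validly signed, but the signer was never vetted: the policy blocks by default
    return [pscustomobject]@{ Verdict = 'BLOCK'; Reason = 'signed but signer not allowlisted'; Signer = $subject }
}

$results = foreach ($p in Get-Process) {
    # Path is $null for processes this session cannot open (protected/system); report as UNKNOWN
    if (-not $p.Path) {
        [pscustomobject]@{ Name = $p.ProcessName; PID = $p.Id; Verdict = 'UNKNOWN'; Reason = 'image path not accessible'; Signer = $null }
        continue
    }
    $v = Get-ZeroTrustVerdict -ImagePath $p.Path
    [pscustomobject]@{ Name = $p.ProcessName; PID = $p.Id; Verdict = $v.Verdict; Reason = $v.Reason; Signer = $v.Signer }
}

# Summary counts first, then the processes the policy would block: review these before enabling it
$results | Group-Object Verdict | Select-Object Name, Count | Format-Table -AutoSize
$results | Where-Object Verdict -eq 'BLOCK' | Sort-Object Name | Format-Table Name, PID, Reason, Signer -AutoSize
```

Run it from an elevated prompt so that more image paths are readable; anything reported as UNKNOWN still needs a manual look before the allowlist is considered complete.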

  • Proactively detects previously unknown malware, in certain situations including malware operating in kernel memory
  • Data breach detection
  • Kernel physical memory scanner
  • User-mode memory scanner, including (WinTcb) protected processes
  • Self-integrity checks that detect whether malware attempted to disable the protection at the user or kernel level. In this context, proactivity means that the solution responds in real time based on predefined measures.
  • Secure IOCTL communication (the Exploitation #1 and Exploitation #2 mentioned in the article are not possible with this protection). Certificates are not revoked, and your company avoids reputational damage with these measures
  • Works alongside Windows Defender
  • It's easy to use, and with just one setting change, a home user becomes a malware analyst. Best of all, home users get better protection for their devices than what's even found in most enterprise EDR/XDR/EPP/NGAV solutions!

Depending on the settings, the solution either reduces the attack surface or completely prevents the operation of the malware in most situations. In practice, this solution forces the malware to become visible.

Availability of the source code

Your malware analysts are only as good as the software they use. The source code is available for purchase as a software work, non-exclusively and without resale rights, for internal use within a company.

Proactivity means that the solution can automatically perform a predefined action, for example, take a physical memory dump and upload it to a remote server for further analysis.

ABOUT AUTHOR

I am a self-taught coder (a total of 14 years of coding experience as of 06/2024 in PHP/C#/C/C++). I don't have a bachelor's degree, but that does not mean that I am not capable. I am also a hobbyist Windows internals researcher and reverse engineer. A work of mine: PatchGuard bypass at runtime. I coded overlayhack.com in PHP back in 2012, later improved the code in 2018, and designed its MySQL database. My motto is: if I need to get something done, I will just do it, and I am usually very good at what I do.