Unloading the Sysmon Minifilter Driver

The binary fltMC.exe is used to manage minifilter drivers. You can easily load and unload minifilters using this binary. To unload the Sysmon driver you can use:

fltMC unload SysmonDrv

If this binary is flagged, we can unload the minifilter driver by calling the ā€˜FilterUnloadā€™ which is the Win32 equivalent of ā€˜FltUnloadFilterā€™. It will call the minifilterā€™s ā€˜FilterUnloadCallbackā€™ (PFLT_FILTER_UNLOAD_CALLBACK) routine. This is as same as using fltMC which is a Non-mandatory unload.
For calling this API SeLoadDriverPrivilege is required. To obtain this privelege adminsitrative permissions are required.

Hereā€™s a simple C code I wrote to call the ā€˜FilterUnloadā€™ API.

https://github.com/OsandaMalith/WindowsInternals/blob/master/Unload_Minifilter.c

[gist https://gist.github.com/OsandaMalith/3315bc640ff51227ab067052bc20a445]

Note that when unloading a minifilter driver by the FilterManager, it will be logged under the System log.

References:
https://www.osr.com/nt-insider/2017-issue2/introduction-standard-isolation-minifilters/

2 thoughts on ā€œUnloading the Sysmon Minifilter Driverā€

  1. Pingback: Unloading the Sysmon Minifilter Driver ā€“ ?Blog of Osanda ā€“ The Library 6.0
  2. Pingback: Week 39 ā€“ 2019 ā€“ This Week In 4n6

Leave a Reply