WTF? Trust in the kernel should be Microsoft's responsibility and only theirs. Actually why is MS even allowing this crap code to run in their kernel? Isn't that a trust-destroying event?
Drivers have to run in the kernel in order to access hardware and other low-level system resources. That's how pretty much every mainstream OS works. For example, here's the guide for writing kernel-mode drivers in Linux: https://docs.kernel.org/driver-api/driver-model/overview.htm...
One might ask whether an anti-virus really needs to run inside the kernel, but the answer might reasonably be yes.
It is also possible to access hardware or any other low-level system resources from unprivileged user code, if its process has been granted appropriate access rights by the kernel.
This second solution requires more work, but it is much more secure as the access can be limited to only the strictly-required resources and system crashes become impossible.
The extreme of this solution is a micro-kernel operating system, but there is no need for extremes. Even in a Windows or Linux system you can use this method. You can have very reduced privileged code in a driver or kernel module, which does nothing except provide access to the permitted resources. Then anything like attempting to access unmapped memory would happen in user code and it would crash only the user process, not the entire computer system.
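As an added illustration, not code from any commenter: a constructed C sketch of the one job such a reduced privileged component keeps for itself, deciding whether an unprivileged client may touch a given window of a device. The window table and the `access_permitted` name are hypothetical; the point is that the check must also refuse zero-length and wrapping requests, or the bounds test can be bypassed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed example: a hypothetical minimal privileged "gatekeeper" that a
 * reduced kernel driver could expose. It only answers "may this unprivileged
 * process touch this window of the device?" and refuses anything outside the
 * permitted ranges. Parsing, policy and everything else stay in user space. */

struct window { uint64_t base; uint64_t len; };

/* Permitted device windows for one client (constructed values). */
static const struct window allowed[] = {
    { 0x1000, 0x0100 },   /* status/control registers */
    { 0x4000, 0x1000 },   /* DMA descriptor ring */
};

/* True only if [off, off+len) lies entirely inside one permitted window.
 * Zero-length and overflowing requests are rejected, so a caller cannot
 * wrap the arithmetic to slip past the bounds check. */
bool access_permitted(uint64_t off, uint64_t len)
{
    if (len == 0) return false;
    if (off > UINT64_MAX - len) return false;        /* off + len would overflow */
    uint64_t end = off + len;                         /* exclusive end */
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        uint64_t wend = allowed[i].base + allowed[i].len;
        if (off >= allowed[i].base && end <= wend) return true;
    }
    return false;
}

int main(void)
{
    printf("%d\n", access_permitted(0x1000, 0x10));   /* 1: inside registers */
    printf("%d\n", access_permitted(0x10F0, 0x20));   /* 0: spills past window */
    printf("%d\n", access_permitted(0x3000, 0x10));   /* 0: not a mapped window */
    return 0;
}
```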
Yes, I'm no security expert by any means but I'd assume that e.g. a rootkit would be best defeated by a kernel driver.
So, this isn't really what's getting on my nerves here. Just how it auto-updates and gets pushed throughout organizations without a smidge of quality assurance. Smaller businesses... Sure, I get it. They don't have the resources to set up infra for this, but those... airliners... and hospitals. WTF. I read about some org thinking they might not even be able to provide anesthesia. Seriously. What.
Probably history and then some possible anti-trust litigation. As if asking the market leader not to allow access to the kernel like this would somehow be an anti-trust violation...