| Confirmed compromise | System event logs, process creation logs, or kernel telemetry show unexpected child processes spawned by driver threads or cldflt.sys interfaces with SYSTEM credentials. | Process execution telemetry showing highly privileged shells (cmd.exe, powershell.exe) with parent process execution context linked to the Cloud Files service. | Quarantine the host, initiate incident response, and capture active memory dumps. | Perform a full system wipe, rotate compromised host credentials, and apply future official Microsoft security updates. |
| Presumed exposed | The firewall or endpoint runs a standard Windows installation with cldflt.sys loaded and active in the mini-filter registry space. | Registry query indicating the CldFlt service is set to start automatically (Start = 2 or Start = 1). | Restrict local non-admin login permissions and implement strict endpoint detection rules. | The official Microsoft patch is successfully deployed and the driver is updated. |
| Potentially exposed | A system runs Windows desktop or server OS, but the active state of the Cloud Files driver has not been audited. | Asset records identifying active Windows hosts without registry start-type verification. | Execute the registry and driver load audit script. | Confirm if the driver is not loaded, disabled, or if the asset has been updated. |
| Not exposed | The cldflt.sys driver service is completely disabled or uninstalled. | Registry verify showing CldFlt service Start type is disabled (Start = 4). | None for this zero-day. | Negative configuration verification is recorded. |