Quick Answer
nsogroup-pegasus-driver.sys is a kernel/user-space driver component associated with NSO Group Pegasus deployments. It manages policy updates, telemetry, and low-level OS integration for enterprise devices under controlled environments.
Is it a Virus?
✔ NO - Safe
Must be in C:\Program Files\NSO Group\Pegasus\Driver\nsogroup-pegasus-driver.sys or C:\Windows\System32\drivers\nsogroup-pegasus-driver.sys
Can I Disable?
✔ YES, but expect loss of remote management and telemetry
Disabling will stop Pegasus policy updates and may break device management features in enterprise deployments
What is nsogroup-pegasus-driver.sys?
nsogroup-pegasus-driver is a collection of kernel-mode and user-space components used by NSO Group's Pegasus software to provide device access, policy enforcement, and data collection on managed endpoints. It includes a driver, an agent, and a telemetry service that work together to maintain persistence and operability in enterprise deployments.
The driver set combines a kernel-mode component, a user-mode service, and telemetry tasks to enable policy delivery, event logging, and data capture while minimizing disruption to normal system operation.
Quick Fact: Pegasus driver components are commonly deployed in targeted environments with centralized management, making them visible in Task Manager as multiple related processes and services.
Components of the Pegasus Driver
- Kernel Driver: Low-level OS interface for device management (1 instance)
- User-Mode Service: Policy delivery and coordination with management servers
- Telemetry Agent: Data collection and reporting to central servers
- Update Manager: Handles driver and component updates
- Persistence Layer: Ensures components restart after reboot
- Error Handling Utility: Diagnostics and health checks for the driver suite
Is nsogroup-pegasus-driver Safe?
Yes, nsogroup-pegasus-driver can be legitimate when installed as part of an enterprise Pegasus deployment from NSO Group, but it is also a high-risk component that should only exist in controlled environments and with explicit approval.
Is nsogroup-pegasus-driver a Virus or Malware?
The legitimate nsogroup-pegasus-driver is not a standard virus. However, Pegasus components are often targeted by attackers, so verify digital signatures and location.
How to Tell if nsogroup-pegasus-driver is Legitimate or Malware
- File Location: Must be in C:\Program Files\NSO Group\Pegasus\Driver\nsogroup-pegasus-driver.sys or C:\Windows\System32\drivers\nsogroup-pegasus-driver.sys. Any other path is suspicious.
- Digital Signature: Right-click the file in Explorer -> Properties -> Digital Signatures. The signer should be NSO Group; verify the certificate chain for the signer of C:\Program Files\NSO Group\Pegasus\Driver\nsogroup-pegasus-driver.sys.
- Resource Usage: Normal usage for such a driver is low; spikes above 5-8% during maintenance may indicate activity beyond expected scope.
- Behavior: During normal operation without Pegasus enrollment, the driver should remain idle; any persistent activity with network connections is suspicious.
Red Flags: If nsogroup-pegasus-driver.sys appears in TEMP folders (C:\Users\<user>\AppData\Local\Temp), lacks a digital signature from NSO Group, or runs when no Pegasus policy is active, scan immediately.
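The location, signature, and TEMP-folder checks above can be scripted instead of clicked through in Explorer. The PowerShell below is an added example, not code from the original page or from any vendor; the expected paths and signer name are the ones this page states, and `Test-DriverFile` is a hypothetical helper name.

```powershell
# Added example. Expected paths and signer are the values stated on this page,
# not vendor documentation; Test-DriverFile is a hypothetical helper name.
$FileName       = 'nsogroup-pegasus-driver.sys'
$ExpectedPaths  = @(
    'C:\Program Files\NSO Group\Pegasus\Driver\nsogroup-pegasus-driver.sys',
    'C:\Windows\System32\drivers\nsogroup-pegasus-driver.sys'
)
$ExpectedSigner = 'NSO Group'

function Test-DriverFile {
    param([Parameter(Mandatory)][string]$Path)

    $sig      = Get-AuthenticodeSignature -LiteralPath $Path
    $subject  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $findings = @()
    if ($ExpectedPaths -notcontains $Path)     { $findings += 'unexpected location' }
    if ($Path -like '*\AppData\Local\Temp\*')  { $findings += 'in TEMP folder' }
    if ($sig.Status -ne 'Valid') {
        # Covers unsigned files, broken hashes and untrusted chains
        $findings += "signature status: $($sig.Status)"
    } elseif ($subject -notlike "*$ExpectedSigner*") {
        $findings += 'signer mismatch'
    }

    [pscustomobject]@{
        Path       = $Path
        SHA256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signer     = $subject
        Findings   = $findings -join '; '
        Suspicious = ($findings.Count -gt 0)
    }
}

# Driver services whose image path ends in the file name (strip any \??\ prefix)
$candidates = @(Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$FileName" } |
    ForEach-Object { $_.PathName -replace '^\\\?\?\\', '' })
# Copies on disk: the two listed locations plus per-user TEMP folders
$candidates += $ExpectedPaths
$candidates += Get-ChildItem 'C:\Users\*\AppData\Local\Temp' -Filter $FileName `
    -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object FullName

$candidates |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Sort-Object -Unique |
    ForEach-Object { Test-DriverFile -Path $_ } |
    Format-List
```

Run it from an elevated prompt so other users' TEMP folders are readable; no output means no copy of the file was found in the places checked.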
Why Is nsogroup-pegasus-driver Running on My PC?
nsogroup-pegasus-driver runs to support enterprise device management and surveillance features as part of Pegasus deployments. It may also run during updates or policy enforcement tasks initiated by the management server.
Reasons it's running:
- Active Enterprise Deployment: The device is enrolled in an NSO Pegasus management policy, enabling remote configuration and data collection.
- Background Telemetry: Telemetry collection and reporting to the Pegasus management server may keep the driver active.
- Policy Update/Enforcement: New security or policy updates are pushed, requiring driver activity.
- Device Compliance Checks: Periodic checks to ensure device posture and compliance with enterprise requirements.
- Maintenance Windows: Scheduled maintenance tasks trigger driver activation for diagnostics and updates.
Can I Disable or Remove nsogroup-pegasus-driver?
Disabling the driver is possible but not recommended in managed environments. Doing so can disable policy delivery, telemetry, and management features, and may violate enterprise security policies.
How to Stop nsogroup-pegasus-driver
- End Management Tasks: In Windows, stop Pegasus services from Services.msc (look for nsogroup-pegasus-*)
- Disable Startup: Disable Pegasus components in Task Manager > Startup to prevent automatic start
- Remove from System: Uninstall enterprise Pegasus agent or management suite per organization procedure
- Check Group Policy: Ensure removal doesn't violate MDM or domain policies
- Verify Persistence: Reboot and verify the driver does not reappear without approval
How to Uninstall nsogroup-pegasus-driver
- ✔ Contact your IT administrator for enterprise uninstall guidance
- ✔ Use the organization's MDM/management console to remove Pegasus components
- ✔ If an official uninstall utility is provided, run it and follow prompts
Common Problems: High CPU or Memory Usage
If nsogroup-pegasus-driver is consuming excessive resources or behaving unexpectedly:
Common Causes & Solutions
- Active Pegasus policy updates: Ensure the device has the latest policy updates and perform a supervised update cycle.
- Telemetry-heavy tasks: Limit or schedule telemetry tasks via policy, or set maintenance windows.
- Conflicting security software: Exclude Pegasus components from real-time scanning per administrator guidelines.
- Outdated components: Update nsogroup-pegasus-driver and related agents to latest version.
- Misconfigured startup: Disable autostart only via admin-managed settings; do not remove driver entirely.
- Excessive data collection: Review data collection policies and minimize scope as allowed by policy.
Quick Fixes:
1. Open Task Manager and identify the nsogroup-pegasus-driver-related processes.
2. Ensure Pegasus components are updated to the latest enterprise version.
3. Review policy settings that may cause periodic activity and adjust if allowed.
4. Check for conflicting security software and create enterprise-approved exclusions.
5. Update OS and Pegasus components to latest versions.
Frequently Asked Questions
What is nsogroup-pegasus-driver?
nsogroup-pegasus-driver is a kernel/user-space driver component used in Pegasus deployments to enable policy delivery, telemetry, and device management on enterprise endpoints.
Is nsogroup-pegasus-driver safe?
It can be legitimate when installed by an organization's Pegasus deployment; verify the path and digital signature to confirm authenticity.
Can I disable nsogroup-pegasus-driver?
You can disable components, but this may stop remote management and telemetry. Always consult your IT administrator before disabling.
How can I tell if nsogroup-pegasus-driver is legitimate?
Check the file location (should be under Program Files\NSO Group\Pegasus\Driver) and verify a valid NSO Group digital signature.
What should I do if I suspect Pegasus driver tampering?
Check Event Viewer for related logs, contact security teams, and verify against vendor management console for policy issues.
How do I remove nsogroup-pegasus-driver?
Follow enterprise uninstall procedures via your MDM/management console or vendor-provided uninstall utility.