Malware installed on an endpoint device often uses “stealth” techniques to avoid traditional threat detection methods and remain hidden from system administrators. Malware has grown sophisticated enough that malicious software residing on an endpoint device will often evade endpoint detection systems by hooking functions in both user space and kernel space. For example, a rootkit may hide its file input/output (I/O) activity from antivirus software that relies on a file system driver to detect file I/O processing. A rootkit might also hook network monitoring entry points as a further means of avoiding detection.