It's not an anti-virus, it's intended to monitor all and everything on the machine. You^WAn attacker might want to hide what you're doing and thus it runs at that level.
You may be right, but they do market it as "Next-Generation Antivirus (NGAV)"/"Antivirus with Threat Intelligence", probably because it's a word people are familiar with.
I understand that these "NGAV" must be in ring 0 (device driver) because they want to inspect more things directly and be more protected there, avoiding being attacked. I'm not sure they can achieve this.