• Hacktool:Win32/Winring0

    • This topic has 13 replies, 4 voices, and was last updated 2 months ago.
    #2755199

    Hello !

    Yesterday I got a message from Microsoft Defender about Hacktool:Win32/Winring0 in WinRing0x64.

    I’m not the only one as you can see here: https://www.reddit.com/r/techsupport/comments/1j8jrs8/hack_tool_win32winring0/

    For now I clicked on ignore, but I’m afraid to restart my PC. Could you tell me what to do, please?


    • #2755260

      C:\Windows\system32\Drivers\WinRing0x64.sys has been flagged up occasionally after utility driver updates for over a decade, maybe two.

      I’d put it in quarantine for a while in case of some wag trying a double-bluff.

      Virustotal (mentioned in the reddit thread) gives it the okay from almost all the major (read trusted) AV companies, but something (an update, new software using it?) has changed.

      If you know which utility software it belongs to (there are many using it) then you can allow deletion of the driver and look for a replacement or updated software in a week or so.

    • #2755264

      Thanks for your answer Satrow.

      Defender seems to have put it in quarantine. I’ll leave it there for now, but I hope I won’t have problems when I restart my PC, like some people on Reddit :S

      I have no idea which utility software it belongs to, is there a way to discover it ?

    • #2755288

      Not so easy – you’ll need to look for stuff like fan controllers, software that shows/measures temps/voltages/speeds etc. Many hardware/utility companies utilise it.

      Probably best for you to list what you have in that range, if it’s only a few, which one runs automatically (Autoruns/TaskMan’s Startup apps tab… )?

    • #2755294

      Ah it must be Gigabyte Control Center then.

    • #2755296

      My Anti-virus (AVG) sometimes does the same thing for part of one or more of the utility programs I use and it almost always winds up being a false positive.

      Heck, I’ve even had my AVG block updates for a few of my utilities (7+ Taskbar Tweaker, Balaboka text 2 speech, Open-Shell, etc.) because it quarantined part of the actual installation program. And it does so even though it accepts the actual programs themselves as being virus/malware free!

      The problem is, some utility programs, like what @satrow mentioned, use modules that can “appear” to be malware because of how they access the OS/system to do what they do.

    • #2755309

      Gigabyte Control Center

      Yup, that’ll be the most likely – and it could have bitten me too but I’d uninstalled it after not using it for a couple of months.

    • #2755325

      Thanks again for your answer, I’ll let you know how the restart went.

    • #2755460

      I don’t see any change so it’s all good !!


    • #2755660

      https://github.com/Rem0o/FanControl.Releases/releases/tag/V217

      “Many of you reported that Defender started to flag the LibreHardwareMonitorLib driver (WinRing0x64.sys); you do not need to report it further, I’m aware of it. This kernel driver has always had a known vulnerability that could theoretically be exploited on an infected machine. The driver and the program itself are not malicious and are not more or less secure than before it got flagged. It is good practice to review the risk before any action is taken with Defender”

      * May not be a false positive:

      https://nvd.nist.gov/vuln/detail/cve-2020-14979

      The WinRing0.sys and WinRing0x64.sys drivers 1.2.0 in EVGA Precision X1 through 1.0.6 allow local users, including low integrity processes, to read and write to arbitrary memory locations. This allows any user to gain NT AUTHORITY\SYSTEM privileges by mapping \Device\PhysicalMemory into the calling process.

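      To answer the earlier question of how to find out which utility owns the driver (the fan-controller / monitoring-software hunt and the Startup-tab check suggested above) and to do the “review the risk” step the FanControl note recommends, here is an added PowerShell inventory script. It is example code written for this thread, not code from Microsoft, FanControl, Gigabyte, Razer or EVGA; the vendor/product names in the `$KnownUsers` table are assumptions used only for matching, and the script must be run from an elevated PowerShell prompt.

```powershell
# Added example: inventory WinRing0 driver copies on this PC, the kernel driver
# service that loads them, the installed software that most likely shipped them,
# and what Defender recorded. Run elevated. The $KnownUsers table is an assumption
# (illustrative product names from this thread), not an authoritative list.

$KnownUsers = @{
    'Gigabyte'            = 'Gigabyte Control Center / App Center'
    'Razer'               = 'Razer Synapse 3 (builds before the Feb 2025 patch)'
    'FanControl'          = 'FanControl (LibreHardwareMonitorLib)'
    'LibreHardwareMonitor' = 'LibreHardwareMonitor'
    'EVGA'                = 'EVGA Precision X1'
}

# 1. Driver files on disk: the system drivers folder plus per-application copies.
#    Recursing Program Files can take a minute on a large install.
$roots = @("$env:SystemRoot\System32\drivers", $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }
$files = foreach ($r in $roots) {
    Get-ChildItem -Path $r -Recurse -Filter 'WinRing0*.sys' -ErrorAction SilentlyContinue
}

Write-Host "== WinRing0 driver files ==" -ForegroundColor Cyan
foreach ($f in $files) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path      = $f.FullName
        Version   = $f.VersionInfo.FileVersion      # CVE-2020-14979 names driver version 1.2.0
        Signer    = $sig.SignerCertificate.Subject
        SigStatus = $sig.Status                     # Valid / NotSigned / HashMismatch ...
        SHA256    = $hash                           # paste into VirusTotal if you want a second opinion
        LastWrite = $f.LastWriteTime
    } | Format-List
}

# 2. Kernel driver services whose image path points at WinRing0. The service's
#    ImagePath is the authoritative link between the .sys file and a loader.
Write-Host "== Driver services loading WinRing0 ==" -ForegroundColor Cyan
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -match 'WinRing0' } |
    Select-Object Name, DisplayName, State, StartMode, PathName |
    Format-Table -AutoSize

# 3. Installed software that is a known WinRing0 user (per the assumed table above).
Write-Host "== Installed applications known to bundle WinRing0 ==" -ForegroundColor Cyan
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation
foreach ($k in $KnownUsers.Keys) {
    $installed |
        Where-Object { $_.DisplayName -match $k -or $_.Publisher -match $k } |
        ForEach-Object { '{0} -> {1} {2}' -f $KnownUsers[$k], $_.DisplayName, $_.DisplayVersion }
}

# 4. Auto-start entries: the same data Task Manager's Startup tab and Autoruns (Logon) show.
Write-Host "== Startup entries ==" -ForegroundColor Cyan
Get-CimInstance Win32_StartupCommand |
    Select-Object Name, Command, Location |
    Format-Table -AutoSize

# 5. What Defender actually recorded for this family (name, severity, still active?).
Write-Host "== Defender threat records ==" -ForegroundColor Cyan
Get-MpThreat |
    Where-Object { $_.ThreatName -match 'Winring0' } |
    Select-Object ThreatName, SeverityID, IsActive, Resources |
    Format-List
```

      Read the output in order: section 2 tells you whether the driver is actually loaded right now (State and StartMode), section 3 names the application that installed it, and section 1 tells you whether the copy on disk is the old signed 1.2.0 binary that CVE-2020-14979 describes or something a vendor has since replaced. If the owning application has already been updated to a version that no longer uses WinRing0 (as the Razer and FanControl posts describe), a leftover service entry can be stopped and disabled with `Stop-Service` and `Set-Service -StartupType Disabled` before deleting the file; if the application still needs the driver, the decision is the trade-off the later replies in this thread discuss.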
    • #2755673

      I’ll follow the advice of Satrow and update the software, I don’t really know what else to do.

    • #2755677

      allow local users

      Yes, we should all worry about people with access to our machines tweaking them to run cooler and quieter….

      Better allow them to open the windows and wear ear defenders, so sneak thieves can relocate them somewhere safe?

      Ring0 is the Windows kernel, some software must have access to portions of that to measure/control base hardware and settings.

      Update if the software you use is actually required for your needs. Lock the door when you leave.

      • #2755744

        https://insider.razer.com/general-discussion-6/hack-tool-win32-winring0-razer-synapse-74634?postid=249278#post249278

        “Windows virus and threat protection has flagged “Hacktool:Win32/Winring0” as an active high threat. This is my first encounter with a piece of malware. Affected Razer Synapse, everyone else?”

        “Synapse 3 rolled out a security patch on February 20, 2025, to move away from these drivers.

        Synapse 4 did not use these drivers.

        We encourage anyone facing this issue to check that they are using the latest version of Synapse 3, or upgrade to Synapse 4 for the most advanced protection and features.

        This is in line with what’s being handled throughout the industry. We went ahead and made sure everything is secure ahead of time, but it’s very important that users are up to date with their Windows security patches and any others where required.”

        https://www.razer.com/synapse-3
