Security News Windows 11/10 is flagging "Winring0" on your PC monitoring, fan control apps, here's why

Gandalf_The_Grey

For the last few days or so, various users online have reported that their fan control and/or other PC hardware monitoring applications are being flagged by Microsoft Defender. Affected apps include ones from Razer, SteelSeries, and many more. These applications are getting flagged due to an underlying "WinRing0x64.sys" system driver that Microsoft warns as "HackTool:Win32/Winring0" and Defender is quarantining the threat immediately upon detection.

As it turns out, "WinRing0 is a hardware access library for Windows" and allows Windows apps to "access I/O ports, MSR (Model-Specific Register), and PCI" bus.

OpenRGB, for example, states on its GitHub repo that it "uses the WinRing0 driver to access the SMBus interface" on Windows PCs. SMBus, or System Management Bus, helps in communication between low-bandwidth requirement devices. You may have come across the term for chipset drivers like that of AMD's.

Interestingly, it is not entirely wrong on Microsoft's part to flag it since the driver is indeed vulnerable. The developer of the popular free fan control app called "Fan Control" has explained that applications like these which rely on the open-source LibreHardwareMonitorLib driver (WinRing0x64.sys) are technically correctly being flagged. That is because the driver can theoretically be exploited as it remains unpatched.