Question Windows Security FP?

[n8chavez]

Anyone have any insight into Windows Defender detecting C:\WINDOWS\system32\Drivers\WinRing0x64.sys as Trojan:Win32/Vigorf.A. Virus total sees 4/72 detections as dangerous, and there does seem to be quite a lot of discussions about this detection being false. Still, it as nor detected as bad yesterday, and every article I've found on it being an FP is from months ago. Anyone have any thoughts? Is this safe, or is this MS Security catching a legit threat?

 

[lokamoka820]

I think the file/driver itself is safe, but it could be used by a malicious software if it is a kernel based driver, this is why MS Defender consider it unsafe.

 

[RoboMan]

Seems to be flagged as such because of Defender's understanding of it being vulnerable. Also, upon searching online it seems to be highlighted as an unsafe driver or even be considered a HackTool due to its ability to read/write arbitrary memory at kernel-level.

Read: https://forum.eset.com/topic/46390-threat-flagged-winring0x64sys/

It seems that this driver is used for controlling PC components (FanControl, LibreHardwareMonitor, OpenRGB, etc).

Read: Threats detected: Trojan:Win32/Vigorf.A - Microsoft Q&A

All in all, it seems that it is a false positive due to the driver's nature.

 

[Divergent]

Anyone have any insight into Windows Defender detecting C:\WINDOWS\system32\Drivers\WinRing0x64.sys as Trojan:Win32/Vigorf.A. Virus total sees 4/72 detections as dangerous, and there does seem to be quite a lot of discussions about this detection being false. Still, it as nor detected as bad yesterday, and every article I've found on it being an FP is from months ago. Anyone have any thoughts? Is this safe, or is this MS Security catching a legit threat?

WinRing0x64.sys is a well-known driver used by many popular hardware monitoring and customization utilities. These include applications for controlling fan speeds, RGB lighting, and monitoring CPU/GPU temperatures.

It is important to note that this driver has a known vulnerability. Because it provides direct, low-level access to hardware, it could theoretically be exploited by other malicious software already on your system to gain elevated privileges. This doesn't mean the driver itself is malicious, but rather that it's a component that security software is beginning to view as a potential risk. Microsoft's recent detection is likely a policy decision to flag this potentially vulnerable driver, even in the absence of malicious activity.

This is very likely a false positive.

Identify the Source, determine which application installed this driver. Do you use software like MSI Afterburner, CPU-Z, or any RGB/fan control utilities?

Update Your Software, check for updates for your hardware monitoring software. Developers are aware of this issue and may have released versions with an updated, less vulnerable driver.

 

[Parkinsond]

LibreHardwareMonitor

Any program based on LibreHardwareMonitor get flagged by not only MD, but also B; B previously flagged TrafficMonitor sys file for the same reason.

 

[n8chavez]

So, the consensus is that this is a false positive and is not malicious? Good. But it's interesting this was not flagged yesterday, but was today.

 

[lokamoka820]

Any program based on LibreHardwareMonitor get flagged by not only MD, but also B; B previously flagged TrafficMonitor sys file for the same reason.

This is odd I use Sidebar Diagnostics, which is based on Libre Hardware Monitor, and it has never been flagged.

 

[Parkinsond]

This is odd I use Sidebar Diagnostics, which is based on Libre Hardware Monitor, and it has never been flagged.

I had it with openhardware monitor, liberhardwaremonitor, and trafficmonitor, on several occasions by both MD and B; looks specific versions with some signature updates cause the conflict.
After those warnings, I prefered to use CoreTemp; it has no librehardwaremonitor sys files and do the same task more lightly.

 

[lokamoka820]

I had it with openhardware monitor, liberhardwaremonitor, and trafficmonitor, on several occasions by both MD and B; looks specific versions with some signature updates cause the conflict.
After those warnings, I prefered to use CoreTemp; it has no librehardwaremonitor sys files and do the same task more lightly.

Core Temp in no-no for me because of the origin of the developer, HWiNFO64 is my final destination for everything hardware related.

 

[Parkinsond]

Core Temp in no-no for me because of the origin of the developer, HWiNFO64 is my final destination for everything hardware related.

Let us keep software away from politics and religion

 

[Sorrento]

Hw-Info does all for me

 

[Parkinsond]

Hw-Info does all for me

It is good, but consumes more CPU and RAM compared to CoreTemp; meanwhile, I am not in need for the extra data it provides (only require CPU temp and RAM utilization in taskbar).