Windows is flagging some monitoring applications as malware, and it’s for good reason

A recent wave of reports from Windows users describes a perplexing issue: popular hardware monitoring applications are being flagged as malware by Microsoft Defender, seemingly by mistake. The situation has caused confusion, particularly because it follows a series of other bugs associated with Windows updates, including a notable instance in which printers began producing nonsensical output.

Many popular applications are affected

As detailed by Neowin, applications from well-known vendors such as Razer and SteelSeries have come under the scrutiny of Microsoft Defender, which classifies them as potential threats. The antivirus software reports a detection named HackTool:Win32/Winring0, which refers to the WinRing0x64.sys kernel driver. Hardware monitoring applications rely on this driver to read low-level system internals such as sensors, so any application that bundles it is caught by the same detection.

Not really a false positive

Initially perceived as a mere false positive, further investigation reveals a more complex reality. The developer of the FanControl application has acknowledged on GitHub that the WinRing0x64.sys driver possesses a known vulnerability that has yet to be addressed. In their update, they stated:

Many of you reported that Defender started to flag the LibreHardwareMonitorLib driver (WinRing0x64.sys), you do not need to report it furthermore [sic], I’m aware of it. This kernel driver always had a known vulnerability that could be theoretically exploited on an infected machine. The driver or the program itself are not malicious and are not more or less secure than before it got flagged. It is good practice to review the risk before any action is taken with Defender.

In a proactive response, Razer has also implemented a patch in February to eliminate the use of this driver within its Synapse software. Notably, this vulnerability has been tracked by the National Vulnerability Database (NVD) under the identifier CVE-2020-14979 since August 2020. A search for this vulnerability reveals numerous discussions across forums, indicating that other antivirus solutions have similarly flagged these applications as potential threats.

For users of the affected software, the path forward appears uncertain. They may need to contact their respective vendors for updates that remove reliance on the problematic driver. Alternatively, users face a challenging decision: either disregard the warnings from Microsoft Defender or forgo the use of these applications altogether. Given the complexity of patching this driver and the fact that it has remained unaddressed for nearly five years, a timely resolution seems unlikely.
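For administrators or users who want to know whether the driver discussed above is present on a machine and whether Defender has already recorded the HackTool:Win32/Winring0 detection, the following PowerShell script is an added example (it is not from the article, FanControl, Razer or Microsoft). It assumes an elevated PowerShell session on Windows with the built-in Defender module available; the install roots searched are an assumption about where vendors bundle the driver.

```powershell
# Added example: inventory WinRing0 driver instances on this host and check
# whether Microsoft Defender has already flagged them.
# Assumptions: elevated PowerShell on Windows; Defender cmdlets (Get-MpThreat)
# come from the built-in Defender module; search roots are a best guess.

$pattern = 'WinRing0'

# 1. Kernel drivers registered with the service control manager whose name or
#    image path mentions WinRing0 (State tells you whether it is currently loaded).
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -match $pattern -or $_.PathName -match $pattern } |
    Select-Object Name, State, StartMode, PathName

# 2. Copies of the driver file shipped inside application folders. Applications
#    such as FanControl or Razer Synapse bundle their own copy, so an unloaded
#    file can still be present and can be loaded again later.
$roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:LOCALAPPDATA", "$env:ProgramData")
$files = foreach ($root in $roots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Filter 'WinRing0*.sys' -Recurse -File -ErrorAction SilentlyContinue
    }
}

$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        SHA256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        Signer    = $sig.SignerCertificate.Subject
        SigStatus = $sig.Status
    }
}

# 3. What Defender has already recorded, filtered to the threat name cited above.
$detections = Get-MpThreat -ErrorAction SilentlyContinue |
    Where-Object { $_.ThreatName -like 'HackTool:Win32/Winring0*' } |
    Select-Object ThreatName, Resources

"== Registered WinRing0 drivers ==";                  $drivers    | Format-Table -AutoSize
"== WinRing0 driver files under application folders =="; $report   | Format-Table -AutoSize
"== Defender detections for HackTool:Win32/Winring0 ==";  $detections | Format-List
```

The file hashes and signer subjects in the report make it possible to tell which application shipped each copy, which is the information you need when deciding whether to wait for a vendor update that drops the driver or to stop using the application.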
