WinRing0 Severe Threat

Microsoft’s attention to WinRing0 has finally come to fruition and Defender is flagging it as severe and subjecting it to quarantine. However, one can restore it and it’ll be an allowed threat.

WinRing0 is a kernel driver released to the open-source community by OpenLibSys.org about 20 years ago. It loads as WinRing0_1_2_0 (v1.2.0.5) and was abandoned by its creator, Noriyuki Miyazaki, a long time ago.

There is a reddit thread focused on a popular EVGA product, but the dialogue for WinRing0, regardless of product, is universal and exhaustive.

Why does Defender hate Fan Control? An explanation of Windows Drivers, WinRing0.sys, and its 7.8 CVE score:
https://www.reddit.com/r/FanControl/comments/1j93doq/why_does_defender_hate_fan_control_an_explanation/

gringrant’s conclusion is ominous: “If you choose to override Defender, know that your OS’s front door is open, and any program you run can use it for whatever they wish.”

I have two apps, OpenHardwareMonitor and as Open Source Developer, Noriyuki Miyazaki, CrystalDiskInfo 8, with the former Allow App Launch, the others Add Rule and the latter all Add Rule.

  1. Would SpyShelter now protect from any behavior evoked by WinRing0? I would think that’d be under System Integrity Control. High is my custom setting.

  2. If not, is it something it could do in a hopefully soon update?

From what I understood, malware might try to load this vulnerable driver, so in paranoid mode, SpyShelter should alert about this. You can continue to use Fan Control or other tools that make use of this driver, just don’t let untrusted apps load drivers, problem solved.

Yes, I believe this would be correct @RasheedHolland and @Surt.

Community service/FYI/update post for anyone browsing/lurking the forum or a search landing to here:

Libre Hardware Monitor’s WinRing0.sys port, LibreHardwareMonitor.sys, has been replaced by namazsco’s signed PawnIO.sys in the Monitor’s v0.9.6.0.

SpyShelter’s polished detailing of all four events’ alerts and logging was 100% spot-on.


Since you don’t use SS15, your understanding is less than zero. Stop cluttering up my posts with your poser bloat.

This is your modus operandi in that other forum as is participation in the “SS15 isn’t SS12” babble.

I wonder how many folks checked in here to read your way too many “SS15 doesn’t do every buzz-word thing I want it to do” and decided against its purchase. Kudos to Carl’s fortitude.

SS15 is UNIQUE with modules and protections not present in any other anti-whatever product, by anyone, anywhere. I recognized it within days of my beta testing, bounced off of my 30 years in enterprise support, including but not limited to Regulation P and HIPAA.

I’m afraid it’s you who has zero understanding. It was already confirmed that SS 15 will most likely alert about this WinRing0 driver being loaded, your question was already answered. But you probably didn’t even understand it, so who is the real poser? :joy:

And many people were disappointed because SS 15 doesn’t offer the same level of protection as SS 12, so those posts of mine have the goal to make SS 15 better. Your childlike fanboyish behavior is pathetic, and I think people don’t need me in order to decide if SS 15 is worth it or not. If the developers didn’t have any problems with my posts, who are YOU? :thinking:

I have decided to take a look again at this WinRing0 driver issue, and it seems like it’s not so much about malicious tools that try to load this driver, but apparently malware can communicate with this driver to elevate privileges, so SpyShelter (and other security tools) can’t do anything about this.

I know there are other examples where malware needs to load so-called vulnerable drivers, and this can be stopped. But apparently they can also abuse already installed drivers, so then the only option is to stop using legitimate tools that use these drivers, or to simply not run any malicious tools. So at the end of the day, AV should take care of this. :slight_smile:

Here is some more info:

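The two posts above turn on one question a practitioner wants answered on their own box: is a WinRing0 device object reachable right now, and from which token? The PowerShell below is an added example for this thread, not code from SpyShelter, OpenLibSys or the Reddit post. It lists the kernel-driver service(s) that register WinRing0, hashes and checks the signature of the on-disk file, tries to open the device handle from the current process (an open/close only, no IOCTL is sent), and reports whether memory integrity (HVCI), which is what applies Microsoft's vulnerable-driver blocklist, is running. Assumptions not stated on the page: the device name is `\\.\WinRing0_1_2_0` and the service name starts with `WinRing0`.

```powershell
# Added example (not from the thread, SpyShelter or OpenLibSys): audit a Windows host for WinRing0.
# Assumed, not taken from the page: device object \\.\WinRing0_1_2_0, service name WinRing0*.

Add-Type -Namespace WinRing0Audit -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr CreateFileW(string lpFileName, uint dwDesiredAccess, uint dwShareMode,
    IntPtr lpSecurityAttributes, uint dwCreationDisposition, uint dwFlagsAndAttributes,
    IntPtr hTemplateFile);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Get-WinRing0Services {
    # WinRing0 is registered as a kernel-driver service (the OP's Defender hit names it
    # WinRing0_1_2_0). Service paths may carry an NT prefix such as \??\ or \SystemRoot.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like 'WinRing0*' -or $_.PathName -match 'winring0' } |
        ForEach-Object {
            $path   = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            $exists = Test-Path -LiteralPath $path
            $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
            [pscustomobject]@{
                Service    = $_.Name
                State      = $_.State        # 'Running' means the device object exists right now
                StartMode  = $_.StartMode
                Path       = $path
                FileExists = $exists         # $false once Defender has quarantined the .sys file
                Sha256     = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
                Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                SigStatus  = if ($sig) { [string]$sig.Status } else { $null }
            }
        }
}

function Test-WinRing0Device {
    param([string]$DevicePath = '\\.\WinRing0_1_2_0')   # assumed device name
    $GENERIC_READ  = [uint32]0x80000000
    $GENERIC_WRITE = [uint32]0x40000000
    $OPEN_EXISTING = [uint32]3
    # Opening the handle is enough to learn whether this token can reach the driver.
    $h = [WinRing0Audit.Native]::CreateFileW($DevicePath, ($GENERIC_READ -bor $GENERIC_WRITE), 0,
            [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h.ToInt64() -ne -1) {
        [void][WinRing0Audit.Native]::CloseHandle($h)
        return 'OPENABLE'          # any code running as this user can issue the driver's IOCTLs
    }
    switch ($err) {
        2       { return 'NOT_PRESENT' }     # ERROR_FILE_NOT_FOUND: no such device object
        5       { return 'ACCESS_DENIED' }   # device exists, but this token may not open it
        default { return "OPEN_FAILED_$err" }
    }
}

function Get-DriverBlocklistStatus {
    # Microsoft's vulnerable-driver blocklist is applied when memory integrity (HVCI) is on;
    # Windows 11 22H2 and later turn it on by default. SecurityServicesRunning 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        HvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
        KernelCI    = $dg.CodeIntegrityPolicyEnforcementStatus          # 0 off, 1 audit, 2 enforced
        UserModeCI  = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    }
}

$report = [ordered]@{
    Services  = @(Get-WinRing0Services)
    Device    = Test-WinRing0Device
    Blocklist = Get-DriverBlocklistStatus
}
$report.Services | Format-Table -AutoSize
"Device \\.\WinRing0_1_2_0 from this process: $($report.Device)"
$report.Blocklist
```

Run it twice, once elevated and once from a standard-user shell. `OPENABLE` from the standard-user shell is exactly the condition gringrant describes: any program that user runs can talk to the driver. A service with `State = Running` but `FileExists = $false` means Defender removed the file but the driver is still in memory; quarantining the .sys does not unload a driver that is already loaded, so the device stays reachable until the service is stopped or the machine reboots.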

@RasheedHolland you posted in another thread you cannot respond until I reply? So I am replying in case it is helpful for this issue, but I have not heard of this issue with Discourse before.

That’s why I’m saying that this forum software sucks. You should be able to post multiple times in a row, even if nobody replied. :face_with_bags_under_eyes:

But anyway, I only found one example of malware abusing this driver, and it did load the WinRing0 driver, see first link. This is what we call a “Bring Your Own Vulnerable Driver” attack, see second link.

But I assume it could have also simply abused an already installed WinRing0 driver, that comes with legitimate apps. But malware can’t know for sure if this exploitable driver is installed or not.


Thanks for posting that, pretty scary.

For the forum, I guess they want you to just edit your post? I am not sure. I will see if I can change the settings.

I assume that most malware will try to load such an exploitable/vulnerable driver, since it can’t know if such a driver is already installed, unless it’s a Windows OS driver. So this should be stopped by SpyShelter. The problem with the Windows OS design is that you can’t block malicious behavior from drivers. So once a driver is loaded and malware can interact with it, it’s mostly game over. :roll_eyes:

Yes, please change the settings, because like you said, I might as well edit my posts, so what difference does it make if I post multiple times in a row without any response, know what I mean?

BTW, can you take a look at this post, I wonder if SpyShelter has a rules manager? So basically, every time some app is allowed or denied to perform some action, this should also be visible in a rules manager, but I never saw this in any screenshot, so that’s why I wondered about it. :slightly_smiling_face:


Yes, we have rules where you can see how you set up everything to work and you can change and undo them.

Is it possible to post a screenshot of this on your website and/or this forum?

Also, congrats on the PCMag article about AppControl. Perhaps they can also review SpyShelter? :grinning_face:


Thanks @RasheedHolland! Yes, we posted AppControl here in the forum when it was first released in February. It is exciting to see it in PCMag.

Are you able to install AppControl? If so, you can go to its “Apps” screen and see the rules system there in person on your own PC.

Below is SpyShelter where you can see how the rules look there. You can see one app is quarantined then you can see an app was blocked from accessing the mic, and another was allowed to access the webcam/mic there.


No, I can’t install AppControl on Win 10. Would be cool if they also reviewed SpyShelter, because with SS you can actually block stuff. But I’m not sure if you guys will merge AppControl and SpyShelter.

About the rules manager, can you also see which apps are allowed to access protected folders? And which apps are allowed to load/install services and drivers? I assume the third icon is about folder access right?

BTW, about these exploitable drivers, there is a website where all of these drivers are tracked. I believe Windows Defender should block most of them. Perhaps an idea to make SpyShelter alert if such a driver is somehow loaded by some app.

And about what I said earlier, that security tools can’t actually monitor malicious behavior from drivers: back in 2011 Intel bought McAfee, and they came up with DeepSAFE. It was pretty cool, but it never actually took off; perhaps it was too risky for some security tool to sit on top of Windows.
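The idea raised in this post and in the earlier one ("most malware will try to load such a driver ... this should be stopped") is what a driver-load detection does: watch every kernel-driver load and compare it against a list of known vulnerable drivers. The PowerShell below is an added example for this thread, not SpyShelter's code and not taken from the tracker site mentioned above. It reads the shape of Sysmon Event ID 6 (DriverLoad) records and matches each load against a watch list by file name and by SHA256, so a renamed copy of a listed driver is still caught. The watch list and the three sample records are constructed for the demo; the hash values are placeholders, not real WinRing0 hashes, and should be replaced with the values a vulnerable-driver tracker publishes.

```powershell
# Added example (not SpyShelter's code): flag Sysmon EID 6 driver loads that match a watch list.
# Watch list and sample events are constructed; the SHA256 values are placeholders, not real hashes.

$WatchList = @(
    [pscustomobject]@{ Family = 'WinRing0'; NamePattern = '(?i)winring0'; Sha256 = @(('1' * 64)) }
)

function ConvertFrom-SysmonDriverLoad {
    # Flattens a live Sysmon EID 6 record from Get-WinEvent into the shape used below.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            UtcTime = $d['UtcTime']; ImageLoaded = $d['ImageLoaded']; Hashes = $d['Hashes']
            Signed  = $d['Signed'];  Signature   = $d['Signature'];   SignatureStatus = $d['SignatureStatus']
        }
    }
}

function ConvertFrom-SysmonHashes {
    # "SHA1=...,MD5=...,SHA256=...,IMPHASH=..." -> hashtable keyed by algorithm name
    param([string]$Hashes)
    $h = @{}
    foreach ($pair in ($Hashes -split ',')) {
        $k, $v = $pair -split '=', 2
        if ($k -and $v) { $h[$k.Trim().ToUpper()] = $v.Trim().ToUpper() }
    }
    $h
}

function Find-WatchedDriverLoad {
    param([Parameter(Mandatory)][object[]]$Events, [object[]]$Watch = $WatchList)
    foreach ($e in $Events) {
        $hashes = ConvertFrom-SysmonHashes $e.Hashes
        $file   = [System.IO.Path]::GetFileName($e.ImageLoaded)
        foreach ($w in $Watch) {
            $reasons = @()
            if ($file -match $w.NamePattern) { $reasons += 'name' }
            if ($hashes['SHA256'] -and ($w.Sha256 -contains $hashes['SHA256'])) { $reasons += 'sha256' }
            if ($reasons) {
                [pscustomobject]@{
                    UtcTime = $e.UtcTime; Family = $w.Family; Image = $e.ImageLoaded
                    MatchedOn = ($reasons -join '+'); Signature = $e.Signature; SigStatus = $e.SignatureStatus
                }
            }
        }
    }
}

# Constructed sample records in the flattened EID 6 shape (signer names are made up).
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2025-03-12 10:01:02.000'; ImageLoaded = 'C:\Program Files\FanTool\WinRing0x64.sys'
                       Hashes = "SHA256=$('1' * 64)"; Signed = 'true'; Signature = 'Example Signer'; SignatureStatus = 'Valid' }
    [pscustomobject]@{ UtcTime = '2025-03-12 10:02:03.000'; ImageLoaded = 'C:\Windows\System32\drivers\example.sys'
                       Hashes = "SHA256=$('2' * 64)"; Signed = 'true'; Signature = 'Microsoft Windows'; SignatureStatus = 'Valid' }
    [pscustomobject]@{ UtcTime = '2025-03-12 10:03:04.000'; ImageLoaded = 'C:\Users\Public\tmp\svc.sys'   # renamed copy
                       Hashes = "SHA256=$('1' * 64)"; Signed = 'true'; Signature = 'Example Signer'; SignatureStatus = 'Valid' }
)

Find-WatchedDriverLoad -Events $SampleEvents | Format-Table -AutoSize
# Expected: two rows, WinRing0x64.sys matched on name+sha256 and svc.sys matched on sha256 only.

# Live use against the Sysmon log:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } |
#     ConvertFrom-SysmonDriverLoad | ForEach-Object { Find-WatchedDriverLoad -Events $_ }
```

The third sample is the point of hashing: a loader that drops the same driver under a harmless name defeats a name-only rule, while the hash still matches. Name matching is kept because a tracker may not list every build of a driver family. Note that this is detection after the fact; the load has already happened by the time EID 6 is written, which is the gap the posts above describe and why blocking the load (HVCI blocklist, or a tool that prompts before a driver service is created) is the preventive control.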

Can you try the current version today? Thanks. I believe you only tried an older version. This issue may be resolved.

@RasheedHolland we released an AppControl update yesterday. Can you install it?