Windows is flagging some monitoring applications as malware, and it's for good reason

A couple of days ago, we reported that a Windows update had resulted in printers printing gibberish for no apparent reason. These types of bugs are not entirely uncommon on Windows, which makes sense given that it’s a monolithic piece of software with years-old code running on over a billion devices. Recently, multiple users also claimed that the operating system is falsely flagging some harmless hardware monitoring applications as malware. While the initial understanding was that this issue was being triggered by a Windows bug, it appears that this is not the case after all.

Many popular applications are affected

As spotted by Neowin, some hardware monitoring and fan control applications from vendors like Razer, SteelSeries, and others are being classified as malware by Microsoft Defender, and are being immediately quarantined. The antivirus software is warning users about a HackTool:Win32/Winring0, referring to the WinRing0x64.sys system driver. For those unaware, this driver is utilized by applications to communicate with various internals, so it makes sense that hardware monitoring applications appear to be most affected by this flagging.

Not really a false positive

Source: Michael Geiger (Pexels)

While many thought that this was likely a false positive being reported by Microsoft Defender, the developer of the FanControl app has noted in a GitHub release that this driver has a known vulnerability which has not been patched. The change log states:

Many of you reported that Defender started to flag the LibreHardwareMonitorLib driver (WinRing0x64.sys), you do not need to report it furthermore [sic], I\u0027m aware of it. This kernel driver always had a known vulnerability that could be theoretically be [sic] exploited on an infected machine. The driver or the program itself are not malicious and are not more or less secure than before it got flagged. It is good practice to review the risk before any action is taken with Defender.

Similarly, Razer also rolled out a patch in late February to get rid of this driver’s utilization in its Synapse code. Indeed, the National Vulnerability Database (NVD) has been tracking this exploit as CVE-2020-14979 since August 2020. If you search for the vulnerability, you’ll come across many forum threads which discuss this exploit and related applications being flagged as malware by other antivirus software, so it’s interesting that Microsoft has decided to take action now.

For now, it seems like customers of affected software should reach out to their respective vendors to release updates which eradicate the need for this system driver. If that is not possible, it seems like users will have to choose between ignoring the warnings from Microsoft Defender or not using the affected applications at all. Seeing that patching the driver is apparently a complicated process, and it hasn’t been fixed in almost five years since being tracked on NVD, it’s unlikely we’ll get an official fix in the future.