EVGA component driver WinRing0x64.sys detected after... five years?


Go to solution Solved by itman,


This morning when I woke up and started my computer, ESET threw a warning at me that CompatTelRunner.exe was trying to access C:\Program Files (x86)\LED Sync\WinRing0\WinRing0x64.sys. This is a file that it has seen for over five years, and it comes from the legitimate hardware vendor EVGA. ESET this morning labeled it as a Potentially Unsafe Application. Which I find really odd: it's been malware for FIVE YEARS that ESET didn't detect?

I went ahead and cleaned by deleting, and then submitted a sample from quarantine to ESET - But I'm just curious if this is in fact legitimate malware, or potentially a false positive. The hash on the file was 012DB3A80FAF1F7F727B538CBE5D94064E7159DE - which, when searched via VirusTotal, gives a completely clean profile with no detections. Including ESET!

I'm a little weirded out by all this. Particularly since ESET on my computer flagged this file after so long, and ESET on Virus Total seems to not flag it at all. Is something weird happening here?

I don't quite know how to submit the file here out of quarantine, as ESET will likely flag it as I attempt to move it. But I can submit a log from ESET log collector, if that helps. 

Edited by Tetranitrocubane

  • Administrators

The detection is correct, was added in February already. Detection of pot. unsafe applications is disabled by default. Also we add a PUsA detection when it's obvious that a particular application has been seen to have been exploited and misused in attacks. So it's normal that we may start to detect a particular PUsA after years.


Posted (edited)

If this detection was correct, does that mean my system has been infected for five years without my knowing it? What steps should I take next?

Also, as this was a legitimate piece of software downloaded from EVGA, should I take steps to notify them that their software is compromised? Or was this malicious on the part of EVGA?

Edited by Tetranitrocubane

After the removal of the EVGA Precision tool that used this file, a full system scan was performed, and didn't reveal anything untoward. No detections.

With a backdoor open for that long, I'm somewhat hesitant to conclude everything is okay - But I confess I may be being paranoid. Is there any other measure that would need to be taken after the cleaning of the initial file?


  • Most Valued Members

I believe it's nothing to be mad at ESET for. Without analysis, it could be that this software has been used in some exploits several times, which made ESET include it as an unsafe application, but the safety of the program depends on its developers. It happened to ASUS before, where malicious actors used their software to deploy their malware to people who had their software.

But having the detection after 5 years is a good indication that ESET will reanalyze or remake their decisions even on old software.

I doubt you are compromised, but the detection just shows that this application can be misused and harm your device. Uninstalling it is the better option. If you still don't trust ESET's results, you could run another scanner like Kaspersky or Windows Defender, which could scan without real-time protection so it won't conflict with ESET.


6 minutes ago, itman said:

As far as Eset's valid detection of this driver, refer to this: https://www.cvedetails.com/cve/CVE-2020-14979/ . The solution is to upgrade the driver to a non-exploitable version.

I am also wondering why Eset took two years to start flagging the driver.

To be clear, then, this driver was detected due to a vulnerability which could potentially be exploited - not because the driver itself is directly malicious?

As I no longer require this software, I have completely uninstalled it. I'm just curious if any further mitigation is necessary. If the driver itself were directly malicious, I would expect it to compromise the system at a level beyond uninstallation being the solution.

Thank you much for the detail on this.


1 minute ago, Tetranitrocubane said:

To be clear, then, this driver was detected due to a vulnerability which could potentially be exploited - not because the driver itself is directly malicious?

Correct.

However, any software that can be exploited is potentially malicious. Further, exploitation can and has bypassed any detections by security software.

Edited by itman

3 minutes ago, itman said:

Correct.

However, any software that can be exploited is potentially malicious. Further, exploitation can and has bypassed any detections by security software.

A fair point. Do you believe that this software's presence means that ESET's detections are now unreliable by consequence?

Admittedly, the software has not been loading the driver, as I have not been running it for a long while. Still, the vulnerability WAS present.


1 minute ago, Tetranitrocubane said:

A fair point. Do you believe that this software's presence means that ESET's detections are now unreliable by consequence?

Eset a few months back started using Mitre's ATT&CK Matrix: https://attack.mitre.org/ in earnest. As such, as long as a vulnerability CVE has been published, Eset can now respond to it in a timely fashion.


2 minutes ago, itman said:

Eset a few months back started using Mitre's ATT&CK Matrix: https://attack.mitre.org/ in earnest. As such, as long as a vulnerability CVE has been published, Eset can now respond to it in a timely fashion.

Sorry - I phrased that poorly.

What I meant is that, after uninstalling the EVGA software and running a full system scan, ESET didn't find any further malicious software of note. Is this result to be trusted, or, because of the vulnerability in the EVGA software, should it be treated with suspicion? (As you mentioned, "exploitation can and has bypassed any detections by security software.")


2 minutes ago, Tetranitrocubane said:

ESET didn't find any further malicious software of note. Is this result to be trusted, or because of the vulnerability in the EVGA software, should it be treated with suspicion

Since Eset's detection was here: C:\Program Files (x86)\LED Sync\WinRing0\WinRing0x64.sys, I am assuming it was a user mode driver. It appears the vulnerability was to allow exploitation to, in essence, give the driver kernel mode privileges.

It is virtually impossible to determine if the driver has been exploited in the past. The best determination if past exploitation occurred is if malware mysteriously appeared on your device.

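Since the thread leaves the reader with "check whether the file is still there and keep an eye on it", here is an added defender-side inventory check, written for this thread and not taken from ESET, EVGA or the posters. It searches the usual install roots for WinRing0 driver files, fingerprints each one with SHA-1 so it can be compared against the hash the original poster reported (012DB3A80FAF1F7F727B538CBE5D94064E7159DE), records the Authenticode signer, and then asks Windows whether any registered driver service still points at the file. The search roots and the use of the vendor's default install folder are assumptions; it runs on Windows PowerShell 5.1 or later and needs no third-party modules.

```powershell
# Added example, not from the forum thread or any vendor: inventory a known
# vulnerable driver file and check whether a driver service still references it.
# Assumes Windows PowerShell 5.1+ (Get-FileHash, Get-CimInstance available).

# SHA-1 reported by the original poster for the quarantined WinRing0x64.sys.
$KnownSha1 = '012DB3A80FAF1F7F727B538CBE5D94064E7159DE'

# Assumed search roots: both Program Files trees plus the system driver folder.
$SearchRoots = @(
    "$env:ProgramFiles",
    "${env:ProgramFiles(x86)}",
    "$env:SystemRoot\System32\drivers"
)

# 1. Locate any WinRing0*.sys on disk and fingerprint it.
$found = foreach ($root in $SearchRoots) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -Path $root -Filter 'WinRing0*.sys' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sha1 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            [PSCustomObject]@{
                Path        = $_.FullName
                SHA1        = $sha1
                MatchesPost = ($sha1 -eq $KnownSha1)   # same build the poster had?
                SigStatus   = $sig.Status              # Valid / NotSigned / HashMismatch ...
                Signer      = $sig.SignerCertificate.Subject
                LastWrite   = $_.LastWriteTime
            }
        }
}

# 2. A file on disk is inert until a driver service loads it; list any service
#    whose name or image path mentions WinRing0, with its state and start mode.
$services = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -match 'WinRing0' -or $_.PathName -match 'WinRing0' } |
    Select-Object Name, State, StartMode, PathName

# 3. Report. An uninstalled tool should leave neither a file nor a service behind.
if ($found) { $found | Format-Table -AutoSize } else { 'No WinRing0 driver files found under the searched roots.' }
if ($services) { $services | Format-Table -AutoSize } else { 'No driver service referencing WinRing0 is registered.' }
```

Run it from an elevated PowerShell prompt so the driver folder and service list are fully readable. A row with MatchesPost set to True means the same build the poster quarantined is still present; a registered service with State "Running" means the driver is loaded right now rather than merely sitting on disk, which is the case that actually matters for the privilege-escalation concern discussed above. As itman notes, none of this tells you whether the driver was ever abused in the past; it only tells you whether the exposure still exists today.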

2 minutes ago, itman said:

Since Eset's detection was here: C:\Program Files (x86)\LED Sync\WinRing0\WinRing0x64.sys, I am assuming it was a user mode driver. It appears the vulnerability was to allow exploitation to, in essence, give the driver kernel mode privileges.

It is virtually impossible to determine if the driver has been exploited in the past. The best determination if past exploitation occurred is if malware mysteriously appeared on your device.

Understood - At this point I suppose the best course of action is to keep an eye on it and hope that it was not exploited before it could be removed.

Thanks very much for your help and guidance on this.


3 hours ago, Tetranitrocubane said:

Understood - At this point I suppose the best course of action is to keep an eye on it and hope that it was not exploited before it could be removed.

I wouldn't be concerned.

Average individual users are seldom exploited.

Exploiting falls in the category of targeted attacks. The targets are entities that either present financial advantages or political motivation to the attacker. Deploying an exploit requires the attacker to perform a number of activities, the first of which is reconnaissance against the target's IT infrastructure to determine if vulnerable software exists.

Edited by itman