
inpoutx64.sys potentially dangerous application



Why does ESET report the Win64/HighRez.A threat in the file C:\Windows\system32\drivers\inpoutx64.sys, application path C:\Windows\system32\compattelrunner.exe?

Regards


  • Administrators

It's a vulnerable driver that can be exploited for privilege escalation. It's on several blocklists, including Microsoft's.


What should I do now? Was this driver installed with Windows or with other software? Can I add it to quarantine? Will there be no problems with the system? Or maybe it is needed for the system to work and needs to be updated?


  • Administrators

It appears that even the latest version from 2015 is vulnerable. You can quarantine the file and in case a legitimate application cannot run, create a detection exclusion.


1 hour ago, tese01 said:

Was this driver installed with Windows or with other software?

Refer to this article: https://connect.tobii.com/s/article/TTL-InpOut?language=en_US . Other application software might also use this driver.

It appears compattelrunner.exe was scanning the system for installed software, as it does, and when it encountered inpoutx64.sys this caused the ESET detection.

The bottom line is that this driver is used by system parallel ports. The only thing I know of that uses those is old printers.

Edited by itman


I stopped it with sc stop inpoutx64 and deleted the service with sc delete inpoutx64 and deleted the inpoutx64.sys file from the system32\drivers folder. I hope the system will not need the file.

The strange thing is that if Microsoft has this driver on the blacklist, why does it add it with the driver package? I understand that there is nothing to replace it with when using printers with a serial port?

I have another question about the MSI Afterburner and RTSS programs. After installing these programs, I received alerts from ESET about the RTCore64.sys threat. I know that there were BlackByte attacks in the past, but please tell me whether it has already been patched and whether I can use these two programs, because the alert was still present.

Edited by tese01
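The stop/delete sequence above (sc stop, sc delete, remove the .sys file) is the manual version of what follows. This is an added example written for this thread, not code from ESET, Tobii or any poster. It assumes the driver is registered as a kernel service whose ImagePath ends with the file name you pass in (true for inpoutx64.sys in System32\drivers; for RTCore64.sys the path is wherever Afterburner installed it, which the service entry reveals), and it must be run from an elevated PowerShell. Before touching anything it records the SHA-256 and signer so the file can be compared against a published blocklist, and it refuses to delete a driver service that another service still declares a dependency on, which is the check you want before "hoping the system will not need the file".

```powershell
# Added example for the inpoutx64.sys / RTCore64.sys discussion; not from ESET or any poster.
# Requires an elevated PowerShell. Nothing here is ESET-specific.

function ConvertTo-Win32Path([string] $ImagePath) {
    # Driver ImagePath values come in several registry forms; normalise to a plain Win32 path.
    $p = $ImagePath -replace '^\\\?\?\\', ''                       # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"         # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # System32\drivers\x.sys
    return $p
}

function Get-FlaggedDriverReport {
    param(
        # File name only, e.g. 'inpoutx64.sys' or 'RTCore64.sys'.
        [Parameter(Mandatory)] [string] $DriverFileName
    )
    # Kernel-driver service entries whose image path ends with the file name.
    $entries = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like "*\$DriverFileName" }

    $services = foreach ($svc in $entries) {
        # 'sc.exe enumdepend' lists services that declare a dependency on this one; deleting
        # the driver while such a dependent exists leaves that dependent unable to start.
        $dependOut = (& sc.exe enumdepend $svc.Name) -join ' '
        [pscustomobject]@{
            Name          = $svc.Name
            State         = $svc.State
            StartMode     = $svc.StartMode
            Path          = ConvertTo-Win32Path $svc.PathName
            HasDependents = ($dependOut -match 'SERVICE_NAME')
        }
    }
    $services = @($services)

    # Fall back to System32\drivers if no service entry references the file (assumption).
    $file = if ($services.Count -gt 0) { $services[0].Path }
            else { Join-Path $env:SystemRoot "System32\drivers\$DriverFileName" }

    $hash = $null; $sigStatus = 'FileMissing'; $signer = $null
    if (Test-Path -LiteralPath $file) {
        $hash      = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        $sig       = Get-AuthenticodeSignature -FilePath $file
        $sigStatus = $sig.Status.ToString()          # Valid, NotSigned, HashMismatch, ...
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    [pscustomobject]@{
        DriverFile      = $file
        SHA256          = $hash        # compare against the Microsoft vulnerable driver blocklist
        SignatureStatus = $sigStatus   # a valid signature does not make a driver safe
        Signer          = $signer
        Services        = $services
    }
}

function Remove-FlaggedDriver {
    # Same steps tese01 ran by hand (sc stop, sc delete, delete the file), with a dependency
    # guard and -WhatIf support. ESET quarantine is the alternative if you prefer a rollback path.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $DriverFileName)

    $report = Get-FlaggedDriverReport -DriverFileName $DriverFileName
    if ($report.Services | Where-Object HasDependents) {
        throw "Another service depends on $DriverFileName; resolve that before removing it."
    }
    foreach ($svc in $report.Services) {
        if ($PSCmdlet.ShouldProcess($svc.Name, 'stop and delete driver service')) {
            & sc.exe stop   $svc.Name | Out-Null   # error 1062 if not running; harmless
            & sc.exe delete $svc.Name | Out-Null   # marked for deletion; gone after reboot
        }
    }
    if ((Test-Path -LiteralPath $report.DriverFile) -and
        $PSCmdlet.ShouldProcess($report.DriverFile, 'delete driver file')) {
        Remove-Item -LiteralPath $report.DriverFile -Force   # may need ownership if ACL denies
    }
}

# Usage: inspect first, dry-run the removal, then run it without -WhatIf.
Get-FlaggedDriverReport -DriverFileName 'inpoutx64.sys' | Format-List
Remove-FlaggedDriver -DriverFileName 'inpoutx64.sys' -WhatIf
```

Note that the report deliberately lists every service entry that points at the file: a driver can be registered under more than one service name by different installers, and `sc delete` on one of them leaves the others able to reload it.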

1 hour ago, tese01 said:

I have another question about the MSI Afterburner and RTSS programs. After installing these programs, I received alerts from Eset about the RTCore64.sys threat.

Based on this: https://hardforum.com/threads/major-security-vulnerability-in-msi-afterburner.2030538/ , the latest version of Afterburner is not vulnerable. I assume it installs a new version of the RTCore64.sys driver. If ESET doesn't alert about it after the latest Afterburner installation, you're good to go.


I used MSI Afterburner version 4.6.5 and ESET warned me with alerts. I understand that version 4.6.6 does not cause alerts?

Can I use Eset with Malwarebytes in real time?


  • Administrators
2 hours ago, tese01 said:

I used MSI Afterburner version 4.6.5 and ESET warned me with alerts. I understand that version 4.6.6 does not cause alerts?

Can I use Eset with Malwarebytes in real time?

The beta 4.6.6 still contains the 2-year-old driver, which is vulnerable and detected. However, you can create a detection exclusion with the path to the driver so that it will still be detected if potential malware drops it in a different folder.

I mean if you run the application and the driver is detected, tick the "Exclude from detection" check-box and click Ignore.


As for MBAM, it is not recommended to use two or more real-time protections at a time, otherwise they would likely clash, which might lead to unforeseeable issues.


Based on this:

Quote

Security researchers at cybersecurity company Sophos explain that the abused MSI graphics driver offers I/O control codes directly accessible by user-mode processes, which violates Microsoft’s security guidelines on kernel memory access.

This makes it possible for attackers to read, write, or execute code in kernel memory without using shellcode or an exploit.

https://www.bleepingcomputer.com/news/security/blackbyte-ransomware-abuses-legit-driver-to-disable-security-products/

I would say there is no safe way to allow this vulnerable driver to remain installed on the system, regardless of where it is stored.

Edited by itman
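Earlier in the thread the question came up of why Windows ships or tolerates a driver that is on Microsoft's own blocklist. Being on the list and being blocked are different things: Windows only refuses to load a listed driver when the blocklist is enforced, which per Microsoft's documentation happens when memory integrity (HVCI) is running, when Smart App Control is on, or when the CI\Config\VulnerableDriverBlocklistEnable registry value is 1 (on by default from Windows 11 22H2). On a machine where none of that holds, the file sits in System32\drivers and a third-party scanner such as ESET is the only thing objecting to it. The following added example, written for this thread and not taken from Microsoft or any poster, reports that state and pulls the most recent Code Integrity load decisions so you can see whether Windows itself has ever blocked a driver; the Smart App Control case is not checked, so the "likely enforced" field is a heuristic and the authoritative switch is Windows Security > Device security > Core isolation.

```powershell
# Added example for the "why is a blocklisted driver still loadable" question; not from Microsoft.

function Get-DriverBlocklistState {
    # Device Guard status via WMI. SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvci = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    # Explicit blocklist switch; $null means the value is not present at all.
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                           -ErrorAction SilentlyContinue
    $flag = if ($ci -and $null -ne $ci.VulnerableDriverBlocklistEnable) {
        [int]$ci.VulnerableDriverBlocklistEnable
    } else { $null }

    # Code Integrity load decisions: 3077 = load blocked by policy, 3076 = audit-only hit.
    $events = Get-WinEvent -FilterHashtable @{
                  LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077
              } -MaxEvents 20 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        HvciRunning                     = $hvci
        VulnerableDriverBlocklistEnable = $flag
        # Heuristic: explicit 1 wins; HVCI enforces it unless explicitly set to 0.
        BlocklistLikelyEnforced         = ($flag -eq 1) -or ($hvci -and $flag -ne 0)
        RecentCodeIntegrityEvents       = @($events | ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Summary = ($_.Message -split "`n")[0]   # first line names the file
            }
        })
    }
}

Get-DriverBlocklistState | Format-List
```

If HvciRunning is false and the registry value is absent or 0, a detection exclusion in ESET means nothing else on the machine will stop the driver from loading, which is the point itman makes above about there being no safe place to keep it.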

MSI Afterburner can be replaced with Fan Control, which I have already done because I only needed the GPU fan curve. But there is a problem with displaying technical parameters, because for another program to work, e.g. CapFrameX, it requires the RTSS program, which is also vulnerable to attacks.

