tese01, posted April 2: Why does ESET report the Win64/HighRez.A threat in the file C:\Windows\system32\drivers\inpoutx64.sys, application path C:\Windows\system32\compattelrunner.exe? Regards
Marcos (Administrator), posted April 2: It's a vulnerable driver that can be exploited for privilege escalation. It's on several blacklists, including Microsoft's.
tese01 (Author), posted April 2: What should I do now? Was this driver installed with Windows or with other software? Can I add it to quarantine? Will there be no problems with the system? Or maybe it is needed for the system to work and needs to be updated?
Marcos (Administrator), posted April 2: It appears that even the latest version from 2015 is vulnerable. You can quarantine the file and, in case a legitimate application cannot run, create a detection exclusion.
itman, posted April 2 (edited): Quoting tese01: "Was this driver installed with Windows or with other software?" Refer to this article: https://connect.tobii.com/s/article/TTL-InpOut?language=en_US . Also, other application software might use this driver. It appears compattelrunner.exe was scanning the system for installed software, as it does, and when it encountered inpoutx64.sys this caused the ESET detection. The bottom line is that this driver is used by system parallel ports. The only thing I know of that uses those is old printers.
tese01 (Author), posted April 2 (edited): I stopped it with sc stop inpoutx64, deleted the service with sc delete inpoutx64, and deleted the inpoutx64.sys file from the system32\drivers folder. I hope the system will not need the file. The strange thing is that if Microsoft has this driver on the blacklist, why does it add it with the driver package? I understand that there is nothing to replace it with when using printers with a serial port? I have another question about the MSI Afterburner and RTSS programs. After installing these programs, I received alerts from ESET about the RTCore64.sys threat. I know that there were BlackByte attacks in the past, but please tell me if it has already been patched and whether I can use these two programs, because the alert was still present.
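The manual sc stop / sc delete / delete-the-file sequence described in the post above, turned into a repeatable audit, as an added example that is not from the thread, from ESET or from Microsoft. It enumerates the kernel driver services the way the poster would need to (Get-Service does not list kernel drivers, so Win32_SystemDriver is used), flags any whose base name matches the two drivers named in this thread (inpoutx64 and RTCore64; that list is the only thing taken from the thread), prints hash, signer and service state so the result can be compared against a blocklist, and only removes anything when -Remove is given. The $KnownBadSha256 list is an assumption left empty for the reader to fill (flat-file SHA-256 values, not the Authenticode hashes Microsoft's block rules use), and the registry value it reports is assumed to be present only on builds that expose the vulnerable driver blocklist toggle. Run it from an elevated PowerShell.

```powershell
<#
Added example (not from the thread, ESET or Microsoft): audit a Windows host for the
vulnerable drivers discussed above and, optionally, remove them the way the poster
did with sc stop / sc delete. Requires an elevated PowerShell session.
Assumptions: $WatchNames holds the two driver base names from the thread;
$KnownBadSha256 is a reader-supplied list of flat-file SHA-256 hashes (empty here).
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$WatchNames     = @('inpoutx64', 'RTCore64'),
    [string[]]$KnownBadSha256 = @(),   # assumption: reader fills this from their own intel
    [switch]$Remove
)

# Win32_SystemDriver PathName comes in several shapes; normalise to a plain C:\... path.
function Resolve-DriverPath([string]$PathName) {
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"') -replace '^\\\?\?\\', ''              # \??\C:\...      -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"          # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # System32\drivers\x.sys
    return $p
}

# Kernel driver services are not returned by Get-Service, so query CIM instead.
$report = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    $path = Resolve-DriverPath $drv.PathName
    if (-not $path) { continue }
    $base   = [IO.Path]::GetFileNameWithoutExtension($path)
    $onDisk = Test-Path -LiteralPath $path
    $hash   = if ($onDisk) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
    $sig    = if ($onDisk) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }

    $nameHit = ($base -in $WatchNames) -or ($drv.Name -in $WatchNames)   # -in is case-insensitive
    $hashHit = [bool]$hash -and ($hash -in $KnownBadSha256)
    if (-not ($nameHit -or $hashHit)) { continue }

    [pscustomobject]@{
        Service   = $drv.Name
        State     = $drv.State          # Running / Stopped
        StartMode = $drv.StartMode      # Boot / System / Auto / Manual / Disabled
        Path      = $path
        OnDisk    = $onDisk
        Sha256    = $hash
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SigStatus = if ($sig) { $sig.Status } else { $null }
        Reason    = if ($hashHit) { 'hash' } else { 'name' }
    }
}
$report | Format-Table -AutoSize

# The original detection was an on-disk file found by compattelrunner.exe, so also look for
# matching .sys files that have no registered service at all.
Get-ChildItem -LiteralPath "$env:SystemRoot\System32\drivers" -Filter *.sys -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -in $WatchNames -and $_.FullName -notin $report.Path } |
    ForEach-Object { "Unregistered driver file present: $($_.FullName)" }

# Report whether this build exposes Microsoft's vulnerable driver blocklist toggle.
# Assumption: the CI\Config value exists only on newer builds; absence is reported, not treated as off.
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
if ($null -ne $ci -and $null -ne $ci.VulnerableDriverBlocklistEnable) {
    "VulnerableDriverBlocklistEnable = $($ci.VulnerableDriverBlocklistEnable)"
} else {
    "VulnerableDriverBlocklistEnable not present in the registry on this build"
}

# Optional removal, mirroring the poster's sc stop / sc delete / delete-the-file sequence.
# -WhatIf previews; a driver still held open by its application may refuse to stop.
if ($Remove) {
    foreach ($r in $report) {
        if ($PSCmdlet.ShouldProcess($r.Service, 'sc stop, sc delete, remove .sys file')) {
            if ($r.State -eq 'Running') { sc.exe stop $r.Service | Out-Null }
            sc.exe delete $r.Service | Out-Null
            if ($r.OnDisk) { Remove-Item -LiteralPath $r.Path -Force -ErrorAction Continue }
        }
    }
}
```

Run it once without -Remove to see what is present and whether the file is signed by the vendor you expect; then `.\Audit-VulnDrivers.ps1 -Remove -WhatIf` previews the removal before it is done for real. Because the match is by driver name (and optionally by flat-file hash), a renamed copy of the same driver dropped elsewhere by malware would not be caught by this script; that is the case the detection exclusion scoped to a specific path, discussed later in the thread, leaves to the antivirus.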
itman, posted April 2: Quoting tese01: "I have another question about the MSI Afterburner and RTSS programs. After installing these programs, I received alerts from Eset about the RTCore64.sys threat." Based on this: https://hardforum.com/threads/major-security-vulnerability-in-msi-afterburner.2030538/ , the latest version of Afterburner is not vulnerable. I assume it installs a new version of the RTCore64.sys driver. If ESET doesn't alert about it after the latest Afterburner installation, you're good to go.
tese01 (Author), posted April 3: I used MSI Afterburner version 4.6.5 and ESET warned me with alerts; I understand that version 4.6.6 does not cause alerts? Can I use ESET with Malwarebytes in real time?
Marcos (Administrator), posted April 3: Quoting tese01: "I used msi afterburner version 4.6.5 and Eset warned me with alerts, I understand that version 4.6.6 does not cause alerts? Can I use Eset with Malwarebytes in real time?" The beta 4.6.6 still contains the 2-year-old driver, which is vulnerable and detected. However, you can create a detection exclusion with the path to the driver so that it will still be detected if potential malware dropped it in a different folder. I mean, if you run the application and the driver is detected, tick the "Exclude from detection" check-box and click Ignore. As for MBAM, it is not recommended to use two or more real-time protections at a time, otherwise they would likely clash, which might lead to unforeseeable issues.
itman, posted April 3 (edited): Based on this quote: "Security researchers at cybersecurity company Sophos explain that the abused MSI graphics driver offers I/O control codes directly accessible by user-mode processes, which violates Microsoft's security guidelines on kernel memory access. This makes it possible for attackers to read, write, or execute code in kernel memory without using shellcode or an exploit." (https://www.bleepingcomputer.com/news/security/blackbyte-ransomware-abuses-legit-driver-to-disable-security-products/), I would say there is no safe way to allow this vulnerable driver to remain installed on the system, regardless of where it is stored.
tese01 (Author), posted April 4: MSI Afterburner can be replaced with Fan Control, which I have already done because I only needed the GPU fan curve, but there is a problem with displaying technical parameters, because for another program to work, e.g. CapFrameX, it requires the RTSS program, which is also vulnerable to attacks.