Possible FP with Intel driver?


Go to solution Solved by Marcos,

Recommended Posts

7 hours ago, Matevzg said:

Has anyone tried this?

I didn't find any pmxdrv64.sys file on the computer with pxmdrv.sys

Files inside the System32 folder are supposed to be 64-bit anyway. 32-bit files go inside SysWOW64. Not very intuitive, but that's the Microsoft way 😅


Has anyone contacted Intel in regards to providing the latest version of pmxdrv.sys for download, or at least a version greater than 1.0.0.1003?

I find it hard to believe that the driver is tied to a specific Intel(R) Management Engine Tools version.


Posted (edited)
On 5/7/2024 at 4:43 PM, frapetti said:

Yes, but the ThinkPad X1 Carbon 6th Gen is not listed there.

Believe this is what you're looking for: https://support.lenovo.com/us/en/downloads/ds502325-intel-management-engine-118-firmware-for-windows-10-64-bit-thinkpad-t480-t480s-x1-carbon-6th-gen . Note that in the ReadMe for this download, no mention is made of the CVE-2017 entries associated with the pmxdrv.sys driver vulnerability. Hopefully, it contains the updated ME driver.

I am also wondering if the X1 Carbon series PCs actually use the driver? Most of the security patch downloads for the affected Lenovo devices show a separate download for the ME driver. The X1 Carbon series PCs do not.

Edited by itman

Hello guys,
I have read every reply here. But I am still unsure whether I understood if my data is in danger because of this file...
I have a Lenovo T570, Intel i5 7th Gen.

I got this message from my antivirus program (not ESET):
The app C:\Windows\System32\drivers\pmxdrv.sys has been detected as a potentially unwanted application and was blocked. Detection name: Gen:Application.Venus.Ganymede.Pmx.2cK2@aiqbcMdi

Detection happened after restart. I restarted because I installed Oracle Java 17 and Docker. (Some minor Windows update, I think, also happened on restart.)

So how much danger am I in?


Posted (edited)
15 hours ago, profilerx said:

Detection happened after restart.

Appears your AV is detecting the vulnerable pmxdrv.sys driver attempting to load at boot time via the Win ELAM interface and blocking the driver loading. This would also indicate the pmxdrv.sys is not a device driver.

If this PC hasn't blue screened and is running fine, it does raise the question of whether the driver is actually required.

Edited by itman

Posted (edited)

Before I forget, and in regards to my above initial testing with the vulnerable RTCore64.sys driver, the following comment.

I decided to actually test Win 10/11 HVCI - Memory integrity in regards to blocking this driver from running. Note my PC is 10 years old, using an AMD Phenom II processor. I dropped RTCore64.sys in the C:\windows\temp directory and ran the following from an admin prompt window:

sc.exe create RTCore64.sys binPath=C:\windows\temp\RTCore64.sys type=kernel && sc.exe start RTCore64.sys

I overrode all Eset vulnerable driver access alerts in regards to the RTCore64.sys file.

The Win service was created w/o issue. But running the service, which will create RTCore64.sys in the C:\windows\System32\Drivers directory and load it from there, resulted in an access denied message. Verified RTCore64.sys was not created in the C:\windows\System32\Drivers directory. Further verified by the presence of a Service Control Event ID 7000 log entry showing the access denied activity.

Edited by itman

On 6/17/2024 at 11:45 AM, Matevzg said:

Hey guys,

just to follow up, I deleted the driver on numerous laptops about a week ago and so far no blue screens.

Hi, so you deleted the file C:\Windows\System32\drivers\pmxdrv.sys, or did you take any other action? Do you have pmxdrv64.sys anywhere? Because I do not have it.


We are receiving the same notification for pmxdrv.sys (9E5FCAEA33C9A181C56F7D0E4D9C42F8EDEAD252). Does anyone know if there's been any newly released driver?


There's hardly any other info online and Google primarily provides this thread as the most relevant.

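As an added example (not code from any poster in this thread, nor from ESET, Lenovo or Intel), here is a read-only PowerShell inventory that ties together the checks the thread discusses: whether the file is present, whether its SHA-1 matches the value BlueBear posted, whether its version is the 1.0.0.1003 build mentioned earlier, whether a kernel service is registered for it, whether HVCI (memory integrity) is running as in itman's test, and whether the System log holds Event ID 7000 entries naming the driver. The path, hash, version and event ID come from the thread; the WMI/CIM classes used are standard Windows ones. It makes no changes to the machine.

```powershell
# Added example: read-only inventory of the pmxdrv.sys driver discussed above.
# Run from an elevated PowerShell prompt. Nothing here modifies the system.

$DriverPath   = 'C:\Windows\System32\drivers\pmxdrv.sys'
$KnownSha1    = '9E5FCAEA33C9A181C56F7D0E4D9C42F8EDEAD252'   # SHA-1 posted by BlueBear
$KnownVersion = [version]'1.0.0.1003'                         # version mentioned earlier in the thread

$report = [ordered]@{}

# 1. Is the file on disk, and does it match the hash/version reported in the thread?
if (Test-Path -LiteralPath $DriverPath) {
    $item = Get-Item -LiteralPath $DriverPath
    $hash = (Get-FileHash -LiteralPath $DriverPath -Algorithm SHA1).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $DriverPath

    $report['FilePresent']       = $true
    $report['Sha1']              = $hash
    $report['Sha1MatchesThread'] = ($hash -ieq $KnownSha1)
    $report['FileVersion']       = $item.VersionInfo.FileVersionRaw
    $report['VersionAtOrBelow1.0.0.1003'] = ($item.VersionInfo.FileVersionRaw -le $KnownVersion)
    $report['SignatureStatus']   = $sig.Status          # Valid / NotSigned / HashMismatch ...
    $report['Signer']            = $sig.SignerCertificate.Subject
} else {
    $report['FilePresent'] = $false
}

# 2. Is a kernel-mode service registered for it, and is it currently loaded?
#    Win32_SystemDriver exposes the service name, start mode and running state.
$svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "PathName LIKE '%pmxdrv%'"
if ($svc) {
    $report['ServiceName']      = $svc.Name
    $report['ServiceStartMode'] = $svc.StartMode
    $report['ServiceState']     = $svc.State
} else {
    $report['ServiceName'] = '(no service references pmxdrv)'
}

# 3. Is HVCI (memory integrity) running? In Win32_DeviceGuard, a value of 2 in
#    SecurityServicesRunning means HVCI; 1 means Credential Guard.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard `
        -ErrorAction SilentlyContinue
$report['HvciRunning'] = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

# 4. Any Service Control Manager "failed to start" events (ID 7000) for this driver
#    in the last 30 days? Get-WinEvent throws when nothing matches, so suppress that.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7000;
                                            StartTime = (Get-Date).AddDays(-30) } `
            -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'pmxdrv' } |
          Select-Object TimeCreated, Message)
$report['Event7000Count'] = $events.Count
$report['Event7000Latest'] = if ($events) { $events[0].TimeCreated } else { $null }

[pscustomobject]$report | Format-List
$events | Format-Table -AutoSize -Wrap
```

If `FilePresent` is true and `Sha1MatchesThread` is true, the machine carries exactly the build the thread is about, and the `ServiceState` and `HvciRunning` fields tell you whether it is actually being loaded and whether memory integrity is in place to refuse it. A vendor update, as Marcos and itman advise, is still the proper fix; this script only shows where you stand.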

3 hours ago, BlueBear said:

We are receiving the same notification for pmxdrv.sys (9E5FCAEA33C9A181C56F7D0E4D9C42F8EDEAD252). Does anyone know if there's been any newly released driver?

You will have to contact the manufacturer of the PC to determine if they have issued a firmware update for this driver.


3 hours ago, BlueBear said:

We are receiving the same notification for pmxdrv.sys (9E5FCAEA33C9A181C56F7D0E4D9C42F8EDEAD252). Does anyone know if there's been any newly released driver?


There's hardly any other info online and Google primarily provides this thread as the most relevant.

The first step should be visiting the support website from the PC manufacturer. If there are any updated drivers, firmware, installed software, etc, it would be there.


Also note what I wrote on the Lenovo forums:

Quote

So, I decided to remove the vulnerable driver altogether, by deleting pmxdrv.sys. So far, it doesn't seem to have caused any problems.

The vulnerability is really serious. Just by setting ESET to perform cautious cleaning of potentially insecure applications, it deletes the file.

source: https://forums.lenovo.com/t5/ThinkPad-X-Series-Laptops/Vulnerable-driver-found-in-X1-Carbon-6th-Gen-notebook/m-p/5308580

So, in my case, deleting the driver didn't seem to have caused any problems. From what I read, it's used in tools to perform PC management in enterprise environments, firmware upgrades, diagnostics, and the like, so I assume that deleting it could prevent you from doing that, and that reinstalling or updating the tool that installed it could restore the driver (but make a copy of it, just in case).
