
Possible FP with Intel driver?


Go to solution Solved by Marcos,


7 hours ago, Matevzg said:

Has anyone tried this?

I didn't find any pmxdrv64.sys file on the computer with pmxdrv.sys

Files inside the System32 folder are supposed to be 64-bit, anyways. 32-bit files go inside SysWOW64. Not very intuitive, but that's the Microsoft way 😅


Has anyone contacted Intel in regard to providing the latest ver. of the pmxdrv.sys download, or at least a version greater than 1.0.0.1003?

I find it hard to believe that the driver is tied to a specific Intel(R) Management Engine Tools version.


Posted (edited)
On 5/7/2024 at 4:43 PM, frapetti said:

Yes, but the ThinkPad X1 Carbon 6th Gen is not listed there.

Believe this is what you're looking for: https://support.lenovo.com/us/en/downloads/ds502325-intel-management-engine-118-firmware-for-windows-10-64-bit-thinkpad-t480-t480s-x1-carbon-6th-gen . Note that in the ReadMe for this download, no mention is made of CVE-2017's associated with the pmxdrv.sys driver vulnerability. Hopefully, it contains the updated ME driver.

I am also wondering if the X1 Carbon series PCs actually use the driver? Most of the patch security downloads for the affected Lenovo devices show a separate download for the ME driver. The X1 Carbon series PCs do not.

Edited by itman

Hello guys,
I have read every reply here. But I am still unsure whether I understood if my data is in danger because of this file...
I have a Lenovo T570, Intel i5 7th Gen.

I got this message from my antivirus program (not Eset):
The app C:\Windows\System32\drivers\pmxdrv.sys has been detected as a potentially unwanted application and was blocked. Detection name: Gen:Application.Venus.Ganymede.Pmx.2cK2@aiqbcMdi 

Detection happened after restart. I restarted because I installed Oracle Java 17 and Docker. (Some minor Win update, I think, also happened on restart.)

So how much in danger am I?


Posted (edited)
15 hours ago, profilerx said:

Detection happened after restart.

Appears your AV is detecting the vulnerable pmxdrv.sys driver attempting to load at boot time via the Win ELAM interface and blocking the driver loading. This would also indicate the pmxdrv.sys is not a device driver.

If this PC hasn't blue screened and is running fine, it does raise the question of if the driver is actually required?

Edited by itman

Posted (edited)

Before I forget and in regards to my above initial testing with the vulnerable RTCore64.sys driver, the following comment.

I decided to actually test Win 10/11 HVCI - Memory protection in regards to blocking this driver from running. Note my PC is 10 years old using an AMD Phenom II processor. I dropped the RTCore64.sys in the C:\windows\temp directory and ran the following from an admin prompt window:

sc.exe create RTCore64.sys binPath=C:\windows\temp\RTCore64.sys type=kernel && sc.exe start RTCore64.sys

I overrode all Eset vulnerable driver access alerts in regards to the RTCore64.sys file.

The Win service was created w/o issue. But running the service which will create RTCore64.sys in C:\windows\System32\Drivers directory and load it from there resulted in an access denied message. Verified RTCore64.sys was not created in C:\windows\System32\Drivers directory. Further verified by presence of Service Control Event Id 7000 log entry showing the access denied activity.

Edited by itman
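The verification steps described in the post above (HVCI state, whether the driver file appeared, Service Control Manager event 7000), together with a version check of the pmxdrv.sys file this thread is about, written out as a read-only PowerShell check. This is an added example, not part of the original thread; the service name is taken from the sc.exe command in the post, and the value 2 for HVCI is the documented `SecurityServicesRunning` value of `Win32_DeviceGuard`.

```powershell
# Added example: read-only checks; run from an elevated PowerShell prompt.
$svcName = 'RTCore64.sys'   # service name from the sc.exe command in the post
$drvDir  = Join-Path $env:SystemRoot 'System32\drivers'

# 1. Is memory integrity (HVCI) running? Win32_DeviceGuard lists 2 in
#    SecurityServicesRunning when HVCI is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard
"HVCI running: $($dg.SecurityServicesRunning -contains 2)"

# 2. Is the kernel service registered, and what image does it point at?
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    "Service registered: Type=$($svc.Type) ImagePath=$($svc.ImagePath)"
} else {
    "Service '$svcName' is not registered"
}

# 3. Did a copy of the driver appear in System32\drivers?
"RTCore64.sys in drivers folder: $(Test-Path (Join-Path $drvDir 'RTCore64.sys'))"

# 4. Service Control Manager event 7000 entries that name the service.
Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$svcName*" } |
    Select-Object -Property TimeCreated, Id, Message -First 5 |
    Format-List

# 5. File version of pmxdrv.sys, the driver this thread is about.
$pmx = Join-Path $drvDir 'pmxdrv.sys'
if (Test-Path $pmx) {
    $vi  = (Get-Item $pmx).VersionInfo
    $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                          $vi.FileBuildPart, $vi.FilePrivatePart)
    "pmxdrv.sys version: $ver (thread asks for one greater than 1.0.0.1003)"
} else {
    "pmxdrv.sys not present"
}
```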
