
ESET blocks MSI center Mystic Light



ESET is blocking a file from MSI Mystic Light. I have included a photo of the error ESET shows. The name changes but always starts with is- and ends with .tmp.

ALSO: I pressed ignore the first time I installed this, so if it is a virus I would like to know. I also have little knowledge of submitting samples to the ESET lab.



Posted (edited)

Here's an MSI forum posting on the vulnerable driver issue: https://forum-en.msi.com/index.php?threads/mystic-light-driver-ene-sys-flagged-as-a-vulnerable-driver.373963/page-2 . If Eset is alerting on ene.sys, the following applies:

Quote

ene.sys is a system file related to EneTechIo or EneIo, developed by ENE Technology, usually installed with driver software for ENE Technology’s hardware products. If you don’t have a hardware device from ENE specifically but still have the error message about ene.sys, then please check to see if there’s a program controlling the RGB lighting on your keyboard and/or mouse.

Appears the MSI Mystic Light installer you are running is using a vulnerable ene.sys driver version and trying to install it.

It appears Mystic Light is supposed to be installed from the MSI Center software. I assume the latest download of it doesn't contain the vulnerable driver. I would start over by uninstalling your existing MSI Center software, downloading its latest version here: https://www.msi.com/Landing/mystic-light-rgb-gaming-pc/how-to , and then installing Mystic Light as instructed on the MSI download page. -EDIT- Also uninstall MSI Companion:

Quote

So, I tried uninstalling/reinstalling MSI Center and restarted, but it didn't fix the problem at first. Next, I uninstalled MSI Center and saw that MSI Companion was also installed. I uninstalled that as well, restarted, reinstalled MSI Center, restarted again for good measure, and all is well.

https://forum-en.msi.com/index.php?threads/ene-sys-driver-compatibility-error.395860/#post-2252676

Alternatively, you could first try to update the Mystic Light software from the MSI Center:

Quote

You may scan / update Mystic Light software via MSI Center software.
(Please refer to software manual for detail procedure).

and see if the update contains a non-vulnerable driver version. 

Edited by itman

Posted (edited)

I reinstalled MSI center and Mystic Light, ESET still detects it.
Is there a way to get MSI to fix this? I will try contacting support.

Edited by Ninjaguardian

Posted (edited)

I guess I should have asked who is your PC manufacturer? I assumed it was MSI. The Mystic Light software is provided by a number of PC manufacturers; ASUS being another one.

There is a forum posting from two years ago on a Mystic Light vulnerable driver detection: https://forum.eset.com/topic/32126-eset-flagging-drivers-as-potential-malware/#comment-149732 . In this instance, Eset was detecting MSIO64.SYS, which is a known vulnerable driver. It is also an RGB support driver.

We need to clarify two things:

1. Who is the PC manufacturer?

2. What vulnerable driver(s) is Eset detecting? From your Eset Detection log, copy the entry related to the Mystic Light driver detection and paste it in your forum reply. It will contain a hash value that I can use at VirusTotal to determine the driver name. -EDIT- To copy an Eset Event log entry, right-click on the entry and select Copy.

Edited by itman

It is MSI.

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
5/18/2024 11:50:30 AM;Real-time file system protection;file;C:\Program Files (x86)\MSI\MSI Center\Mystic Light\is-UON8M.tmp;Win64/WinIO.D potentially unsafe application;cleaned by deleting;OWENPC\carte;Event occurred on a new file created by the application: C:\Users\carte\AppData\Local\Temp\is-VCFMO.tmp\Mystic Light_3.0.8.7.tmp (9D8C15976059897585082955C4FF1194B2922D05).;0B01C4C1F18D72EB622BE2553114F32EDFE7B7AA;2/17/2024 10:56:48 AM

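The pasted Detections log export above is semicolon-delimited, and the record carries two SHA-1 values: the detected object's hash in the Hash column and the hash of the creating process embedded in the Information text. The following is an added example, not from the thread or from ESET, that parses such an export, pulls both hashes out, flags objects whose name matches the is-*.tmp pattern the original post describes, and matches the object hash against a caller-supplied set of known vulnerable-driver hashes (here seeded with the hash quoted in the thread; a real deployment would load the set from a source such as the LOLDrivers feed).

```python
import csv
import re
from io import StringIO

# Constructed copy of the ESET Detections log export pasted in the thread
# (one header line plus one record, fields separated by ';').
ESET_LOG = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
5/18/2024 11:50:30 AM;Real-time file system protection;file;C:\Program Files (x86)\MSI\MSI Center\Mystic Light\is-UON8M.tmp;Win64/WinIO.D potentially unsafe application;cleaned by deleting;OWENPC\carte;Event occurred on a new file created by the application: C:\Users\carte\AppData\Local\Temp\is-VCFMO.tmp\Mystic Light_3.0.8.7.tmp (9D8C15976059897585082955C4FF1194B2922D05).;0B01C4C1F18D72EB622BE2553114F32EDFE7B7AA;2/17/2024 10:56:48 AM
"""

# Hashes the analyst already treats as known vulnerable drivers. Seeded with the
# SHA-1 from the thread; in practice load this from a vetted feed (assumption).
KNOWN_VULNERABLE_SHA1 = {"0B01C4C1F18D72EB622BE2553114F32EDFE7B7AA"}

SHA1_RE = re.compile(r"\b[0-9A-Fa-f]{40}\b")
# Temporary file names of the form is-XXXXX.tmp, as described in the first post.
INSTALLER_TMP_RE = re.compile(r"is-[A-Za-z0-9]+\.tmp", re.IGNORECASE)


def is_installer_temp(path):
    """True when the file name part of a Windows path looks like is-XXXXX.tmp."""
    name = path.rsplit("\\", 1)[-1]
    return INSTALLER_TMP_RE.fullmatch(name) is not None


def parse_eset_detections(text):
    """Parse an ESET Detections export into dicts with both SHA-1 values split out."""
    records = []
    for row in csv.DictReader(StringIO(text), delimiter=";"):
        creator_hashes = SHA1_RE.findall(row["Information"])
        records.append({
            "time": row["Time"],
            "path": row["Object"],
            "detection": row["Detection"],
            "action": row["Action"],
            "object_sha1": row["Hash"].upper(),
            # Hash of the process that created the file, taken from the
            # parenthesised value in the Information column when present.
            "creator_sha1": creator_hashes[0].upper() if creator_hashes else None,
            "installer_temp_file": is_installer_temp(row["Object"]),
        })
    return records


def match_known_bad(records, known_sha1s):
    """Return only the records whose object hash is in the known-vulnerable set."""
    wanted = {h.upper() for h in known_sha1s}
    return [r for r in records if r["object_sha1"] in wanted]


if __name__ == "__main__":
    for r in match_known_bad(parse_eset_detections(ESET_LOG), KNOWN_VULNERABLE_SHA1):
        print(r["time"], r["object_sha1"], r["path"], "created by", r["creator_sha1"])
```

Once the object hash is isolated it can be looked up at VirusTotal or LOLDrivers exactly as the thread does by hand, and the creator hash identifies the installer that dropped the file.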

Posted (edited)
18 hours ago, Ninjaguardian said:

0B01C4C1F18D72EB622BE2553114F32EDFE7B7AA

The driver name is EneIo64.sys. It appears to be the 64-bit version of the ene.sys driver discussed previously. EneIo64.sys is a vulnerable driver as verified here: https://www.loldrivers.io/drivers/90ecbbf7-b02f-424d-8b7d-56cc9e3b5873/ .

Checking the version number of the MSI Center download from the MSI web site, it appears to be the latest version. You will have to contact MSI directly about the issue since I could find no non-vulnerable replacement driver references on the web. You can also try posting in the MSI forum about the issue.

Edited by itman

Posted (edited)

FYI - an example of how the driver can be exploited:

Quote

However, this sample attempts to work with an EneIo or EneIo64 device name, which means it probably attempts to load the ene.sys driver developed by ENE Technology. According to Ahnlab’s report, the EneIo driver is capable of accessing kernel physical memory and I/O ports directly and it has a vulnerable mechanism to verify the source that calls its functionality. While other vendors have described a rootkit that disables multiple behavior monitoring features such as Registry callback, Object callback, Process-related callback, File system callback, Windows Filtering Platform (WFP) callback, and Event Tracing for Windows (ETW) callback, the newly discovered malware specifically targets security products by modifying the callback tables of certain APIs. It wipes the callback addresses of process/thread creation and module loading callbacks, thereby disrupting the functionality of security products.

It is important to note that we have added the ability to prevent the exploitation of EneIo vulnerable drivers to our products.

https://ics-cert.kaspersky.com/publications/reports/2023/10/18/updated-mata-attacks-industrial-companies-in-eastern-europe/

Edited by itman

13 hours ago, Ninjaguardian said:

If you don't need their app to control the RGB, for example, I tend to remove the manufacturer software directly when I get my hands on the computer. I consider them bloatware sitting in the PC, useless and out-of-date.

MSI should update their driver, but I don't know if they will or how fast they will.


Posted (edited)

Reviewing the above posted Kaspersky article excerpt, there is another possible explanation for MSI's use of a vulnerable EneIo64.sys driver.

It appears EneIo64.sys is some type of "helper" driver used to install the ene.sys driver. As such, EneIo64.sys is not being permanently installed on the device and is only used during Mystic Light software installation. 

The way Eset detects vulnerable drivers is upon access to the associated .sys file. The assumption is that the .tmp file Eset detected, containing EneIo64.sys, is being accessed by the installer to be renamed, installed, and then loaded. The main question is whether this driver remains installed after the Mystic Light installation completes. If it does not, I don't see an issue here with allowing access to the .tmp file. The "big if" here is whether the MSI Center installer download has been compromised.

I see a poster on the MSI forum is recommending using the MSI Center Cleaner utility to uninstall it. Then download MSI Center from MS Store and install it. Let's see if this resolves the EneIo64.sys issue.

Edited by itman

I will also note that there might not be an immediate resolution to this vulnerable driver issue.

As I see it MSI is including in its Mystic Light installer, software from the RGB vendor, ENE Technology, including required drivers. MSI will have to reach out to ENE Technology for an updated EneIo64.sys driver. Then update its MSI Center installer.

This leaves you to make the decision whether to override the Eset alert notification.
