Some Windows PC owners woke up earlier this week to find their computers suddenly spamming them with Windows Defender alerts about a new “HackTool” called WinRing0. While these alerts are certainly concerning, chances are your computer isn’t actually under attack—at least not just yet. But that doesn’t mean you should ignore the alerts, either.
Why WinRing0 Started Triggering Windows Defender
The problem with random alerts like this is that it isn’t always clear what the threat is or why Defender sees it as a threat. In the case of WinRing0, it’s because an exploit in this piece of kernel-level software was previously linked to a dangerous piece of malware (as BleepingComputer reported).
Having kernel-level access essentially means WinRing0 has access to your operating system’s core components and resources. That’s a dangerous gamble if the software becomes exploitable somehow, and it seems like WinRing0 has become a major driving force in how the SteelFox malware operates and gains access to infected systems.
Even if you’ve worked hard to boost your Windows PC’s security with Defender, malware like SteelFox could use the exploit found in WinRing0 to get past your safeguards.
Speaking of Windows Defender…
Is Windows Defender All the Antivirus Protection You Need?
Do you really need to download extra antivirus software if you have Windows Defender installed?
The other big problem with software like WinRing0 is that it tends to find its way into many different pieces of software. Such is the case with this latest Windows Defender alert, which The Verge reports is part of several widely used PC fan control applications. That includes Fan Control, which we covered a few years ago.
Windows Defender also appears to trigger alerts if you have other third-party monitoring software installed, including Libre Hardware Monitor, MSI Afterburner, SteelSeries Engine, Razer Synapse, OmenMon, and more.
This Shouldn’t Be a Surprise
The overall effect this will have on monitoring software like Afterburner and Fan Control is already clear. Unless Microsoft comes up with some way for these applications to access those low-level permissions in the future, you’ll be taking a massive security risk by installing and using any of them.
However, this move isn’t wholly unexpected. Last year’s massive CrowdStrike outage was terrible for many companies, including several healthcare-oriented businesses. Since that outage, Microsoft has been under a lot of pressure to close security loopholes that shouldn’t exist, like the one that WinRing0 uses to access kernel-level permissions.
It is unclear why it has taken Microsoft so long to address WinRing0. However, this doesn’t mean the pieces of software that utilize it are entirely useless. You can still use them if you wish. However, you could very well be putting your system at risk by doing so.
Unfortunately, there is a solution, but it’s unlikely to happen. The exploit found in WinRing0 has already been patched, according to comments on GitHub. However, getting that version approved and signed by Microsoft is unlikely, as the open-source community behind it doesn’t believe they could afford to get Microsoft to sign the newest version. And without Microsoft’s signature, you wouldn’t be able to install it on your Windows system anyway.
The only other alternative would be for each of these app developers to create their own software to access kernel-level permissions. But that’s a costly endeavor many of them can’t afford. Even if they did, it would likely lead to additional costs being pushed to the users of their software through software purchases.
If you use any of the monitoring software mentioned above, or if you’ve noticed Windows Defender alerting you to WinRing0 on your system, it’s likely not anything to worry about at the moment. However, it’s always better to play it safe, especially when it comes to software with kernel-level access like this.
