Why Windows identifies random apps as threats
Some Windows PC owners woke up earlier this week to find their computers suddenly receiving a stream of alerts from Windows Defender warning them about a new 'HackTool' called WinRing0. While these warnings are certainly concerning, chances are your computer isn't actually under attack, at least not yet. But that doesn't mean you should ignore the warnings.
Why WinRing0 started activating Windows Defender
The problem with random alerts like this is that it's not always clear what the threat is or why Defender considers it a threat. In the case of WinRing0, it's because an exploit in that kernel-level software has previously been linked to dangerous malware (as BleepingComputer reported).
Having kernel-level access essentially means that WinRing0 has access to core components and resources of the operating system. That's a dangerous gamble if the software can be exploited in some way, and it appears that WinRing0 has become the primary driver behind how the SteelFox malware operates and gains access to infected systems.
Even if you've taken the effort to harden your Windows PC's security with Defender, malware like SteelFox can still use the vulnerability found in WinRing0 to bypass your protections.
Another big problem with software like WinRing0 is that it tends to find its way into a lot of different software. That's the case with this latest Windows Defender warning: The Verge reports that WinRing0 is part of a number of widely used PC fan control apps, including Fan Control, which was mentioned a few years ago.
Windows Defender also seems to trigger the warning if you have other third-party monitoring software installed, including Libre Hardware Monitor, MSI Afterburner, SteelSeries Engine, Razer Synapse, OmenMon, etc.
This is not surprising.
The overall impact of this on monitoring software like Afterburner and Fan Control is clear. Unless Microsoft provides some way for these apps to access these low-level permissions in the future, you're taking a huge security risk by installing and using any of them.
The move isn't entirely unexpected, however. Last year's massive CrowdStrike breach had dire consequences for many companies, including some in the healthcare industry. Since then, Microsoft has been under a lot of pressure to close security holes that shouldn't exist, like the one WinRing0 used to gain kernel-level access.
It's unclear why it took Microsoft so long to address WinRing0. That doesn't mean that software that uses it is completely useless, though. You can still use it if you want. But you're likely putting your system at risk by doing so.

There is a workaround, but unfortunately it's unlikely to work. According to comments on GitHub, the vulnerability found in WinRing0 has been patched. However, the patched version is unlikely to be approved and signed by Microsoft, as the open source community behind it doesn't believe it has the resources to get Microsoft to sign the latest version. And without Microsoft's signature, you won't be able to install it on your Windows system.
The only other alternative is for each of these application developers to create their own software to access kernel-level permissions. But that is an expensive endeavor that many of them cannot afford. Even if they did, it would likely result in additional costs for users of their software through software purchases.
If you use any of the monitoring software mentioned above, or if you notice Windows Defender warning you about WinRing0 on your system, then there's probably nothing to worry about at the moment. However, it's always better to be safe than sorry, especially when it comes to software with kernel-level access like this.
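To see which installed app is responsible for a WinRing0 alert, the following PowerShell inventory lists matching driver services, driver files and Defender detections. It is an added example, not code from the original article or from any of the projects it names, and it assumes the driver keeps "WinRing0" in its service name or file name and sits under the usual program and application-data folders.

```powershell
# Added example. Assumption: every copy of the driver has "WinRing0" in its
# service name or file name; a renamed copy will not be found by this script.
$pattern = '*WinRing0*'

# 1. Kernel driver services whose name or image path matches.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like $pattern -or $_.PathName -like $pattern } |
    Select-Object Name, State, StartMode, PathName

# 2. Driver files on disk. The parent folder usually names the bundling app.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:LOCALAPPDATA) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$files = Get-ChildItem -Path $roots -Filter 'WinRing0*.sys' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Folder   = $_.DirectoryName
            File     = $_.Name
            Modified = $_.LastWriteTime
            SigState = $sig.Status
            Signer   = $sig.SignerCertificate.Subject
            SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

# 3. Defender detections whose affected resources mention the driver.
$detections = @()
if (Get-Command -Name Get-MpThreatDetection -ErrorAction SilentlyContinue) {
    $detections = @(Get-MpThreatDetection |
        Where-Object { ($_.Resources -join ';') -like $pattern } |
        Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources)
}

'Driver services:';      $drivers    | Format-Table -AutoSize -Wrap
'Driver files:';         $files      | Format-List
'Defender detections:';  $detections | Format-List
if (-not $drivers -and -not $files -and -not $detections) {
    'No WinRing0 driver service, file, or Defender detection found in the searched locations.'
}
```

Run it from an elevated PowerShell prompt so the search can read every folder; an app unpacked somewhere else, such as a portable tool on another drive, needs its folder added to `$roots`.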