LibreHardwareMonitor.sys

Jonte_H · January 26, 2025, 11:49am

I am trying to allow one single file; <LibreHardwareMonitor.sys> to run, but is blocked by Norton.
Is there any way to get Norton to accept/ignore the file without turning of “Block vulnerable kernel drivers” thus making me more vulnerable? i just want that single file to run just like it did before the “UI revamp-update”.
I’ve tried different methods listed on the community, like exclude the folder in live search, unblocked & re-blocked kernel drivers etc…

MrA_Toulson · January 26, 2025, 12:13pm

Have problems all the time with email addresses that I’ve been receiving for decades without any problem, that’re now flagged as suspicious links or are blocked!

Gribouille342 · January 26, 2025, 1:51pm

Bonjour @Jonte_H

Avez-vous essayé la solution proposée par @bjm ici.
Le cas échéant, vous devriez contacter le support Norton depuis cette page
Ensuite sélectionnez “Norton for window or Mac” et cliquez sur “Get help” (situé complètement au bas de la page).
Dans la page qui s’affiche choisissez le canal de communication souhaité (par exemple par chat) en cliquant sur le bouton dédié.

bjm · January 26, 2025, 2:17pm

Hello @Jonte_H
Um, is this your LibreHardwareMonitor?
https://github.com/LibreHardwareMonitor/LibreHardwareMonitor

Developers: Unknown
Version: 0.9.4.0
Identified: 11/24/24
Few users
Hundreds of users in the Norton Community have used this file.
Mature
This file was released 2 months ago.
Trusted
Norton has given this file a trusted rating.
Downloaded from: https://objects.githubusercontent.com/github-production-release-asset-2e65be/99942769/0fef111b-f0d1-4e01-952d-e42d876ab923

File: LibreHardwareMonitor.exe
File size: 1.17 MB (1,221,632 bytes)
MD5 checksum: 051C9984712B4BB9B34D884503BD1887
SHA256 checksum: 05E6C7FC7887A1CED1E04602131034DCD9F42783ACF0957ACCC0D9877B1E85BE
Date/Time: 1/26/2025

VirusTotal report
https://www.virustotal.com/gui/file/05e6…1e85be

=====================================

What is WinRing0?

Vulnerable Drivers:
Drivers are small programs that allow the operating system to interact with hardware devices; if a driver has known vulnerabilities, attackers could potentially exploit them to gain unauthorized access or control.

AI
“WinRing0.sys” is a Windows driver that is considered vulnerable because it can be exploited by attackers to gain elevated privileges on a system, allowing them to access sensitive information or execute malicious code due to security flaws within the driver itself; often used by malware and crypto miners for privilege escalation.

Key points about WinRing0.sys:

Function:
This driver is designed to provide low-level hardware access, which can be useful for certain applications but also presents a significant security risk if not properly secured.

Vulnerability:
The primary concern with WinRing0.sys is that it has known vulnerabilities, particularly related to memory access, which can be exploited by attackers to gain kernel-level access and essentially control the system.

Exploitation:
Malware authors often target WinRing0.sys to elevate their privileges on a compromised system, allowing them to bypass security measures and execute malicious code with administrator-level permissions.

Associated CVE:
One well-known CVE associated with WinRing0.sys is CVE-2020-14979, which allows attackers to read and write to arbitrary memory locations on a system.

What to do if you see WinRing0.sys on your system:

Check legitimacy:
If you are not actively using a program that requires the WinRing0 driver for a legitimate purpose, it is best to remove it from your system as it is likely a sign of potential malware.

Update software:
Ensure that any software utilizing WinRing0 is updated to the latest version to mitigate known vulnerabilities.

Scan for malware:
Run a thorough scan of your system with a reliable antivirus program to detect and remove any potential malware associated with the WinRing0 driver.

Developers: Noriyuki MIYAZAKI
Version: 1.2.0.5
Identified: 1/26/25
Last Used: 1/26/25
Startup Item: Yes
Many users
Thousands of users in the Norton Community have used this file.
Mature
This file was released 5 years ago.
Trusted
Norton has given this file a trusted rating.

File: LibreHardwareMonitor.sys
File size: 14.2 KB (14,544 bytes)
MD5 checksum: 0C0195C48B6B8582FA6F6373032118DA
SHA256 checksum: 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Date/Time: 1/26/2025
VirusTotal report
https://www.virustotal.com/gui/file/11bd2c9f…160ee5

Caveat: I’m not familiar with LibreHardwareMonitor

bjm · January 26, 2025, 3:01pm

may be related:

bjm · January 26, 2025, 3:21pm

Hello @Jonte_H
fwiw ~ as test:

Caveat: I’m not familiar with LibreHardwareMonitor

Jonte_H · January 27, 2025, 11:42am

No @bjm , im just an user, not creator of the program.
I have already tried everything you showed in this post with no luck.
Everytime i turn on Block vulnerable kernel drivers again, Norton blocks/removes the file.
I just want to exclude this file from Norton, and this one only since i trust it.

bjm · January 27, 2025, 1:52pm

Hello @Jonte_H
Yes, I’ve tried with same results.
Yes, with Block vulnerable kernel drivers enabled, Norton blocks librehardwaremonitor.sys file loading.
I’ve tried with other Block vulnerable kernel drivers reports…with same results.
Sorry…

maybe, support knows a work-around

fwiw ~ this process [here] works for me to reach:
Norton support via Social Support | Chat | Phone [here]

Please let us know your progress

================================================

AI
Avast has a feature that allows it to “block vulnerable drivers,” meaning it actively identifies and prevents potentially exploitable drivers from loading onto your system, essentially protecting against attacks that might leverage outdated or compromised drivers to gain access to your computer.

Key points about Avast’s vulnerable driver blocking feature:

Function: This feature scans for drivers with known vulnerabilities and prevents them from loading into the operating system kernel memory.

User notification: When Avast detects a vulnerable driver, it will typically alert the user.

Access: To manage this setting, you can navigate to Avast’s settings menu, usually found under “General” or “Troubleshooting” depending on your Avast version.

Why is this important?

Security benefit:
Vulnerable drivers can be exploited by malware to gain elevated privileges on a system, so blocking them is a crucial security measure.

Protection against advanced attacks:
Cybercriminals often target vulnerable drivers in sophisticated attacks, making this feature a valuable defense against such threats.

Why is Avast so annoying with driver blocking
[…]
Avast employee - March 2023
The reason for exclusions not working is that they’re not implemented yet. The vulnerable driver blocking is a separate feature, not based on “regular” scans, so exclusions have to be implemented separately (plus a separate UI controls should be added).

It’s going to happen… but for now, you can simply disable the vulnerable driver blocking completely - in Troubleshooting, under Enable Self-Defense. (Since you’ll already have a popular vulnerable driver running, it doesn’t matter much if you exclude just that one or disable the feature completely - the door for malware is wide open anyway.)

Avast employee - March 2023
How exactly they are detected, I’m not sure - but it’s definitely not just a generic heuristics, it’s targeting specific drivers.
I’m told the WinRing driver (used by FanControl) is a popular driver that allows any non-privileged user arbitrary write access to hardware and physical memory. So this driver allows anybody to do… well, anything, including e.g. disabling the AV.
[…]
https://community.avast.com/t/why-is-avast-so-annoying-with-driver-blocking/771148

Avast team - November 2023
My name is Jan, and I’m with the Avast senior technical support team, I realize there’s been a delayed response to your query, and I apologize.

I see you have questions about the Avast vulnerable kernel driver detection, which I would like to clarify for you.

The detection dialogue comes from the Avast Premium Security Self-Defense module that protects the application installation from deactivation or uninstallation. It detected and blocked an exploitable driver in your system. It’s very unlikely this would be a false positive because this is usually a very accurate type of detection.

There isn’t any other workaround than disabling the “Block vulnerable kernel drivers” feature if you want to use the application despite our recommendations.
Open Avast Premium Security application and navigate → Menu → Settings → General → Troubleshooting → Enable Self-Defense → Block vulnerable kernel drivers.
However, it leaves the device unprotected and vulnerable.
[…]
https://github.com/winsiderss/systeminformer/issues/1908

bjm · January 27, 2025, 2:26pm

AI
When Norton “blocks vulnerable drivers,” it means that the security software has identified a driver on your computer that contains known security vulnerabilities, potentially allowing hackers to exploit your system, and is preventing that driver from loading to protect your computer; this is a security feature designed to safeguard against potential threats.

Key points about Norton blocking vulnerable drivers:

What is a vulnerable driver?:
A driver with outdated software that contains security gaps which attackers can use to gain access to your computer.

How Norton detects them:
Norton uses its threat database to identify known vulnerable drivers and flags them as potential risks.

What happens when a driver is blocked:
When a vulnerable driver is detected, Norton prevents it from loading on your system, which can sometimes lead to issues with specific applications that rely on that driver.

What to do if Norton blocks a driver:

Verify the issue:
If you suspect Norton is blocking a necessary driver, check if the driver is actually vulnerable by searching online for known security issues related to it.

Update the driver:
If the driver is outdated, try updating it to the latest version from the manufacturer’s website.

Add an exception (with caution):
If the driver is necessary and you are certain it is not vulnerable, you can add an exception in your Norton settings to allow it to load, but be cautious as this could potentially expose your system to risk.

=========================================

SoulAsylum · January 27, 2025, 2:49pm

@Jonte_H Are you by chance using this software package for X1 EVGA? Please try to download and install the updated release and see if its nailed as well, IF, this is the software you are needing.

Or is this something that is freeware from a website that doesn’t have good credentials? The CVE mentioned is more than 4 years old and should have already been patched. Github did have exploits posted there for this vulnerability.
https://nvd.nist.gov/vuln/detail/cve-2020-14979

SA

Jonte_H · January 28, 2025, 10:51am

No, I am using LibreHardwareMonitor - “LHM” for a Rainmeter skin, to get readings for CPU temp etc.

I did find a temporary solution for Norton to accept the file.

Turn off “Block vulnerable kernel drivers”
(if needed; Re-install the software and) Open “LHM” as admin and then close it again
Rightclick on <LibreHardwareMonitor.sys> and scan for virus
Turn on “Block vulnerable kernel drivers”

Now the file will be present & work, even after a reboot.
This may only work until you are doing changes to “LHM” and the .sys file may be altered? Only time will tell. But then you could try repeat the steps.

Jonte_H · February 11, 2025, 9:25am

Scratch that!

This fix only works until Norton is updating the virus database, then it breaks again and blocks the mentioned .sys file.

I guess i just have to roll the dice and get me some kernel-malware since Norton suddenly cant trust me to trust a file that we all have been trusting for over a decade.

LibreHardwareMonitor.sys

Announcements