FanControl tracked as virus by Windows Defender - HackTool:Win32/Winring0
If you are experiencing a crash
Link the relevant/associated Windows EventViewer logs, and also FanControl's own log.txt.
The R0FanControl service failed to start due to the following error: Operation did not complete successfully because the file contains a virus or potentially unwanted software.
Describe the bug
Seems Windows Defender is now tagging FanControl as a virus. Seems a not uncommon thing for antivirus tools.
Is there a log.txt file next to FanControl.exe with recent date entries?
3/10/2025 10:33:32 PM: Try refresh failed. Retry count (6) exceeded. Sensor validation failed.
3/10/2025 10:37:49 PM: Try refresh failed. Retry count (6) exceeded. Sensor validation failed.
3/10/2025 10:41:31 PM: Try refresh failed. Retry count (6) exceeded. Sensor validation failed.
Relevant hardware specs and setup
Nvidia card. ASRock MB. Not sure what else would help.
Yup literally just experienced this. Just go to the windows security history and allow the false positive in the actions. Issue should stop.
Experiencing same here
> Yup literally just experienced this. Just go to the windows security history and allow the false positive in the actions. Issue should stop.
not sure if I'm comfortable adding an exception until some sort of official response
Yesterday at 10pm CET it was working fine, this morning I started my PC at 7am CET and Defender is removing FanControl.sys because it thinks it's a HackTool:Win32/Winring0.
I tested with V176 and V215 (latest version) and the same thing happens.
> Yesterday at 10pm CET it was working fine, this morning I started my PC at 7am CET and Defender is removing FanControl.sys because it thinks it's a HackTool:Win32/Winring0.
was working fine for me earlier tonight, I just rebooted and it flagged it on boot 2:40 AM EST
Same here, I wonder if the new update had some virus in it for some reason? Waiting for an answer as well. I'm working with this PC, so I won't use this software before I can guarantee it's safe.
same here ...
> Same here, I wonder if the new update had some virus in it for some reason? Waiting for an answer as well. I'm working with this PC, so I won't use this software before I can guarantee it's safe.
I'm using the build from Dec 29, 2023, so if it's truly a virus (I doubt it), we are already infected for a long time.
Same here, Windows virus "hack" detected??
I was wondering why tf my windows was tripping balls
Same here. Is it a false positive yet again?
The same with me (Win11, FS 207). Could it be that the file (FanControl.sys) has been manipulated? Or has the Defender algorithm changed?
I assume this software doesn't auto update right? Meaning windows could be tagging it as a false positive.
According to this Reddit thread: https://www.reddit.com/r/techsupport/comments/1j8jrs8/hack_tool_win32winring0/
In the last few hours, people have received a similar Windows defender notification for various hardware monitoring software, not just FanControl. So this seems to be a Defender update that now detects some component as malicious.
I also have this issue
same issue here, just getting this 5mins ago
This is due to a vulnerability (or rather multiple ones) in the WinRing0 driver that has been known for many years. All vendors were aware of this long ago but didn't perform the required (rather extensive) changes. Besides the need to significantly rewrite the kernel driver, application and interface between them, it also requires a new digital signature that's quite expensive for FOSS projects and can be issued only to a business (the signing needs to be done via MS HW/WHQL site). Microsoft was aware of this vulnerability and started tightening rules long ago. It also notified respective vendors about an upcoming full blocking of this driver. Initially it was planned to happen in 2024, then Jan'25, and now it seems they finally did it. There's no other way around other than rewriting the driver from scratch to be reliable, robust and secure. A lot of effort...
So it's best to quarantine / remove it for now?
I wish I could quarantine and remove win11 ...
> So it's best to quarantine / remove it for now?
For now? More like forever and forget about it. There's very little chance that Rem0o can get his hands on the required digital signature. You should stop using FanControl, LibreHardwareMonitor, CapFrameX, ZenTimings and OpenRGB.
It's everyone's choice whether to ignore this, let me just say that the WinRing0 driver (or any other forks based on it) allows:
- Arbitrary read/write(!) access to the entire physical memory. So it can be used to read/write other processes space, change OS structures, kernel, anything.
- Arbitrary read/write(!) access to protected CPU registers or hardware resources.
- Doesn't check for caller tokens. So any application, even without admin elevation can use it.
- Has full open-sourced code, which makes a potential exploit even simpler.
So IMO, one might rather ask why did it take MS so long...
> > So it's best to quarantine / remove it for now?
> For now? More like forever and forget about it. There's very little chance that Rem0o can get his hands on the required digital signature. You should stop using FanControl, LibreHardwareMonitor, CapFrameX, ZenTimings and OpenRGB.
Getting a digital signature is the lesser problem. A much bigger task is to create a reliable driver. I know as I went thru this several years ago...
> It's everyone's choice whether to ignore this, let me just say that the WinRing0 driver (or any other forks based on it) allows:
What would you recommend to use to control fans that's secure?
> > It's everyone's choice whether to ignore this, let me just say that the WinRing0 driver (or any other forks based on it) allows:
> What would you recommend to use to control fans that's secure?
whatever your motherboard supplies
> Yup literally just experienced this. Just go to the windows security history and allow the false positive in the actions. Issue should stop.
Thing is you can't just add an exception for FanControl's use of the driver. You have to add an exception for the "threat" HackTool:Win32/Winring0 as a whole which is not ideal. At least that's the case with Windows Defender.
As @malikm said, this is due to the kernel driver used via LibreHardwareMonitor. It was only a matter of time before Defender picked it up.
What's the definition version?
I'm running
Version: 1.423.343.0
Engine Version: 1.1.25010.7
Platform Version: 4.18.25010.11
And have yet to get it to trigger.
> > Yup literally just experienced this. Just go to the windows security history and allow the false positive in the actions. Issue should stop.
> Thing is you can't just add an exception for FanControl's use of the driver. You have to add an exception for the "threat" HackTool:Win32/Winring0 as a whole which is not ideal. At least that's the case with Windows Defender.
So adding the FanControl folder as an exception allows this "threat"?
> > > Yup literally just experienced this. Just go to the windows security history and allow the false positive in the actions. Issue should stop.
> > Thing is you can't just add an exception for FanControl's use of the driver. You have to add an exception for the "threat" HackTool:Win32/Winring0 as a whole which is not ideal. At least that's the case with Windows Defender.
> So adding the FanControl folder as an exception allows this "threat"?
I tried doing that although I run the portable version so my experience may be different.
I tried excluding the process and the directory itself; it then started detecting files in the %temp% directory for the same thing.
@Rem0o I had it trigger with these versions:
Antivirus Version: 1.423.337.0
Engine Version: 1.1.25010.7
Antimalware Client Version: 4.18.25010.11
> > > > Yup literally just experienced this. Just go to the windows security history and allow the false positive in the actions. Issue should stop.
> > > Thing is you can't just add an exception for FanControl's use of the driver. You have to add an exception for the "threat" HackTool:Win32/Winring0 as a whole which is not ideal. At least that's the case with Windows Defender.
> > So adding the FanControl folder as an exception allows this "threat"?
> I tried doing that although I run the portable version so my experience may be different.
> I tried excluding the process and the directory itself; it then started detecting files in the %temp% directory for the same thing.
So I made some tests. In Defender the allowed threats is empty. I added FanControl folder to the exclusions, FanControl works fine.
I run the Portable version too. I did a system restore that was a week ago. FanControl worked, did a Windows update (to update Defender), after restart FanControl.sys was removed. Added just the folder to the exclusions and unzipped the .sys file from my backup, started FanControl and it works.
Restarted my system multiple times and FanControl still works, although it removes 6 files from Temp folder on each boot.
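A read-only way to check the points raised in this thread (definition versions, which files the detection fired on, and whether a per-threat allow or a path exclusion is in place), added here as an example that is not part of the original issue or the FanControl project. It uses the Defender PowerShell cmdlets; the name pattern and the `R0FanControl` service name are taken from the posts above, and an elevated prompt is assumed.

```powershell
# Added example: read-only audit of Microsoft Defender state for the
# detection name reported in this thread. Run from an elevated prompt;
# without elevation the exclusion lists are not readable.
$pattern = '*Winring0*'   # detection name as reported in this thread

# 1. Definition, engine and platform versions, for comparing machines.
Get-MpComputerStatus |
    Format-List AntivirusSignatureVersion, AMEngineVersion, AMProductVersion

# 2. Threat IDs in this machine's detection history that match the name.
$threats = @(Get-MpThreat | Where-Object { $_.ThreatName -like $pattern })
$ids     = @($threats | ForEach-Object { $_.ThreatID })
$threats | Format-Table ThreatID, ThreatName, IsActive -AutoSize

# 3. Every resource the detection fired on (install folder, %TEMP%, ...).
Get-MpThreatDetection |
    Where-Object { $ids -contains $_.ThreatID } |
    Sort-Object InitialDetectionTime |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.InitialDetectionTime
            Process   = $_.ProcessName
            Resources = $_.Resources -join '; '
        }
    } | Format-List

# 4. Per-threat overrides and exclusions. A per-threat allow applies to every
#    file matching the detection, whichever program dropped it; a path
#    exclusion applies only to files under that path.
$pref  = Get-MpPreference
$ovIds = @($pref.ThreatIDDefaultAction_Ids | Where-Object { $null -ne $_ })
$rows  = for ($i = 0; $i -lt $ovIds.Count; $i++) {
    [pscustomobject]@{
        ThreatID   = $ovIds[$i]
        Action     = @($pref.ThreatIDDefaultAction_Actions)[$i]   # 6 = Allow
        IsWinring0 = $ids -contains $ovIds[$i]
    }
}
$rows | Format-Table -AutoSize
[pscustomobject]@{
    ExclusionPath    = $pref.ExclusionPath -join '; '
    ExclusionProcess = $pref.ExclusionProcess -join '; '
} | Format-List

# 5. Is the driver service named in the event log entry still registered?
Get-CimInstance Win32_SystemDriver -Filter "Name = 'R0FanControl'" |
    Format-List Name, State, StartMode, PathName
```

If section 3 lists files under %TEMP% as well as the install folder, a folder exclusion alone does not cover them, which matches the repeated Temp detections reported above.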