topic Re: Driver updates and vulnerable_driver_dropped_WinRing0.sys in Cortex XDR Discussions https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/driver-updates-and-vulnerable-driver-dropped-winring0-sys/m-p/513235#M2740 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/204243">@MartinPfeil</a>&nbsp;,</P> <P>&nbsp;</P> <P>this rule was brought in with content update 650. This is a behavioural threat event and has nothing to do with wildfire verdict being malware/benign. Rather, it is triggered because the Winring.0.sys is listed as a vulnerable driver software used by multiple vendors. The vendors have brought out new patches into their driver softwares and in cases of endpoints which have the outdated driver, and are dropped, Cortex detects and prevents the same.</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 29 Aug 2022 08:42:28 GMT neelrohit 2022-08-29T08:42:28Z Driver updates and vulnerable_driver_dropped_WinRing0.sys https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/driver-updates-and-vulnerable-driver-dropped-winring0-sys/m-p/513230#M2739 <P>Hello,</P> <P>over the last couple of days we have seen a lot of behavioural alerts with&nbsp; s<SPAN>vulnerable_driver_dropped_WinRing0.sys</SPAN>&nbsp;preventing HP and Lenovo signed drivers being updated. Obviously these are false positives, as WF and VT confirms-</P> <P>Before I open a ticket, does anybody see similar behaviour?</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>&nbsp;</P> Mon, 29 Aug 2022 08:14:02 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/driver-updates-and-vulnerable-driver-dropped-winring0-sys/m-p/513230#M2739 MartinPfeil 2022-08-29T08:14:02Z Re: Driver updates and vulnerable_driver_dropped_WinRing0.sys https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/driver-updates-and-vulnerable-driver-dropped-winring0-sys/m-p/513235#M2740 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/204243">@MartinPfeil</a>&nbsp;,</P> <P>&nbsp;</P> <P>this rule was brought in with content update 650. This is a behavioural threat event and has nothing to do with wildfire verdict being malware/benign. Rather, it is triggered because the Winring.0.sys is listed as a vulnerable driver software used by multiple vendors. The vendors have brought out new patches into their driver softwares and in cases of endpoints which have the outdated driver, and are dropped, Cortex detects and prevents the same.</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 29 Aug 2022 08:42:28 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/driver-updates-and-vulnerable-driver-dropped-winring0-sys/m-p/513235#M2740 neelrohit 2022-08-29T08:42:28Z