Driver updates and vulnerable_driver_dropped_WinRing0.sys

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Driver updates and vulnerable_driver_dropped_WinRing0.sys

L2 Linker


over the last couple of days we have seen a lot of behavioural alerts with  svulnerable_driver_dropped_WinRing0.sys preventing HP and Lenovo signed drivers being updated. Obviously these are false positives, as WF and VT confirms-

Before I open a ticket, does anybody see similar behaviour?


Kind Regards



L5 Sessionator

Hi @MartinPfeil ,


this rule was brought in with content update 650. This is a behavioural threat event and has nothing to do with wildfire verdict being malware/benign. Rather, it is triggered because the Winring.0.sys is listed as a vulnerable driver software used by multiple vendors. The vendors have brought out new patches into their driver softwares and in cases of endpoints which have the outdated driver, and are dropped, Cortex detects and prevents the same.



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!