Heads up if using OpenHardwareMonitor - Defender reported a Trojan virus

Microsoft has always had somewhat of a security by obscurity philosophy. What bothers me is that I see a ton of posts about this where people who largely don’t know what a kernel driver is are all giving the advice that it’s just Defender being Defender and that if you aren’t pirating software you are safe, etc. For example, I just read over on OpenRGB:

“I’ve been a PC tech for over 30 years (including employment for 17 years by two of the biggest investment banks in the world), I knew about the vulnerability before installing FanControl.

It didn’t concern me then, it doesn’t concern me now. If you’re not a shady person that does shady things, you’ll be just fine. I just whitelisted it, no more pop-ups.”

I’m not going to name and shame, but as someone who has been a quality assurance professional for everything from small software firms in a niche industry to companies that rhyme with Herkshire Bathaway, I would never tell someone to just whitelist a vulnerability and move on. The vulnerability is there, and the end user needs to understand the potential attack vectors for someone to exploit it. If they aren’t confident in that, they should let Defender do its thing and find an alternative.

I admit that I don’t know much about “potential attack vectors.”

  1. Perhaps a firewall to keep out intrusions isn’t enough.
  2. Perhaps not downloading anything unless it comes from a trusted source isn’t enough.

Perhaps whitelisting any threat is a bad thing, regardless of the two things above.

Some gamers disable protection they shouldn’t - like Memory Integrity (HVCI) - in the search for max performance. I believe that’s a bit extreme. But ultimately, it’s all about managing risk.

So I ask you, as someone who knows more about this than I do… Is whitelisting WinRing0 a really bad idea, even if I’m careful not to expose my system by being stupid? Maybe I’m naive to think I’m being careful enough?

Well, I like transparency rather than hiding information or giving misleading alerts, which is why I inform users about the options they have.

The driver block itself is fine - after all, we agreed to it in one of the Windows settings, specifically the Microsoft Vulnerable Driver Blocklist, and I have no intention of disabling it.

That said, Microsoft shouldn’t suggest that something is a virus if it isn’t.

In a way, a Trojan is worse than a virus. It’s a backdoor that allows an attacker to take control of your PC more or less discreetly, steal your data, install ransomware, install real viruses, enlist your PC in denial-of-service attack bot networks or spam. Pure bliss…
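For anyone in this thread who wants to check where their own machine actually stands on the three things discussed above (Memory Integrity/HVCI, the Microsoft Vulnerable Driver Blocklist, and whether a WinRing0 driver is installed at all), here is an added read-only PowerShell check. It is not from OpenHardwareMonitor, FanControl or anyone posting here. It assumes the documented `Win32_DeviceGuard` CIM class (value 2 in `SecurityServicesRunning` means HVCI is running) and the `VulnerableDriverBlocklistEnable` registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config`; the `*WinRing0*` name match is a loose filter, since the exact service name varies by the tool that bundled the driver.

```powershell
# Added example (not from the thread): report the state of the protections being debated.
# Read-only. Run from an elevated PowerShell prompt on Windows 10/11.

function Get-DriverProtectionStatus {
    # Win32_DeviceGuard: SecurityServicesRunning contains 2 when HVCI (Memory Integrity) is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)

    # The "Microsoft Vulnerable Driver Blocklist" toggle in Windows Security is backed by this
    # registry value (1 = enabled). When the value is absent, Windows applies its default, which
    # on HVCI-enabled machines is enforcement, so "not set" is not the same as "off".
    $ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklistValue = (Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' `
                        -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $blocklistState = if ($null -eq $blocklistValue) { 'not set (Windows default applies)' }
                      elseif ($blocklistValue -eq 1)  { 'enabled' }
                      else                             { 'disabled' }

    # Any kernel driver whose service name or image path mentions WinRing0, whichever
    # monitoring tool installed it. (Assumption: the bundled driver keeps "WinRing0" in its name.)
    $winring0 = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like '*WinRing0*' -or $_.PathName -like '*WinRing0*' } |
        Select-Object Name, State, StartMode, PathName

    [pscustomobject]@{
        HvciRunning               = $hvciRunning
        VulnerableDriverBlocklist = $blocklistState
        WinRing0Drivers           = if ($winring0) { $winring0 } else { 'none found' }
    }
}

Get-DriverProtectionStatus | Format-List
```

If `HvciRunning` is `True` and the blocklist is enforced, the WinRing0 driver will simply refuse to load regardless of any Defender exclusion, which is the situation the thread is describing: an exclusion only silences the alert, it does not restore the driver. If HVCI is off and a WinRing0 entry shows `State: Running`, the driver is live, and whitelisting it in Defender removes the one warning you would otherwise get.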