bradwillman

Reputation Activity

  1. Upvote
    Several times now, Microsoft Defender for Endpoint has identified the following file as malware and has quarantined it:
    Filename: pulsewayhardware.sys
    Hashes:
      SHA1: d25340ae8e92a6d29f599fef426a2bc1b5217299
      SHA256: 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
    Threat: Winring0
    Defender engine version: 1.1.25050.6
    Defender Mocamp version: 4.18.25040.2
    VirusTotal link: https://www.virustotal.com/gui/file/11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
    Detection:
      VirusTotal detection ratio: 2/72
      Malware detected: VulnerableDriver:WinNT/Winring0
    Object details:
      File size: 14.54 KB
      Is PE: true
      Issuer: GlobalSign ObjectSign CA
      Signer: Noriyuki MIYAZAKI
    PE metadata:
      Original name: WinRing0.sys
      Company: OpenLibSys.org
      Product: WinRing0
      Description: WinRing0
    File prevalence:
      Organization devices: 5
      Organization cloud apps: 0
      Worldwide devices: 10k+
    Worldwide observed devices:
      Time:
        First seen: Mar 3, 2013 6:00:43 AM
        Last seen: Jun 13, 2025 5:47:56 AM

    Is this an actual Pulseway file and has anyone else experienced this on any of their agents? What other info can I provide?
    And before anyone asks, I only deploy agents from the SaaS Pulseway server instance.

    Thanks,
    Bart B.