Several times now, Microsoft Defender for Endpoint has identified the following file as malware and has quaratined it:
Filename:
pulsewayhardware.sys

Hashes:
Hash SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

Hash SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

Threat:
Winring0

Defender engine version
1.1.25050.6

Defender Mocamp version
4.18.25040.2

VirusTotal link:
https://www.virustotal.com/gui/file/11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

Detection

VirusTotal detection ratio

2/72

Malware detected

VulnerableDriver:WinNT/Winring0

Object details

File size

14.54 KB

Is PE

true

Issuer

GlobalSign ObjectSign CA

Signer

Noriyuki MIYAZAKI

PE metadata

Original name

WinRing0.sys

Company

OpenLibSys.org

Product

WinRing0

Description

WinRing0

File prevalence

Organization devices5

Organization cloud apps0

Worldwide devices10k+

Worldwide observed devices

Time

First seen

Mar 3, 2013 6:00:43 AM

Last seen

Jun 13, 2025 5:47:56 AM

Is this an actual Pulseway file and has anyone else experienced this on any of their agents? What other info can I provide?

And before anyone asks, I only deploy agents from the SaaS Pulseway server instance.

Thanks,

Bart B.

Hey @BartB - Thanks for reaching out! We are actively addressing this. Our development team is aware of the associated risks, and a dedicated development effort is underway to completely remove and replace the WinRing0 dependency in a future release. This transition is being prioritized to align with modern security best practices, including Microsoft's Vulnerable Driver Blocklist.

In the meantime, please be assured Pulseway runs under a service account and does not expose direct user-accessible interfaces to this driver.

If you have any other questions, let me know😊