Jump to content

Microsoft Defender reporting pulsewayhardware.sys as malware

BartB
in Bugs

Featured Replies

Posted

Several times now, Microsoft Defender for Endpoint has identified the following file as malware and has quaratined it:
Filename:
pulsewayhardware.sys

Hashes:
Hash SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

Hash SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

Threat:
Winring0

Defender engine version
1.1.25050.6

Defender Mocamp version
4.18.25040.2

VirusTotal link:
https://www.virustotal.com/gui/file/11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

Detection

VirusTotal detection ratio

2/72

Malware detected

VulnerableDriver:WinNT/Winring0

Object details

File size

14.54 KB

Is PE

true

Issuer

GlobalSign ObjectSign CA

Signer

Noriyuki MIYAZAKI

PE metadata

Original name

WinRing0.sys

Company

OpenLibSys.org

Product

WinRing0

Description

WinRing0

File prevalence

Organization devices5

Organization cloud apps0

Worldwide devices10k+

Worldwide observed devices

Time

First seen

Mar 3, 2013 6:00:43 AM

Last seen

Jun 13, 2025 5:47:56 AM

Is this an actual Pulseway file and has anyone else experienced this on any of their agents? What other info can I provide?

And before anyone asks, I only deploy agents from the SaaS Pulseway server instance.

Thanks,

Bart B.

    •
    • Administrators

    Hey @BartB - Thanks for reaching out! We are actively addressing this. Our development team is aware of the associated risks, and a dedicated development effort is underway to completely remove and replace the WinRing0 dependency in a future release. This transition is being prioritized to align with modern security best practices, including Microsoft's Vulnerable Driver Blocklist.

    In the meantime, please be assured Pulseway runs under a service account and does not expose direct user-accessible interfaces to this driver.

    If you have any other questions, let me know😊

    • Author

    Hello @Mariale_Pulseway , thank you for your reply.

    What do you recommend I do in the meantime, as Defender keeps detecting the files as malicious and quarantining them? Shoudl I add the "pulsewayhardware.sys" file to eceptions so it stops being flagged? What is the risk asoociated with leaving othe file in place? Does any Pulseway agent functionality break if the file is removed?

    Thanks!

    Create an account or sign in to comment

    Go to topic listing

    Similar Content