v153: inpoutx64.sys is getting blocked by Riot Vanguard #1694

Closed
ArbiterGR opened this issue Apr 4, 2023 · 19 comments

@ArbiterGR

Describe the bug
By updating to 153, I got a notification from Riot Vanguard that it blocked the loading of inpoutx64.sys:
image

Vanguard seems to block this driver because it is prone to a privilege escalation vulnerability. This is effectively the same issue happening with OpenRGB, but its developer is refusing to do anything about it.

More info on the vulnerability here

I unticked inpout in the settings, but maybe you should reconsider using this driver.

@Diztiler

Diztiler commented Apr 4, 2023

I can confirm receiving the same Warning message from Riot Vanguard anticheat after updating to v153.

image

@Rem0o
Owner

Rem0o commented Apr 4, 2023

There aren't a lot of kernel drivers available. Most projects you'll see on GitHub with kernel-level functions will use the same 2-3, probably like OpenRGB. I know this one can cause problems, hence why I made it optional. Using it enables some functionality, but it is not mandatory.

@venomized

I can confirm I am getting this as well.
image

@venomized

I get this popup every time I open my PC. How can I uninstall FanControl?

@ArbiterGR
Author

ArbiterGR commented Apr 7, 2023

> There aren't a lot of kernel drivers available. Most projects you'll see on GitHub with kernel-level functions will use the same 2-3, probably like OpenRGB. I know this one can cause problems, hence why I made it optional. Using it enables some functionality, but it is not mandatory.

I can understand that, but having a kernel driver that is insecure and prone to exploitation can pose a risk that I personally would not take, even if it means loss of functionality. But I can see the appeal.

In the latest release notes, you state that you enabled it by default. May I suggest reverting this change and making it optional by default? Also, the driver should only be installed when you enable the inpOut option and unloaded when you untick the option.

For anyone looking to remove the driver (and stop Vanguard from complaining), untick Inpout support in FanControl and delete the following file, followed by a reboot:
C:\Windows\System32\Drivers\inpoutx64.sys

@venomized

> > There aren't a lot of kernel drivers available. Most projects you'll see on GitHub with kernel-level functions will use the same 2-3, probably like OpenRGB. I know this one can cause problems, hence why I made it optional. Using it enables some functionality, but it is not mandatory.
>
> I can understand that, but having a kernel driver that is insecure and prone to exploitation can pose a risk that I personally would not take, even if it means loss of functionality. But I can see the appeal.
>
> In the latest release notes, you state that you enabled it by default. May I suggest reverting this change and making it optional by default? Also, the driver should only be installed when you enable the inpOut option and unloaded when you untick the option.
>
> For anyone looking to remove the driver (and stop Vanguard from complaining), untick Inpout support in FanControl and delete the following file, followed by a reboot: C:\Windows\System32\Drivers\inpoutx64.sys

Where is the option to unload? I don't see it.

@Rem0o
Owner

Rem0o commented Apr 7, 2023

Sensor settings, top right menu. I wasn't sure about the default for the setting. It's always a compromise. In hindsight I think disabled by default is the right call. Will switch it.

@Darkolas091

> > There aren't a lot of kernel drivers available. Most projects you'll see on GitHub with kernel-level functions will use the same 2-3, probably like OpenRGB. I know this one can cause problems, hence why I made it optional. Using it enables some functionality, but it is not mandatory.
>
> I can understand that, but having a kernel driver that is insecure and prone to exploitation can pose a risk that I personally would not take, even if it means loss of functionality. But I can see the appeal.
>
> In the latest release notes, you state that you enabled it by default. May I suggest reverting this change and making it optional by default? Also, the driver should only be installed when you enable the inpOut option and unloaded when you untick the option.
>
> For anyone looking to remove the driver (and stop Vanguard from complaining), untick Inpout support in FanControl and delete the following file, followed by a reboot: C:\Windows\System32\Drivers\inpoutx64.sys

This has worked for me. Thank you.

Rem0o closed this as completed Apr 15, 2023

@vinsh3nt

vinsh3nt commented May 4, 2023

> > There aren't a lot of kernel drivers available. Most projects you'll see on GitHub with kernel-level functions will use the same 2-3, probably like OpenRGB. I know this one can cause problems, hence why I made it optional. Using it enables some functionality, but it is not mandatory.
>
> I can understand that, but having a kernel driver that is insecure and prone to exploitation can pose a risk that I personally would not take, even if it means loss of functionality. But I can see the appeal.
>
> In the latest release notes, you state that you enabled it by default. May I suggest reverting this change and making it optional by default? Also, the driver should only be installed when you enable the inpOut option and unloaded when you untick the option.
>
> For anyone looking to remove the driver (and stop Vanguard from complaining), untick Inpout support in FanControl and delete the following file, followed by a reboot: C:\Windows\System32\Drivers\inpoutx64.sys

Vanguard is still giving me the warning after removing the file from the Drivers directory. Is there some kind of cleanup step I'm missing?

@Still34

Still34 commented May 9, 2023

> There aren't a lot of kernel drivers available. Most projects you'll see on GitHub with kernel-level functions will use the same 2-3, probably like OpenRGB. I know this one can cause problems, hence why I made it optional. Using it enables some functionality, but it is not mandatory.

This is a terrible choice and should be frowned upon. Not only is this reckless, it is also extremely irresponsible to not let the users know beforehand, especially that you had the knowledge for it. Using a known vulnerable driver can easily allow third parties to interact with system-level stuff from userland. If you do not have a proper workaround for it, don't just pick up a driver that you found on the side of the road and expect it to be trustworthy. As a security researcher, I had to immediately go into IR mode and track down whatever was causing the driver to load. I cannot believe I had to find out by Defender warning me and me going out of my way to search for this specific driver on an issue page buried on GitHub.

For those that are concerned, Defender also has the driver listed in the vulnerable driver block list. Deleting the driver and restarting should now result in Defender blocking the driver from loading if you have vulnerable driver block list enabled.

@Rem0o
Owner

Rem0o commented May 9, 2023

@Still34 The driver itself (InpOutx64) was part of LHM for a long time, which is used as a backend. However, it had basically no use for FanControl, so I turned it off by reflection since the beginning. Recently they (LHM repo) added some new feature for Gigabyte 2nd IO chip, which uses that driver. Thus I added a checkbox to toggle on/off the deactivation I had by default before, which allows the new feature to work.

When I said "can cause problem", I meant being blocked by various anti-cheats. I don't know the exact security threat being referenced here. If you got a link or something, I could add a little warning symbol next to the option and link it.

@Still34

Still34 commented May 9, 2023

Sure, the driver is in the list of known vulnerable drivers, which allows privileged users to access kernel-land. You can find a list of them here. Alternatively, see Defender's recommended block list.

@Rem0o
Owner

Rem0o commented May 9, 2023

@Still34 I guess the Microsoft one seems more legit, but it kinda doesn't tell what the threat is, just that it is recommended to be blocked.

@Still34

Still34 commented May 9, 2023

> @Still34 I guess the Microsoft one seems more legit, but it kinda doesn't tell what the threat is, just that it is recommended to be blocked.

As I've said, it allows for privileged users to gain control of the kernel driver and load in their own and/or worse. The most simple way for you to test this is through something like KDU, which also supports the inpoutx64 driver.

@Rem0o
Owner

Rem0o commented May 9, 2023

@Still34 goal is to inform the average user, hence why I'm looking for a legit looking single link that explains the threat. I guess I could also simply show a tooltip on the warning icon with "This driver has known vulnerability, use at your own risks".

@ArbiterGR
Author

@Rem0o, the link I posted when I opened the issue is a good start: https://starkeblog.com/windows/kernel/driver/2021/05/15/inpoutx64.sys-windows-driver-analysis.html (analysis by a security expert)

Also, an article from Syxsense: https://www.syxsense.com/securityarticles/drivers_&_hardware/syx-1002-11758.html (explains the issue)

@ngod88

ngod88 commented Jun 6, 2023

Getting this issue with V157 of FanController, must be new as I'm a Riot/Valorant addict for years, and FanController for almost a year. Completely confused and saw this thread.

@SamHerts

SamHerts commented Jul 5, 2023

How to remove InpOut64x from your machine:

Disable in FanControl, top right 3 dots menu, Sensor Settings, then uncheck InpOut

Delete Registry Key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InpOut64x

reboot, then delete the driver from

Windows\System32\drivers\inpout64x.sys
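
A read-only way to check what is left after the removal steps in this thread, added here as an example and not posted by any participant. The wildcard `inpout*` is an assumption made to cover both spellings used in the thread (`inpoutx64` and `InpOut64x`); run it from an elevated PowerShell prompt.

```powershell
# Added example: read-only check for leftovers of the InpOut driver.
# Nothing is deleted or changed. The wildcard is an assumption that
# matches both spellings seen in this thread (inpoutx64, InpOut64x).
$pattern = 'inpout*'

# 1. Driver files still on disk, with hash and signer for triage.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$files = @(Get-ChildItem -Path $driverDir -Filter "$pattern.sys" -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName
            SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Signer = (Get-AuthenticodeSignature -FilePath $_.FullName).SignerCertificate.Subject
        }
    })

# 2. Service keys that make Windows try to load the driver at boot,
#    even after the .sys file itself has been deleted.
$services = @(Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like $pattern } |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ Key = $_.PSChildName; ImagePath = $p.ImagePath; Start = $p.Start }
    })

# 3. Driver services currently registered, and whether they are running.
$registered = @(Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like $pattern } |
    Select-Object Name, State, StartMode, PathName)

# 4. Explicit setting for the Microsoft vulnerable driver blocklist.
#    Assumption: 'not set' only means no explicit value was written here.
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
$blocklist = if ($null -ne $ci -and $null -ne $ci.VulnerableDriverBlocklistEnable) {
    $ci.VulnerableDriverBlocklistEnable
} else { 'not set' }

'Driver files:';        $files      | Format-List
'Service keys:';        $services   | Format-List
'Registered drivers:';  $registered | Format-List
"VulnerableDriverBlocklistEnable: $blocklist"
if (-not ($files -or $services -or $registered)) { 'No InpOut driver remnants found.' }
```

A service key that remains after the file is gone is one reason a warning can persist across reboots.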

@insydeAFK

V175 still has the problem.
How to fix it?
