Self Defense false positive - "gdrv64.sys"

Hi guys, I forwarded it…

I think for me this started after the product update on 1st April.

I know this probably isn’t recommended but I did a System Restore on my PC to the end of March so that it was still running the previous update. I’ve had no issues since doing this and I’m trying to avoid updating it again until this has been fixed.

Hi guys,

this is not a false positive. gdrv.sys/gdrv64.sys of version 5.2.3790.1830 is blocked from loading, as it has a known vulnerability that is already being used to remove security software: https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/. Please update the Gigabyte software to get the fixed gdrv driver; they already have a fixed version (named gdrv2.sys). The name of the blocked driver file can be different.

Thanks for the update.

Unfortunately, I am unable to find any updated version on Gigabyte website, other than the one installed on my PC, and that one still has a problem with this file.

The last version description is as follows:

APP Center
(Note) Support Intel 300/200/100/X299/C246 series and AMD TRX40/AM4/X399 series motherboards (support may vary by model).
(Note) Please install Microsoft .NET Framework 4.5 first before installing the APP Center utility.
Version: B19.1021.1
OS: Windows 10 64bit, Windows 7 32bit, Windows 7 64bit

Hi RoyC, can you please attach your GDRV.SYS driver, which is blocked? It should be present in C:\Windows\gdrv.sys. This must be some remnant of a previous installation. I have installed APP center B19.1021.1 and there is no vulnerable driver…

OK, I did as suggested, and everything seems to work properly. At least, for now.
But I have to say that I am quite unhappy with your approach. An app that is installed on many computers, and you simply decide to block it. Nothing else. No information why, no suggested solution, no possibility to keep the app running. Especially when the problem is a vulnerability. It is not malware.
This is not what I have been paying for all those years.
Next time inform your users better before you kill their apps, that they use on every day basis.
Thanks

Hi Tronmkiheda, thank you for your opinion. Frankly, I didn't expect so many of our users to have such an obsolete driver. The certificate used to sign this driver is already revoked, so it shouldn't be loadable at all. But Windows still allows it to load (though not on systems with active EFI Secure Boot).
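For anyone in this thread who wants to check their own machine before or after updating the Gigabyte software, here is an added example (written for this page, not code from Avast, Gigabyte or any poster) that inventories gdrv-family drivers the way the posts above describe: it looks in C:\Windows and System32\drivers for gdrv*.sys (the locations named in the thread), reports the file version against the 5.2.3790.1830 build quoted above, shows the Authenticode signer and a SHA-256 hash you can attach to a report, checks whether a gdrv driver service is currently loaded, and prints the Secure Boot state that the post above says governs whether the revoked-certificate driver still loads. Only the file name pattern, the vulnerable version string and the two folders come from the thread; everything else is an assumption of this example. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: inventory gdrv*.sys drivers on this Windows host.
# Assumptions (from the thread): the driver lives in C:\Windows or System32\drivers,
# and build 5.2.3790.1830 is the one Avast blocks. Other versions (e.g. 5.00.2195.1620,
# also reported above) are listed but only flagged if you add them to $KnownBad.
$KnownBad = @('5.2.3790.1830')

$folders = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32\drivers'))
$candidates = foreach ($dir in $folders) {
    Get-ChildItem -Path $dir -Filter 'gdrv*.sys' -File -ErrorAction SilentlyContinue
}

if (-not $candidates) {
    Write-Host "No gdrv*.sys files found in: $($folders -join ', ')"
}

foreach ($f in $candidates) {
    # Build the version from the numeric parts; the FileVersion string can carry extra text.
    $vi  = $f.VersionInfo
    $ver = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

    # Caveat: Status may still read Valid for a revoked certificate depending on how
    # revocation is checked; treat version and hash as the primary indicators and the
    # signer/expiry fields as supporting evidence.
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash

    [pscustomobject]@{
        Path         = $f.FullName
        FileVersion  = $ver
        KnownBad     = ($KnownBad -contains $ver)
        SigStatus    = $sig.Status
        Signer       = $sig.SignerCertificate.Subject
        CertNotAfter = $sig.SignerCertificate.NotAfter
        SHA256       = $hash
    } | Format-List
}

# Is a gdrv driver service registered, and is it running right now?
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match 'gdrv' } |
    Select-Object Name, State, Started, PathName |
    Format-Table -AutoSize

# Secure Boot state: the post above notes the revoked-cert driver still loads when it is off.
try {
    Write-Host "Secure Boot enabled: $(Confirm-SecureBootUEFI)"
} catch {
    Write-Host "Secure Boot state unavailable (legacy BIOS or not elevated): $($_.Exception.Message)"
}
```

If the script lists a file but no running driver service, the file is most likely the leftover from an older installation that the Avast post above mentions; removing the old App Center/EasyTune install and reinstalling the current version from the Gigabyte site is what cleared it for other posters in this thread.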

hi Spec8472~

I am running a very old PC mainboard, so there is no way to get any support/patch from GigaByte.
And I do need this tool to monitor my PC health information.

Is it possible to release an Avast patch to let the user decide whether to block this gdrv.sys or not?
Since it's a vulnerability, I will take the risk.

gdrv.sys version in my PC: 5.00.2195.1620

Thanks.

It seems a bit strange to possibly compromise your system to allow something to monitor its health?

well~

GigaByte provides a tiny tool called [EasyTune] to monitor the CPU temperature or set up the CPU fan speed.
And this tool needs gdrv.sys…

F.Y.I.

You might find one of these helpful and eliminate the need for using what’s no longer safe.
https://www.tech21century.com/best-cpu-temperature-monitor/

@Spec8472

Please find the file attached to this post. Please note I had to change the extension of the file to .txt, as .sys files are not allowed to be uploaded.

Thank you for your reply and support.

I also use EasyTune to overclock the CPU/RAM…

From the end user's point of view, some working tools crash after the Avast upgrade…

This thread goes to show how tricky it can be when an AV solution decides to meddle with essential system files, or files that are essential for proper driver functioning with a particular OS. The appropriate party should be the developer, in full cooperation with that particular operating system team; e.g. a patch to tackle the problems/flaws should be issued.

Whenever the parties involved are not helping out, I can imagine an AV solution steps in, with all the consequences we see now.

polonus

Hi guys,

the latest Gigabyte utilities from https://www.gigabyte.com/Support/Utility do not contain the vulnerable driver. We are going to release a patch to suspend this blocking until a more user-configurable system is implemented (e.g. with exceptions support).

Thank you, much appreciated!

Yep same boat here. I tried the newer versions but they don’t work with older gigabyte mobos… I don’t know what to do.

To update:

Uninstalled App Centre

Installed again, downloading the new version from the vendor’s website.

The app center now runs smoothly without any notification from Avast.

Thank you for your support. Much appreciated.

Latest news: Gigabyte utilities can now be launched. I tried, it works, and there are no more blocking messages from Avast.

Thank you.

still waiting for the Avast patch.

The new version of the tool from https://www.gigabyte.com/Support/Utility is not compatible with old mainboards.

Or please tell me how to roll back Avast to the previous version temporarily?