Topic: Self Defense false positive - "gdrv64.sys"

Conn0rG
« Reply #15 on: April 10, 2020, 08:55:10 PM »
I'm also having this issue too.

Cannot seem to find any fix for this so really hoping Avast can get this sorted soon.

HuJohner
« Reply #16 on: April 11, 2020, 06:33:50 PM »
I had this problem too but since today it seems to have been resolved. Can anyone else confirm?

EDIT: It is back. Don't know why it didn't happen for a bit.
« Last Edit: April 16, 2020, 12:06:04 PM by HuJohner »

netimagus
« Reply #17 on: April 12, 2020, 08:13:37 PM »
The problem is still here for me. I forced an Avast update to be sure I have the latest version. I tried reinstalling the Gigabyte App Center utility and I still get messages and blockage when I launch the utility.

My Avast versions are:
- Viral database: 12 April 2020 at 19:32 (ver. 200411-0)
- Antivirus application: 1 April 2020 9:55 (ver 20.2.2401 - version 20.2.5130.568)


Tronmkiheda@seznam.cz
« Reply #18 on: April 13, 2020, 07:40:17 AM »
Good morning,

Same problem here.
The file is essential to run the "Gigabyte easy tune" application, which runs in the background. It gets shut down during start of the computer and it is not possible to start it manually.
Please solve it. It is obvious that everybody who runs a Gigabyte-based system and has this app installed will have the same problem.
Thank you.

RoyC
« Reply #19 on: April 13, 2020, 08:07:14 AM »
I am having the same problem.

Is there any solution yet?

Asyn
« Reply #20 on: April 13, 2020, 08:54:12 AM »
Hi guys, I forwarded it...

Conn0rG
« Reply #21 on: April 13, 2020, 12:23:43 PM »
I think for me this started after the product update on 1st April.

I know this probably isn't recommended but I did a System Restore on my PC to the end of March so that it was still running the previous update. I've had no issues since doing this and I'm trying to avoid updating it again until this has been fixed.

Spec8472 (Avast team)
« Reply #22 on: April 14, 2020, 09:15:59 AM »
Hi guys,

This is not a false positive. gdrv.sys/gdrv64.sys version 5.2.3790.1830 is blocked from loading, as it has a known vulnerability, which is already being used to remove security software: https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/. Please update the Gigabyte software to get the fixed gdrv driver; they have a fixed version already (named gdrv2.sys). The name of the blocked driver file can be different.

RoyC
« Reply #23 on: April 14, 2020, 10:52:47 AM »
Thanks for the update.

Unfortunately, I am unable to find any updated version on the Gigabyte website, other than the one installed on my PC, and that one still has a problem with this file.

The last version description is as follows:

Quote
APP Center
(Note) Support Intel 300/200/100/X299/C246 series and AMD TRX40/AM4/X399 series motherboards (support may vary by model).
(Note) Please install Microsoft .NET Framework 4.5 first before install APP Center utility.
Version :B19.1021.1
OS : Windows 10 64bit , Windows 7 32bit , Windows 7 64bit
« Last Edit: April 14, 2020, 10:54:22 AM by RoyC »

Spec8472 (Avast team)
« Reply #24 on: April 14, 2020, 11:59:03 AM »
Hi RoyC, can you please attach your GDRV.SYS driver, which is blocked? It should be present in C:\Windows\gdrv.sys. This must be some remnant of a previous installation. I have installed APP center B19.1021.1 and there is no vulnerable driver...

« Last Edit: April 14, 2020, 01:46:33 PM by Spec8472 »
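
Added example, not part of the thread and not Avast or Gigabyte tooling: a PowerShell inventory of leftover gdrv driver copies, reporting each file's version, signature state and hash so it can be compared with the blocked version 5.2.3790.1830 named above. The `gdrv*.sys` name pattern and the two search directories are assumptions; as noted in the thread, a blocked copy may carry a different file name and would not be found by name.

```powershell
# Added example: list gdrv*.sys copies and compare them with the version named in this thread.
$BlockedVersion = '5.2.3790.1830'   # version reported in the thread as blocked from loading

function Resolve-DriverPath {
    param([string]$Path)
    # Service image paths may carry NT-style prefixes; map them to a Win32 path.
    $p = $Path.Trim('"') -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    return $p
}

# Drivers registered as kernel services, whether currently running or not.
$registered = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object { Resolve-DriverPath $_.PathName }

# Files left behind by earlier installs, e.g. C:\Windows\gdrv.sys (assumed search locations).
$searchDirs = $env:SystemRoot, (Join-Path $env:SystemRoot 'System32\drivers')
$onDisk = Get-ChildItem -Path $searchDirs -Filter 'gdrv*.sys' -File -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

# Merge both sources, keep only existing files matching the assumed name pattern.
$candidates = @($registered) + @($onDisk) |
    Where-Object { (Split-Path $_ -Leaf) -like 'gdrv*.sys' -and (Test-Path -LiteralPath $_) } |
    Sort-Object -Unique

foreach ($path in $candidates) {
    $vi  = (Get-Item -LiteralPath $path).VersionInfo
    # Build the version from numeric parts; the FileVersion string can carry extra text.
    $ver = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Path           = $path
        FileVersion    = $ver
        MatchesBlocked = ($ver -eq $BlockedVersion)
        Registered     = ($path -in $registered)
        SignatureState = $sig.Status
        Signer         = $sig.SignerCertificate.Subject
        SHA256         = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}
```

A row with `MatchesBlocked` true and `Registered` false is the kind of remnant from a previous installation described in the reply above.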

Tronmkiheda@seznam.cz
« Reply #25 on: April 14, 2020, 06:23:52 PM »
OK, I did as suggested, and everything seems to work properly. At least, for now.
But I have to say that I am quite unhappy with your approach. An app that is installed on many computers, and you simply decide to block it. Nothing else. No information why, no suggested solution, no possibility to keep the app running. Especially when the problem is a vulnerability. It is not malware.
This is not what I have been paying for all those years.
Next time inform your users better before you kill their apps that they use on an everyday basis.
Thanks

Spec8472 (Avast team)
« Reply #26 on: April 14, 2020, 06:36:19 PM »
Hi Tronmkiheda, thank you for your opinion. Frankly, I didn't expect so many of our users to have such an obsolete driver. The certificate used to sign this driver is revoked already, so it shouldn't be loadable at all. But Windows still allows it to load (not on systems with active EFI Secure Boot).


Scotty33
« Reply #27 on: April 14, 2020, 08:24:26 PM »
Hi Spec8472~

I am running a very old PC mainboard, so there is no way to get any support/patch from Gigabyte.
And I do need this tool to monitor my PC health information.

Is it possible to release an Avast patch to let the user decide whether to block this gdrv.sys or not?
Since it's a vulnerability, I will take the risks.

gdrv.sys version in my PC: 5.00.2195.1620

Thanks.

bob3160
« Reply #28 on: April 14, 2020, 08:38:43 PM »
It seems a bit strange to possibly compromise your system to allow something to monitor its health?

Scotty33
« Reply #29 on: April 14, 2020, 08:44:40 PM »
Well~

Gigabyte provides a tiny tool called [EasyTune] to monitor the CPU temperature or set up the CPU fan speed.
And this tool needs gdrv.sys...

F.Y.I.