Windows Defender now defends firmware filesystem

Protection feature against unwanted apps is now available to all Windows 10 users
Microsoft has been building firmware-level defenses into Windows 10 Secured-Core PCs for the enterprise, and now it’s bringing similar capabilities to its enterprise antivirus software, Microsoft Defender Advanced Threat Protection (ATP).

Other Secured-core protections include Trusted Platform Module (TPM), virtualization-based security, Windows Defender System Guard, hypervisor-protected code integrity (HVCI), and tools to block unverified code execution.

This breed of PC is aimed at organizations in the sights of state-backed hackers, such as the Russian group Fancy Bear, and of some recent strains of ransomware.

The new Unified Extensible Firmware Interface (UEFI) scanner in Windows Defender ATP scans the interface between the operating system and the firmware, making a security feature that was previously exclusive to Secured-core Windows 10 PCs available more broadly.

The scanner should detect when a rootkit or other malware tampers with the code used to boot a PC, drawing on information supplied by motherboard manufacturers.

“The UEFI scanner is a new component of the built-in antivirus solution on Windows 10 and gives Microsoft Defender ATP the unique ability to scan inside the firmware filesystem and perform security assessment.”

“It integrates insights from our partner chipset manufacturers and further expands the comprehensive endpoint protection provided by Microsoft Defender ATP.”

As Microsoft explains, the UEFI scanner can help spot attacks on machines where Secure Boot is disabled or the motherboard chipset is misconfigured.

By altering the firmware or UEFI drivers, attackers can do things like disable antivirus, all below the visibility of the operating system and traditional antivirus.

The UEFI scanner analyzes the firmware it reads from the Serial Peripheral Interface (SPI) flash storage, which isn’t an easy task because that firmware isn’t accessible from the machine’s main memory.

“By obtaining the firmware, the scanner is able to parse the firmware, enabling Microsoft Defender ATP to inspect firmware content at runtime.”
