Microsoft Defender ATP now scans Windows 10 PC firmware for hardware rootkit attacks

Microsoft has been building firmware-level defenses into Windows 10 Secured-Core PCs for the enterprise, and now it’s bringing similar capabilities to its enterprise antivirus software, Microsoft Defender Advanced Threat Protection (ATP).

Secured-core PCs are so far a handful of Windows 10 models, including the Surface Pro X, HP Elite Dragonfly, Dell Latitude 7400, and fourth-generation Lenovo ThinkPad X1 Yoga.

One of the key hardware-level protections these offer is kernel Direct Memory Access (DMA) protection, which can mitigate hands-on attacks that abuse, for example, the Thunderbolt interface to read data out of memory.

Others include the Trusted Platform Module (TPM), virtualization-based security, Windows Defender System Guard, hypervisor-protected code integrity (HVCI), and tools to block unverified code execution.

This breed of PC is aimed at organizations in the sights of state-backed hackers, such as the Russian group Fancy Bear, and of some recent strains of ransomware.

The new Unified Extensible Firmware Interface (UEFI) scanner in Microsoft Defender ATP scans the UEFI layer, the interface between the operating system and the firmware, making a security capability that was previously exclusive to Secured-core Windows 10 PCs available more broadly.

Drawing on information supplied by motherboard manufacturers, the scanner should detect when a rootkit or other malware has tampered with the code used to boot a PC.

“The UEFI scanner is a new component of the built-in antivirus solution on Windows 10 and gives Microsoft Defender ATP the unique ability to scan inside the firmware filesystem and perform security assessment,” the Microsoft Defender ATP team says in a blog post.

“It integrates insights from our partner chipset manufacturers and further expands the comprehensive endpoint protection provided by Microsoft Defender ATP.”

As Microsoft explains, the UEFI scanner can help spot attacks that exploit machines where Secure Boot is disabled or the motherboard chipset is misconfigured.

By altering the firmware or UEFI drivers, attackers can, for example, disable antivirus protection, all while operating below the visibility of both traditional antivirus and the operating system.

The UEFI scanner analyzes the firmware image it reads from the Serial Peripheral Interface (SPI) flash storage, which isn’t a simple task given that the firmware isn’t accessible from the machine’s main memory.

“By obtaining the firmware, the scanner is able to parse the firmware, enabling Microsoft Defender ATP to inspect firmware content at runtime,” Microsoft says. 
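The two steps the article describes, obtaining the firmware image and then parsing it so its contents can be assessed, come down to walking UEFI firmware volume structures and comparing what is found against a known-good reference. The script below is an added example written for this page; it is not Microsoft's code and says nothing about how Defender ATP is implemented. It parses and validates the `EFI_FIRMWARE_VOLUME_HEADER` from the UEFI PI specification (the `_FVH` signature, the header checksum that must sum to zero, and the block map that must cover `FvLength`), then hashes the volume and checks it against a `KNOWN_GOOD` set, which is an assumed stand-in for the manufacturer-supplied insights the article mentions. Acquisition from SPI flash is out of scope: the sample volume and the two tampered variants are constructed in the script.

```python
import hashlib
import struct
import uuid

# Constants from the UEFI Platform Initialization (PI) specification, volume 3.
FV_SIGNATURE = b"_FVH"
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
# Fixed part of EFI_FIRMWARE_VOLUME_HEADER: ZeroVector, FileSystemGuid, FvLength,
# Signature, Attributes, HeaderLength, Checksum, ExtHeaderOffset, Reserved, Revision.
FV_HDR_FMT = "<16s16sQ4sIHHHBB"
FV_HDR_SIZE = struct.calcsize(FV_HDR_FMT)  # 56 bytes; the block map follows
BLOCK_MAP_ENTRY = "<II"  # EFI_FV_BLOCK_MAP_ENTRY: NumBlocks, Length


def checksum16(data: bytes) -> int:
    """Sum of little-endian 16-bit words mod 2**16; a valid header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    return sum(struct.unpack(f"<{len(data) // 2}H", data)) & 0xFFFF


def parse_fv_header(image: bytes) -> dict:
    """Parse and validate the firmware volume header at the start of `image`.

    Raises ValueError on any structural inconsistency, which is how a scanner
    would flag a header that has been edited in place.
    """
    if len(image) < FV_HDR_SIZE:
        raise ValueError("image too short for a firmware volume header")
    (_zero, fs_guid, fv_length, sig, attrs, hdr_len,
     _csum, ext_off, _res, revision) = struct.unpack_from(FV_HDR_FMT, image, 0)
    if sig != FV_SIGNATURE:
        raise ValueError(f"bad volume signature {sig!r}")
    if hdr_len < FV_HDR_SIZE + 8 or hdr_len > len(image) or hdr_len > fv_length:
        raise ValueError(f"implausible HeaderLength {hdr_len}")
    if checksum16(image[:hdr_len]) != 0:
        raise ValueError("header checksum does not sum to zero")
    # Walk the block map up to its {0, 0} terminator, staying inside the header.
    block_map, off = [], FV_HDR_SIZE
    while True:
        if off + 8 > hdr_len:
            raise ValueError("block map runs past HeaderLength")
        num_blocks, length = struct.unpack_from(BLOCK_MAP_ENTRY, image, off)
        off += 8
        if num_blocks == 0 and length == 0:
            break
        block_map.append((num_blocks, length))
    if sum(n * l for n, l in block_map) != fv_length:
        raise ValueError("block map does not cover FvLength")
    return {
        "filesystem_guid": uuid.UUID(bytes_le=fs_guid),
        "fv_length": fv_length,
        "attributes": attrs,
        "header_length": hdr_len,
        "ext_header_offset": ext_off,
        "revision": revision,
        "block_map": block_map,
    }


def header_is_valid(image: bytes) -> bool:
    """True if the volume header parses cleanly, False if any check fails."""
    try:
        parse_fv_header(image)
        return True
    except ValueError:
        return False


def assess_volume(image: bytes, known_good: set) -> dict:
    """Parse the volume, hash its full extent and compare with a baseline set."""
    header = parse_fv_header(image)
    digest = hashlib.sha256(image[: header["fv_length"]]).hexdigest()
    return {"header": header, "sha256": digest, "matches_baseline": digest in known_good}


def build_sample_volume(fv_length: int, num_blocks: int, block_size: int) -> bytes:
    """Constructed test data: a minimal, internally consistent firmware volume."""
    block_map = (struct.pack(BLOCK_MAP_ENTRY, num_blocks, block_size)
                 + struct.pack(BLOCK_MAP_ENTRY, 0, 0))
    hdr_len = FV_HDR_SIZE + len(block_map)

    def pack(csum: int) -> bytes:
        return struct.pack(FV_HDR_FMT, b"\x00" * 16, FFS2_GUID.bytes_le, fv_length,
                           FV_SIGNATURE, 0x0004FEFF, hdr_len, csum, 0, 0, 2) + block_map

    header = pack((-checksum16(pack(0))) & 0xFFFF)  # make the header sum to zero
    return header + b"\xff" * (fv_length - hdr_len)  # 0xFF bytes = erased flash


# Constructed sample: a 64 KiB volume of sixteen 4 KiB blocks, and a stand-in baseline.
SAMPLE_VOLUME = build_sample_volume(0x10000, 16, 0x1000)
KNOWN_GOOD = {hashlib.sha256(SAMPLE_VOLUME).hexdigest()}
# Same volume with one byte patched in the body: header still valid, hash no longer known.
TAMPERED_BODY = SAMPLE_VOLUME[:0x1000] + b"\x00" + SAMPLE_VOLUME[0x1001:]
# Same volume with one byte patched inside the header: checksum no longer sums to zero.
TAMPERED_HEADER = b"\x01" + SAMPLE_VOLUME[1:]

if __name__ == "__main__":
    for name, img in [("pristine", SAMPLE_VOLUME), ("patched body", TAMPERED_BODY)]:
        result = assess_volume(img, KNOWN_GOOD)
        print(f"{name}: header ok, matches baseline = {result['matches_baseline']}")
    print(f"patched header: header valid = {header_is_valid(TAMPERED_HEADER)}")
```

The structural checks catch edits that break the header's own consistency, while the baseline comparison catches edits anywhere in the volume, which is why a scanner needs both a parser and a reference it trusts; in this example the reference is a single constructed hash, whereas a real deployment would need per-board, per-version data from the manufacturer.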
