
Microsoft has announced that its Microsoft Defender Advanced Threat Protection (ATP) enterprise endpoint security platform can now detect and protect customers from Unified Extensible Firmware Interface (UEFI) malware with the help of a new UEFI scanner.

Built-in protection against firmware attacks has already been included in Windows 10 Secured-core PCs since October 2019; it protects the users of such devices against attackers who abuse security flaws affecting both firmware and drivers. "Windows Defender System Guard helps defend against firmware attacks by providing guarantees for secure boot through hardware-backed security features like hypervisor-level attestation and Secure Launch, also known as Dynamic Root of Trust (DRTM), which are enabled by default in Secured-core PCs," Microsoft said.

One threat actor known for abusing firmware vulnerabilities is the Russian-backed APT28 threat group (also tracked as Tsar Team, Sednit, Fancy Bear, Strontium, and Sofacy), which used a UEFI rootkit known as LoJax as part of some of its 2018 operations.

The new UEFI scanner, built with insights from partner chipset manufacturers, is a component of the Windows 10 built-in antivirus solution and performs security assessments after scanning inside the firmware filesystem. Microsoft Defender ATP's UEFI scanner works by reading "the firmware file system at runtime by interacting with the motherboard chipset", and it is triggered automatically through periodic scans or on runtime events such as suspicious driver loads.

To spot malicious firmware code, the UEFI scanner uses multiple components, including a UEFI anti-rootkit that scans the firmware through the Serial Peripheral Interface (SPI) flash, a full filesystem scanner for analyzing content inside the firmware, and a dedicated detection engine for identifying firmware exploits and malicious behavior...
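The article describes a "full filesystem scanner" that walks the firmware file system and assesses what it finds. The following is an added illustration of that idea, not Microsoft's code or any part of Defender ATP: it builds a tiny UEFI firmware volume in memory, walks its EFI_FFS_FILE_HEADER entries, verifies the header and file checksums, hashes each module's payload, and compares the hashes with a known-good allowlist, reporting modules that are unknown, modified or corrupt. It never touches SPI flash; the firmware images, module GUIDs and payloads are constructed for the demo, and the header layouts follow the UEFI Platform Initialization specification's firmware volume and FFS2 formats.

```python
# Added illustration: walk a UEFI firmware volume's FFS file headers, verify their
# checksums, and compare each module's SHA-256 against a known-good allowlist.
# Nothing here reads real SPI flash; images, GUIDs and payloads are constructed.
import hashlib
import struct
import uuid

FV_HDR = struct.Struct("<16s16sQ4sIHHHBB")  # EFI_FIRMWARE_VOLUME_HEADER fixed part (56 bytes)
FV_SIGNATURE = b"_FVH"
FVB2_ERASE_POLARITY = 0x0800                 # erased flash reads as 0xFF when this bit is set
FFS2_GUID = uuid.UUID("8C8CE578-8A3D-4F1C-9935-896185C32DD3")
FFS_HDR = struct.Struct("<16sBBBB3sB")       # Name, hdr cksum, file cksum, Type, Attributes, Size[3], State
FFS_HDR_LEN = FFS_HDR.size                   # 24
FFS_ATTRIB_CHECKSUM = 0x40

def checksum8(data: bytes) -> int:
    """Byte that makes the 8-bit sum of data plus itself zero."""
    return (-sum(data)) & 0xFF

def build_ffs_file(name: uuid.UUID, ftype: int, payload: bytes) -> bytes:
    """Constructed FFS file: 24-byte EFI_FFS_FILE_HEADER followed by the payload."""
    size = FFS_HDR_LEN + len(payload)
    hdr = bytearray(FFS_HDR.pack(name.bytes_le, 0, 0, ftype, FFS_ATTRIB_CHECKSUM,
                                 size.to_bytes(3, "little"), 0))
    hdr[16] = checksum8(hdr)      # header checksum, computed with file checksum and State zeroed
    hdr[17] = checksum8(payload)  # file checksum over the payload (FFS_ATTRIB_CHECKSUM set)
    hdr[23] = 0xF8                # State, erase polarity 1: CONSTRUCTION|HEADER_VALID|DATA_VALID inverted
    return bytes(hdr) + payload

def build_fv(files: list) -> bytes:
    """Constructed firmware volume: header with one block-map entry, files 8-byte aligned."""
    body = b"".join(f + b"\xff" * (-len(f) % 8) for f in files)  # gaps read as erased flash
    hdr_len = FV_HDR.size + 16    # one block-map entry plus its zero terminator
    total = hdr_len + len(body)
    hdr = bytearray(FV_HDR.pack(b"\0" * 16, FFS2_GUID.bytes_le, total, FV_SIGNATURE,
                                FVB2_ERASE_POLARITY, hdr_len, 0, 0, 0, 2))
    hdr += struct.pack("<IIII", 1, total, 0, 0)
    words = struct.unpack(f"<{hdr_len // 2}H", hdr)
    struct.pack_into("<H", hdr, 50, (-sum(words)) & 0xFFFF)  # 16-bit header checksum at offset 50
    return bytes(hdr) + body

def parse_fv(img: bytes) -> list:
    """Walk the FFS files in a volume; return per-file metadata and payload SHA-256."""
    _z, _guid, fv_len, sig, attrs, hdr_len, _ck, _ext, _res, _rev = FV_HDR.unpack_from(img, 0)
    if sig != FV_SIGNATURE or fv_len > len(img):
        raise ValueError("not a firmware volume")
    if sum(struct.unpack_from(f"<{hdr_len // 2}H", img, 0)) & 0xFFFF:
        raise ValueError("bad firmware volume header checksum")
    erased = (b"\xff" if attrs & FVB2_ERASE_POLARITY else b"\x00") * FFS_HDR_LEN
    files, off = [], hdr_len
    while off + FFS_HDR_LEN <= fv_len:
        raw = img[off:off + FFS_HDR_LEN]
        if raw == erased:
            break                                  # remainder of the volume is free space
        name, _h_ck, f_ck, ftype, fattr, size3, _state = FFS_HDR.unpack(raw)
        size = int.from_bytes(size3, "little")
        if size < FFS_HDR_LEN or off + size > fv_len:
            raise ValueError(f"corrupt FFS file size at offset {off:#x}")
        scratch = bytearray(raw)
        scratch[17] = scratch[23] = 0              # file checksum and State are not covered
        data = img[off + FFS_HDR_LEN:off + size]
        data_ok = (((sum(data) + f_ck) & 0xFF) == 0) if fattr & FFS_ATTRIB_CHECKSUM else f_ck == 0xAA
        files.append({"name": uuid.UUID(bytes_le=name), "type": ftype,
                      "header_ok": (sum(scratch) & 0xFF) == 0, "data_ok": data_ok,
                      "sha256": hashlib.sha256(data).hexdigest()})
        off += size + (-size % 8)                  # next file starts on an 8-byte boundary
    return files

def scan(img: bytes, baseline: dict) -> list:
    """Per-file verdict (known, modified, unknown or corrupt) against a GUID -> SHA-256 allowlist."""
    findings = []
    for f in parse_fv(img):
        guid = str(f["name"])
        if not (f["header_ok"] and f["data_ok"]):
            verdict = "corrupt"
        elif guid not in baseline:
            verdict = "unknown"
        elif baseline[guid] != f["sha256"]:
            verdict = "modified"
        else:
            verdict = "known"
        findings.append((guid, verdict))
    return findings

# Constructed module GUIDs and payloads standing in for real PEI/DXE modules.
PEIM_GUID = uuid.UUID("0a1b2c3d-1111-4222-8333-444455556666")
DXE_GUID = uuid.UUID("0a1b2c3d-7777-4888-8999-aaaabbbbcccc")
EXTRA_GUID = uuid.UUID("0a1b2c3d-dddd-4eee-8fff-000011112222")

def build_demo_images():
    """Golden image, the allowlist derived from it, and a tampered image to scan."""
    golden = build_fv([build_ffs_file(PEIM_GUID, 0x06, b"PEIM-A build 1"),
                       build_ffs_file(DXE_GUID, 0x07, b"DXE-B build 1")])
    baseline = {str(f["name"]): f["sha256"] for f in parse_fv(golden)}
    tampered = build_fv([build_ffs_file(PEIM_GUID, 0x06, b"PEIM-A build 1"),
                         build_ffs_file(DXE_GUID, 0x07, b"DXE-B altered"),
                         build_ffs_file(EXTRA_GUID, 0x07, b"module not in baseline")])
    return golden, tampered, baseline

if __name__ == "__main__":
    golden, tampered, baseline = build_demo_images()
    for guid, verdict in scan(tampered, baseline):
        print(guid, verdict)
```

Running the script scans the tampered image and reports the unchanged PEIM as known, the altered DXE driver as modified and the extra module as unknown. A real scanner would obtain the image from the SPI flash through the chipset, as the article describes, descend into nested firmware volumes and compressed sections, and pair the hash baseline with behavioural detection; this example only covers the FFS walk and the allowlist comparison.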