Microsoft Defender ATP now scans Windows 10 PC firmware for rootkit attacks


Microsoft has set up firmware defenses in Windows 10 Secured-core PCs for the enterprise, and is now bringing similar capabilities to its enterprise endpoint security product, Microsoft Defender Advanced Threat Protection (ATP).

Secured-core PCs are a handful of Windows 10 machines, including the Surface Pro X, HP Elite Dragonfly, Dell Latitude 7400 and the fourth-generation Lenovo ThinkPad X1 Yoga.

One of the main hardware-level protections they provide is kernel DMA (Direct Memory Access) protection, which can mitigate practical attacks that exploit, for example, the Thunderbolt interface to steal data from memory. Others include the Trusted Platform Module (TPM), virtualization-based security, Windows Defender System Guard, hypervisor-protected code integrity (HVCI) and tools to block execution of unverified code.

Analysis of the interface between the operating system and the firmware

This line of PCs is aimed at organizations that are in the crosshairs of state-sponsored hackers, such as the Russian group Fancy Bear, and of some recent strains of ransomware.

Windows Defender ATP's new UEFI (Unified Extensible Firmware Interface) scanner analyzes the interface between the operating system and the firmware, making a security capability that was previously exclusive to Secured-core PCs available to a much wider set of Windows 10 machines.

The scanner is designed to detect whether a rootkit or other malware has altered the code used to boot a PC, using knowledge supplied by Microsoft's chipset manufacturer partners. "The UEFI scanner is a new component of Windows 10's built-in antivirus solution and gives Microsoft Defender ATP the unique ability to scan inside the firmware file system and perform a security assessment," says the Microsoft Defender ATP team in a blog post. "It integrates insights provided by our chipset manufacturer partners and further expands the comprehensive endpoint protection provided by Microsoft Defender ATP."

Firmware content inspection

As Microsoft explains, the UEFI scanner can help spot attacks on machines that have Secure Boot disabled or whose chipset is misconfigured, since both conditions leave the firmware open to modification.

By modifying the UEFI firmware or its drivers, attackers can take actions such as disabling the antivirus that run before the operating system loads and therefore stay under the radar of a traditional antivirus and of the operating system itself.

The UEFI scanner reads the firmware it obtains from Serial Peripheral Interface (SPI) flash memory, which is not an easy task since the firmware image in SPI flash is not part of the main memory an operating system normally reads. "By obtaining the firmware, the scanner is able to parse the firmware, enabling Microsoft Defender ATP to inspect firmware content at runtime," said Microsoft.


