June 20, 2020

UEFI Scan Engine in Microsoft Defender ATP

Microsoft has expanded Microsoft Defender Advanced Threat Protection (ATP) protection capabilities with the addition of a Unified Extensible Firmware Interface (UEFI) scanner.

With hardware and firmware-level attacks rising in frequency over the past couple of years, Microsoft has decided to expand the functionality of its security solution to ensure it can keep users safe.

Two years ago, the tech giant introduced Windows Defender Device Guard to prevent firmware-level attacks by guaranteeing a safe boot through hypervisor-level certification and Stable Launch (or Dynamic Root of Trust, DRTM), two features enabled by default in Secured-core PCs.

By incorporating a UEFI scan engine into Microsoft Defender ATP, which makes firmware scanning widely available, the company is now seeking to enhance those protections.

The scanner is included in the built-in antivirus solution on Windows 10, uses insight from partner chipset manufacturers, and allows Microsoft Defender ATP to scan the firmware filesystem and perform security assessments.

A replacement for the legacy BIOS, UEFI is not normally accessible from the OS level, which makes implants within it difficult to detect. However, if UEFI is properly configured and Secure Boot is enabled, the firmware is reasonably secure, says Microsoft. Otherwise attackers might modify UEFI drivers or tamper with the firmware, ultimately taking control of the device.

The UEFI scanner interacts with the motherboard chipset at startup to read the firmware filesystem, Microsoft explains, which allows the firmware content to be inspected at runtime.

The solution performs dynamic analysis using components such as a UEFI anti-rootkit (which accesses the firmware through the Serial Peripheral Interface (SPI)), a full filesystem scanner (which analyses the firmware content), and a detection engine (which identifies exploits and malicious behaviors).
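As an added illustration of what a full filesystem scanner has to do once the SPI image is in hand (example code written for this page, not Microsoft's or the scanner's own): parse the firmware volume, validate its header checksums, hash every FFS file, and flag executable files whose hash is not in a vendor allowlist. The volume and file layouts follow the UEFI PI specification; the sample image, its GUIDs and the allowlist are constructed here and are not real firmware.

```python
# Added example (not Microsoft's code): parse a UEFI firmware volume and its FFS files,
# as a scanner does after reading SPI flash. Layouts follow the UEFI PI spec; the
# sample image is constructed here and is not a real firmware dump.
import hashlib, struct, uuid
FV_SIGNATURE = b"_FVH"
FFS_HDR = struct.Struct("<16sBBBB3sB")  # Name, HdrSum, FileSum, Type, Attr, Size[3], State
FILE_TYPES = {0x01: "RAW", 0x07: "DRIVER", 0x0A: "SMM", 0x0B: "FV_IMAGE", 0xF0: "PAD"}

def ffs_header_checksum_ok(hdr: bytes) -> bool:
    # 8-bit sum of the 24-byte header, with FileSum and State taken as 0, must be 0
    return (sum(hdr) - hdr[17] - hdr[23]) & 0xFF == 0

def parse_fv(img: bytes) -> list:
    """Walk a firmware volume; return [(file GUID, type name, SHA-256 of body)]."""
    fv_len, sig, _attrs, hdr_len = struct.unpack_from("<Q4sIH", img, 32)
    if sig != FV_SIGNATURE:
        raise ValueError("not a firmware volume: bad _FVH signature")
    if sum(struct.unpack(f"<{hdr_len // 2}H", img[:hdr_len])) & 0xFFFF:  # words must sum to 0
        raise ValueError("FV header checksum mismatch")
    files, off = [], hdr_len
    while off + 24 <= fv_len:
        hdr = img[off:off + 24]
        if hdr == b"\xff" * 24:  # erased flash: no more files
            break
        name, _, _, ftype, _, size3, _ = FFS_HDR.unpack(hdr)
        size = int.from_bytes(size3, "little")
        if size < 24 or off + size > fv_len or not ffs_header_checksum_ok(hdr):
            raise ValueError(f"corrupt FFS header at offset {off:#x}")
        digest = hashlib.sha256(img[off + 24:off + size]).hexdigest()
        files.append((str(uuid.UUID(bytes_le=name)), FILE_TYPES.get(ftype, f"{ftype:#04x}"), digest))
        off = (off + size + 7) & ~7  # FFS files are 8-byte aligned
    return files

def unexpected_drivers(img: bytes, allowlist: set) -> list:
    """Executable firmware files whose body hash is not in the vendor allowlist."""
    return [f for f in parse_fv(img) if f[1] in ("DRIVER", "SMM") and f[2] not in allowlist]

def build_ffs_file(guid: str, ftype: int, body: bytes) -> bytes:
    size = (24 + len(body)).to_bytes(3, "little")
    hdr = bytearray(FFS_HDR.pack(uuid.UUID(guid).bytes_le, 0, 0, ftype, 0, size, 0xF8))
    hdr[16] = -(sum(hdr) - hdr[23]) & 0xFF  # fill in the header checksum
    return bytes(hdr) + body

def build_fv(files: list, fv_len: int = 0x1000) -> bytes:
    hdr = bytearray(72)  # 56-byte fixed header + one block-map entry + terminator
    hdr[16:32] = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3").bytes_le  # FFS2 GUID
    struct.pack_into("<Q4sIHHHBBIIII", hdr, 32, fv_len, FV_SIGNATURE, 0x0004FEFF, 72, 0, 0, 0, 2, 1, fv_len, 0, 0)
    struct.pack_into("<H", hdr, 50, -sum(struct.unpack("<36H", hdr)) & 0xFFFF)
    body = b"".join(f + b"\xff" * (-len(f) % 8) for f in files)
    return bytes(hdr) + body + b"\xff" * (fv_len - 72 - len(body))

def sample_image(driver_body: bytes = b"MZ" + b"\x90" * 30) -> bytes:
    """Constructed two-file volume: one DXE driver plus one raw vendor-data file (fake GUIDs)."""
    return build_fv([build_ffs_file("11111111-2222-4333-8444-555555555555", 0x07, driver_body),
                     build_ffs_file("aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee", 0x01, b"vendor data")])
```

A real scanner reads the image over SPI rather than building it, and would also descend into nested volumes and compressed sections, which this parser does not.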

“Firmware testing is coordinated by runtime events such as irregular driver loading and periodic system scans. In Windows Security, detections are reported under Protection history,” explains Microsoft.

These detections will also be available to Microsoft Defender ATP customers in the Microsoft Defender Security Center, allowing for quick investigation and response to firmware attacks and suspicious firmware-level activities.

“Microsoft Defender ATP is getting even more visibility into firmware-level threats with its UEFI scanner, an area on which attackers have increasingly focused their efforts. […] This visibility level is also available in Microsoft Threat Protection (MTP), which provides an even wider cross-domain defense that coordinates protection across endpoints, identities, emails and apps,” concludes Microsoft.
