Windows 10 News and info | Forum
Topic: Microsoft Defender ATP now detects Windows 10 UEFI malware
Author: riso (Administrator)
Posted: June 21, 2020, 07:07:39 PM

Microsoft has announced that its Microsoft Defender Advanced Threat Protection (ATP) enterprise endpoint security platform is now capable of detecting and protecting customers from Unified Extensible Firmware Interface (UEFI) malware with the help of a new UEFI scanner. This built-in protection against firmware attacks has already been included in Windows 10 Secured-core PCs since October 2019, and it protects the users of such devices against attackers who abuse security flaws affecting both firmware and drivers. "Windows Defender System Guard helps defend against firmware attacks by providing guarantees for secure boot through hardware-backed security features like hypervisor-level attestation and Secure Launch, also known as Dynamic Root of Trust (DRTM), which are enabled by default in Secured-core PCs," Microsoft said.

One threat actor known for abusing firmware vulnerabilities is the Russian-backed APT28 threat group (also tracked as Tsar Team, Sednit, Fancy Bear, Strontium, and Sofacy), which used a UEFI rootkit known as LoJax as part of some of its 2018 operations. The new UEFI scanner, built with insights from partner chipset manufacturers, is a component of the Windows 10 built-in antivirus solution capable of performing security assessments after scanning inside the firmware filesystem.
Microsoft Defender ATP's UEFI scanner works by reading "the firmware file system at runtime by interacting with the motherboard chipset" and it gets triggered automatically through periodic scans or on runtime events such as suspicious driver loads.
To spot malicious firmware code, the UEFI scanner uses multiple components, including a UEFI anti-rootkit that scans the firmware through the Serial Peripheral Interface (SPI) flash, a full filesystem scanner for analyzing content inside the firmware, and a dedicated detection engine for identifying firmware exploits and malicious behavior.
Microsoft Defender ATP analyzes signals from the UEFI scanner to detect unknown threats and anomalies in SPI flash, which get reported to the Microsoft Defender Security Center for further investigation. "With its UEFI scanner, Microsoft Defender ATP gets even richer visibility into threats at the firmware level, where attackers have been increasingly focusing their efforts on," Microsoft concluded.
"Security operations teams can use this new level of visibility, along with the rich set of detection and response capabilities in Microsoft Defender ATP, to investigate and contain such advanced attacks.
"This level of visibility is also available in Microsoft Threat Protection (MTP), which delivers an even broader cross-domain defense that coordinates protection across endpoints, identities, email, and apps."
Source via bleepingcomputer
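The post describes the scanner in two layers: read the firmware file system out of SPI flash, then analyse the files it contains. The small Python script below is an added example of the second layer, not Microsoft's scanner and not code from the original post or from BleepingComputer. It walks a UEFI firmware volume using the EFI_FIRMWARE_VOLUME_HEADER and EFI_FFS_FILE_HEADER layouts from the UEFI Platform Initialization specification, checks the header checksums, and compares each file's SHA-256 against a known-good baseline to flag added, modified or missing files. Everything it scans is constructed in memory: the two firmware images are built by the script, the module GUIDs (PEI_CORE_GUID, DRIVER_GUID, IMPLANT_GUID) are placeholders, and only the FFS2 file-system GUID is the real specification value.

```python
"""UEFI firmware-file-system (FFS2) walker plus known-good baseline comparison.
Added example, not Microsoft's scanner and not code from the original post. Struct layouts
follow the UEFI PI spec; the images below are constructed in memory, not real SPI dumps."""
import hashlib
import struct
import uuid
from collections import namedtuple

FV_SIGNATURE = b"_FVH"
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FFS_HEADER_LEN = 24
FILE_TYPES = {0x01: "RAW", 0x02: "FREEFORM", 0x03: "SECURITY_CORE", 0x04: "PEI_CORE", 0x05: "DXE_CORE",
              0x06: "PEIM", 0x07: "DRIVER", 0x08: "COMBINED_PEIM_DRIVER", 0x09: "APPLICATION",
              0x0A: "MM", 0x0B: "FIRMWARE_VOLUME_IMAGE", 0xF0: "FFS_PAD"}
FfsFile = namedtuple("FfsFile", "name type data checksum_ok")


def _ffs_header_checksum_ok(hdr: bytes) -> bool:
    """8-bit sum of the 24-byte header is 0 with IntegrityCheck.File (17) and State (23) zeroed."""
    b = bytearray(hdr)
    b[17] = b[23] = 0
    return sum(b) % 256 == 0


def parse_firmware_volume(image: bytes) -> list:
    """Walk one FFS2 volume and return its files (no recursion into nested volumes/sections)."""
    if image[40:44] != FV_SIGNATURE or uuid.UUID(bytes_le=image[16:32]) != FFS2_GUID:
        raise ValueError("not an FFS2 firmware volume")
    fv_len, = struct.unpack_from("<Q", image, 32)
    header_len, = struct.unpack_from("<H", image, 48)
    if sum(struct.unpack_from(f"<{header_len // 2}H", image)) % 0x10000:  # FV header 16-bit sum must be 0
        raise ValueError("bad firmware volume header checksum")
    files, off = [], header_len
    while off + FFS_HEADER_LEN <= fv_len:
        hdr = image[off:off + FFS_HEADER_LEN]
        if hdr == b"\xff" * FFS_HEADER_LEN:            # erased flash: no more files
            break
        size = hdr[20] | hdr[21] << 8 | hdr[22] << 16   # 24-bit size, header included
        if size < FFS_HEADER_LEN or off + size > fv_len:
            raise ValueError(f"bad FFS file size {size} at offset {off:#x}")
        files.append(FfsFile(uuid.UUID(bytes_le=hdr[:16]), FILE_TYPES.get(hdr[18], f"0x{hdr[18]:02X}"),
                             image[off + FFS_HEADER_LEN:off + size], _ffs_header_checksum_ok(hdr)))
        off += (size + 7) & ~7                          # files are 8-byte aligned
    return files


def baseline(files) -> dict:
    """GUID -> SHA-256 of contents, taken from a trusted vendor image."""
    return {f.name: hashlib.sha256(f.data).hexdigest() for f in files}


def scan(image: bytes, golden: dict) -> list:
    """Flag files that are unknown, modified, missing or carry a broken header checksum."""
    findings, seen = [], set()
    for f in parse_firmware_volume(image):
        seen.add(f.name)
        if not f.checksum_ok:
            findings.append(f"BAD_HEADER_CHECKSUM {f.name} ({f.type})")
        if f.name not in golden:
            findings.append(f"UNKNOWN_FILE {f.name} ({f.type})")
        elif golden[f.name] != hashlib.sha256(f.data).hexdigest():
            findings.append(f"MODIFIED_FILE {f.name} ({f.type})")
    return sorted(findings + [f"MISSING_FILE {n}" for n in golden.keys() - seen])


# Builders for the constructed sample images (only so the example runs offline).
def build_ffs_file(name: uuid.UUID, ftype: int, data: bytes) -> bytes:
    size = FFS_HEADER_LEN + len(data)
    hdr = bytearray(name.bytes_le + b"\0\0" + bytes([ftype, 0]) + size.to_bytes(3, "little") + b"\0")
    hdr[16] = (-sum(hdr)) & 0xFF          # IntegrityCheck.Header: makes the 8-bit sum zero
    hdr[23] = 0xF8                        # State bits, inverted because erase polarity is 1
    body = bytes(hdr) + data
    return body + b"\xff" * (-len(body) % 8)   # pad to 8-byte alignment with erased bytes


def build_firmware_volume(files, block_size: int = 0x1000) -> bytes:
    header_len, body = 56 + 16, b"".join(files)   # fixed header + one block-map entry + terminator
    fv_len = -(-(header_len + len(body)) // block_size) * block_size
    hdr = bytearray(b"\0" * 16 + FFS2_GUID.bytes_le
                    + struct.pack("<Q4sIHHHBB", fv_len, FV_SIGNATURE, 0x0004FEFF, header_len, 0, 0, 0, 2)
                    + struct.pack("<IIII", fv_len // block_size, block_size, 0, 0))
    struct.pack_into("<H", hdr, 50, (-sum(struct.unpack(f"<{header_len // 2}H", hdr))) & 0xFFFF)
    return bytes(hdr) + body + b"\xff" * (fv_len - header_len - len(body))


PEI_CORE_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")   # placeholder GUIDs, not real modules
DRIVER_GUID = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")
IMPLANT_GUID = uuid.UUID("deadbeef-0000-0000-0000-000000000001")
GOLDEN_IMAGE = build_firmware_volume([                          # trusted reference (constructed)
    build_ffs_file(PEI_CORE_GUID, 0x04, b"PEI core image (constructed)"),
    build_ffs_file(DRIVER_GUID, 0x07, b"legit DXE driver (constructed)")])
SUSPECT_IMAGE = build_firmware_volume([                         # patched driver + extra driver added
    build_ffs_file(PEI_CORE_GUID, 0x04, b"PEI core image (constructed)"),
    build_ffs_file(DRIVER_GUID, 0x07, b"legit DXE driver (PATCHED)"),
    build_ffs_file(IMPLANT_GUID, 0x07, b"extra DXE driver (constructed)")])


def demo() -> list:
    """Findings when the suspect image is scanned against the golden baseline."""
    return scan(SUSPECT_IMAGE, baseline(parse_firmware_volume(GOLDEN_IMAGE)))


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running it reports the patched driver as MODIFIED_FILE and the extra driver as UNKNOWN_FILE. On a real machine the input would be an SPI flash dump taken with a tool such as chipsec, and a production walker would also have to recurse into nested firmware volumes and compressed sections, which this example deliberately skips. Two caveats worth keeping in mind: the header checksums only catch corruption, since anyone who can write the flash can recompute them, so the baseline comparison against a vendor image is the check that carries weight; and a scanner that reads flash from inside the running OS is itself exposed to a firmware implant, which is why the post pairs this visibility with hardware-backed attestation and DRTM on Secured-core PCs.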