Microsoft Defender ATP now detects Windows 10 UEFI malware
Posted by riso
« on: June 21, 2020, 07:07:39 PM »
Microsoft has announced that its Microsoft Defender Advanced Threat Protection (ATP) enterprise endpoint security platform is now capable of detecting and protecting customers from Unified Extensible Firmware Interface (UEFI) malware with the help of a new UEFI scanner.

This built-in protection against firmware attacks has already been included in Windows 10 Secured-core PCs since October 2019, and it protects the users of such devices against attackers who abuse security flaws affecting both firmware and drivers.

"Windows Defender System Guard helps defend against firmware attacks by providing guarantees for secure boot through hardware-backed security features like hypervisor-level attestation and Secure Launch, also known as Dynamic Root of Trust (DRTM), which are enabled by default in Secured-core PCs," Microsoft said.

One threat actor known for abusing firmware vulnerabilities is the Russian-backed APT28 threat group (also tracked as Tsar Team, Sednit, Fancy Bear, Strontium, and Sofacy), which used a UEFI rootkit known as LoJax as part of some of its 2018 operations.

The new UEFI scanner, built with insights from partner chipset manufacturers, is a component of the Windows 10 built-in antivirus solution and is capable of performing security assessments after scanning inside the firmware filesystem.
Microsoft Defender ATP's UEFI scanner works by reading "the firmware file system at runtime by interacting with the motherboard chipset" and it gets triggered automatically through periodic scans or on runtime events such as suspicious driver loads.
To spot malicious firmware code, the UEFI scanner uses multiple components: a UEFI anti-rootkit that scans the firmware through the Serial Peripheral Interface (SPI) flash, a full filesystem scanner for analyzing content inside the firmware, and a dedicated detection engine for identifying firmware exploits and malicious behavior.
Microsoft Defender ATP analyzes signals from the UEFI scanner to detect unknown threats and anomalies in SPI flash, which are then reported to the Microsoft Defender Security Center for further investigation. "With its UEFI scanner, Microsoft Defender ATP gets even richer visibility into threats at the firmware level, where attackers have been increasingly focusing their efforts on," Microsoft concluded.
"Security operations teams can use this new level of visibility, along with the rich set of detection and response capabilities in Microsoft Defender ATP, to investigate and contain such advanced attacks.
"This level of visibility is also available in Microsoft Threat Protection (MTP), which delivers an even broader cross-domain defense that coordinates protection across endpoints, identities, email, and apps."
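As an added illustration of what "scanning inside the firmware filesystem" involves (example code, not Microsoft's scanner), the Python below parses a UEFI firmware file system (FFS) volume image of the kind a scanner reads out of SPI flash, verifies the volume and file header checksums, and hashes each file so the result can be compared against a known-good baseline. The file GUID and file contents are constructed sample data; the header layouts and the FFS2 file system GUID follow the UEFI Platform Initialization specification.

```python
import hashlib, struct, uuid

FV_SIGNATURE = b"_FVH"
FV_HDR = struct.Struct("<16s16sQ4sIHHHBB")   # EFI_FIRMWARE_VOLUME_HEADER (56 bytes)
FFS_HDR = struct.Struct("<16sHBB3sB")         # EFI_FFS_FILE_HEADER (24 bytes)
FFS2_GUID = uuid.UUID("8C8CE578-8A3D-4F1C-9935-896185C32DD3")   # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FREE_SPACE = b"\xff" * 16                     # erased flash: no file header here
DRIVER = 0x07                                 # EFI_FV_FILETYPE_DRIVER

def walk_firmware_volume(fv: bytes) -> dict:
    """Return {file GUID: (type, sha256 of body)}; raise on a corrupt header."""
    _, _, fv_len, sig, _, hdr_len, *_ = FV_HDR.unpack_from(fv, 0)
    if sig != FV_SIGNATURE or fv_len > len(fv) or hdr_len < FV_HDR.size:
        raise ValueError("not a firmware volume")
    if sum(struct.unpack_from(f"<{hdr_len // 2}H", fv, 0)) & 0xFFFF:   # 16-bit sum must be 0
        raise ValueError("firmware volume header checksum mismatch")
    files, off = {}, hdr_len
    while off + FFS_HDR.size <= fv_len:
        name, _, ftype, _, size3, _ = FFS_HDR.unpack_from(fv, off)
        if name == FREE_SPACE:
            break
        hdr = bytearray(fv[off:off + FFS_HDR.size])
        hdr[17] = hdr[23] = 0                 # IntegrityCheck.File and State are excluded
        size = int.from_bytes(size3, "little")
        if sum(hdr) & 0xFF or size < FFS_HDR.size or off + size > fv_len:   # 8-bit sum must be 0
            raise ValueError(f"corrupt file header at offset {off:#x}")
        body = fv[off + FFS_HDR.size:off + size]
        files[str(uuid.UUID(bytes_le=name))] = (ftype, hashlib.sha256(body).hexdigest())
        off += (size + 7) & ~7                # files are 8-byte aligned
    return files

def build_file(name: uuid.UUID, ftype: int, body: bytes) -> bytes:
    """Pack one FFS file with a valid header checksum (constructed test data)."""
    size = FFS_HDR.size + len(body)
    hdr = bytearray(FFS_HDR.pack(name.bytes_le, 0, ftype, 0, size.to_bytes(3, "little"), 0))
    hdr[16] = (-sum(hdr)) & 0xFF              # IntegrityCheck.Header
    return bytes(hdr) + body

def build_firmware_volume(files: list, fv_len: int = 0x1000) -> bytes:
    """Pack files into a single-block FFS2 volume with a valid header checksum."""
    block_map = struct.pack("<IIII", 1, fv_len, 0, 0)   # one block entry plus terminator
    hdr_len = FV_HDR.size + len(block_map)
    hdr = bytearray(FV_HDR.pack(b"\0" * 16, FFS2_GUID.bytes_le, fv_len, FV_SIGNATURE,
                                0x0004FEFF, hdr_len, 0, 0, 0, 2) + block_map)
    struct.pack_into("<H", hdr, 50, (-sum(struct.unpack(f"<{hdr_len // 2}H", hdr))) & 0xFFFF)
    body = b"".join(f + b"\xff" * (-len(f) % 8) for f in files)
    return bytes(hdr) + body + b"\xff" * (fv_len - hdr_len - len(body))
DXE_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")      # constructed file name
GOOD_FV = build_firmware_volume([build_file(DXE_GUID, DRIVER, b"known-good DXE driver")])
TAMPERED_FV = build_firmware_volume([build_file(DXE_GUID, DRIVER, b"modified DXE driver")])
```

Comparing `walk_firmware_volume(GOOD_FV)` with the same call on `TAMPERED_FV` shows the same driver GUID with a different body hash, which is the kind of baseline deviation a firmware scanner surfaces for investigation.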
Source via bleepingcomputer