
Microsoft’s Defender ATP protection adds a new UEFI firmware scanner feature

UEFI firmware is effectively a small operating system of its own, but it is largely unprotected. Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is extending its protection capabilities to the firmware level with a new Unified Extensible Firmware Interface (UEFI) scanner.

The Unified Extensible Firmware Interface (UEFI) is a replacement for legacy BIOS. If the chipset is configured correctly (UEFI and chipset configuration itself) and Secure Boot is enabled, the firmware is reasonably secure. To perform a hardware-based attack, attackers exploit vulnerable firmware or a misconfigured machine to deploy a rootkit, which allows them to gain a foothold on the machine.

Under normal circumstances, common types of viruses are relatively easy to remove as long as they are found in time, but some viruses are technically more capable. For example, an advanced virus that specifically targets the system firmware is not easy to remove, mainly because it lurks and hides inside the system firmware.

The most typical of these is the advanced virus that infects UEFI firmware, and Microsoft has now begun to target and remove such viruses. Microsoft has recently updated Microsoft Defender ATP, and this update brings a variety of security measures to harden the system against such attacks.

This includes detecting and removing stubborn viruses in the UEFI firmware. The new component added by Microsoft can scan the system firmware directly through the Serial Peripheral Interface (SPI). Microsoft said that the new UEFI firmware scanner integrates Microsoft’s rich security technology, which can provide a full range of security from chip to cloud.

For enterprise organizations that have deployed Microsoft Defender ATP, administrators will also receive an alert when such an infection is detected and removed. The enterprise security team can use these alerts to collect evidence and trace the infection process, to ensure that enterprise computers and internal networks are not under threat.

Microsoft said that if the hardware device itself supports security features such as Secure Boot or device certification, Microsoft Defender ATP can also be seamlessly integrated. With the help of the UEFI scanner in Microsoft Defender ATP, you can now gain an in-depth understanding of firmware-level threats, and the security team can use it to detect such threats.

Hardware and firmware-level attacks have continued to rise in recent years, as modern security solutions made persistence and detection evasion on the operating system more difficult. Attackers compromise the boot flow to achieve low-level malware behavior that’s hard to detect, posing a significant risk to an organization’s security posture.

Windows Defender System Guard helps defend against firmware attacks by providing guarantees for secure boot through hardware-backed security features like hypervisor-level attestation and Secure Launch, also known as Dynamic Root of Trust for Measurement (DRTM), which are enabled by default in Secured-core PCs. The new UEFI scan engine in Microsoft Defender ATP expands on these protections by making firmware scanning broadly available.

The UEFI scanner is a new component of the built-in antivirus solution on Windows 10 and gives Microsoft Defender ATP the unique ability to scan inside the firmware filesystem and perform security assessment. It integrates insights from Microsoft’s partner chipset manufacturers and further expands the comprehensive endpoint protection provided by Microsoft Defender ATP.

The Serial Peripheral Interface (SPI) flash stores important information. Its structure depends on the OEM’s design and commonly includes the processor microcode update, the Intel Management Engine (ME), and the boot image, a UEFI executable. When a computer runs, the processor executes firmware code from SPI flash for a while during UEFI’s SEC phase. Instead of memory, the flash is permanently mapped to the x86 reset vector (physical address 0xFFFF_FFF0). However, attackers can interfere with memory access to the reset vector by software. They do this by reprogramming the BIOS control register on misconfigured devices, making it even harder for security software to determine exactly what gets executed during boot.

Once an implant is deployed, it’s hard to detect. To catch threats at this level, security solutions at the OS level rely on information from the firmware, but the chain of trust is weakened.
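To make the firmware filesystem and the reset-vector mapping described above concrete, the following Python is an added example, not Microsoft’s scanner and not code from the original article. It locates UEFI firmware volumes in an SPI flash dump by their `_FVH` signature, validates each header checksum, and reports which volume covers the address 0xFFFF_FFF0. It assumes the dump is the flash region that ends at the 4 GiB boundary; the function names and the sample image are constructed for illustration.

```python
import struct
import uuid

# Fixed part of EFI_FIRMWARE_VOLUME_HEADER (UEFI PI spec), 56 bytes: ZeroVector[16],
# FileSystemGuid[16], FvLength u64, Signature "_FVH", Attributes u32, HeaderLength u16,
# Checksum u16, ExtHeaderOffset u16, Reserved u8, Revision u8. A block map follows.
FV_HEADER = struct.Struct("<16s16sQ4sIHHHBB")
SIG_OFFSET = 40                      # the signature sits 40 bytes into the header
RESET_VECTOR = 0xFFFFFFF0            # physical address quoted in the article
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID

def checksum16(data):
    """Sum of little-endian 16-bit words; a valid FV header sums to zero."""
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF

def find_firmware_volumes(image):
    """List plausible firmware volumes in a flash dump whose last byte maps to 4 GiB - 1."""
    base = (1 << 32) - len(image)    # assumption: dump is the top-of-4GiB mapped region
    volumes, pos = [], image.find(b"_FVH")
    while pos != -1:
        start = pos - SIG_OFFSET
        if start >= 0 and start + FV_HEADER.size <= len(image):
            _, guid, fv_len, _, _, hdr_len, *_ = FV_HEADER.unpack_from(image, start)
            if FV_HEADER.size <= hdr_len <= fv_len and hdr_len % 2 == 0 \
                    and start + hdr_len <= len(image):
                volumes.append({
                    "offset": start, "length": fv_len,
                    "filesystem": uuid.UUID(bytes_le=guid),
                    "header_ok": checksum16(image[start:start + hdr_len]) == 0,
                    "holds_reset_vector": base + start <= RESET_VECTOR < base + start + fv_len,
                })
        pos = image.find(b"_FVH", pos + 4)
    return volumes

def build_sample_volume(fv_len=0x1000, corrupt=False):
    """Constructed test volume: header, one block-map entry plus terminator, 0xFF body."""
    block_map = struct.pack("<IIII", 1, fv_len, 0, 0)
    fields = [bytes(16), FFS2_GUID.bytes_le, fv_len, b"_FVH", 0x0004FEFF,
              FV_HEADER.size + len(block_map), 0, 0, 0, 2]
    fields[6] = -checksum16(FV_HEADER.pack(*fields) + block_map) & 0xFFFF
    fields[4] ^= int(corrupt)        # corrupt=True flips an Attributes bit after checksumming
    header = FV_HEADER.pack(*fields) + block_map
    return header + b"\xff" * (fv_len - len(header))

if __name__ == "__main__":
    # Constructed 12 KiB dump: padding, a tampered volume, then an intact boot volume.
    dump = b"\xff" * 0x1000 + build_sample_volume(corrupt=True) + build_sample_volume()
    for fv in find_firmware_volumes(dump):
        print(hex(fv["offset"]), fv["header_ok"], fv["holds_reset_vector"])
```

A header checksum only catches accidental or careless modification; a volume that passes it still needs its contents compared against a known-good vendor image.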


Windows Security notification showing detection of malicious content in non-volatile memory (NVRAM)

Expected boot flow vs. compromised boot flow

9 thoughts on “Microsoft’s Defender ATP protection adds a new UEFI firmware scanner feature”

  1. “BIOS chips” lmao you really don’t have the slightest clue what you’re saying do you?

    Did you even read the article? UEFI is NOT Microsoft’s thing. It’s a global standard originally developed by Intel and it’s a better version of BIOS. It’s already in most PCs.

    How does this invade user privacy in literally any way? This is before the OS loads fully and it’s a firmware level defense. There is no user information stored at this level.

    Read the article and actually know what you’re talking about before spewing nonsensical BS like this next time.

    1. Wow. This is actually quite impressive. The more you speak the more it becomes obvious that you have no idea what you’re saying.

      There’s so many things wrong with what you said and you’ve interpreted nearly everything Microsoft released incorrectly so I don’t even know where to begin.

      I’ll just talk about a few because I don’t wanna waste any more time on a complete walnut. “Runtime” does not indicate which level it runs at. It just means it happens whenever the firmware has an event that necessitates it. The screenshot of ATP scanning the firmware is an example of this. ATP is scanning the firmware from inside the OS but the firmware itself contains no private user data. You’d have to be a complete idiot to think that this is invading user privacy. But you’ve already established that that’s exactly what you are.

      Boo hoo that secure boot causes issues for people who want to undervolt their hardware. You have no clue how few people actually do this. MSFT has hundreds of millions if not billions of customers and the vast vast majority of them don’t care about undervolting. It follows then that MSFT would focus more on securing the hardware of billions of customers since that’s a more important goal.

      You just type an endless stream of words mixed with random insults.

      You sound like an imbecile getting angry at something good for the overwhelming majority of use cases.

      Feel free to continue spewing nonsense. It’ll only make you seem like an idiot but we already knew that.

  2. This is great to hear. Firmware level attacks have been a real problem for so long because it needed special attention at the sub-OS level to properly be mitigated and no 3rd party software has the privileges to do that.

  3. Good write up. It is really interesting to learn about this UEFI boot scanner. I work in a security cloud firm, and for me any compromise on security is a huge let down.
