SecurityWeek

Endpoint Security

Microsoft Defender ATP Gets UEFI Scanner

Microsoft has extended the protection capabilities of Microsoft Defender Advanced Threat Protection (ATP) with the addition of a Unified Extensible Firmware Interface (UEFI) scanner.

With hardware and firmware-level attacks increasing in frequency over the past several years, Microsoft has decided to expand its security solution’s capabilities to ensure it can continue to keep users secure.

Two years ago, the tech giant introduced Windows Defender System Guard to prevent firmware-level attacks by guaranteeing secure boot through hypervisor-level attestation and Secure Launch (or Dynamic Root of Trust (DRTM)), two features enabled by default in Secured-core PCs.

The company now seeks to enhance these protections with the addition of a UEFI scan engine in Microsoft Defender ATP, which makes firmware scanning broadly available.

Leveraging insight from partner chipset manufacturers, the scanner is included in the built-in antivirus solution on Windows 10 and enables Microsoft Defender ATP to scan the firmware filesystem and perform security assessments.

A replacement for legacy BIOS, UEFI isn’t normally accessible from the OS level, and any implants in it are difficult to detect. However, if UEFI is configured correctly and secure boot is enabled, the firmware is reasonably secure, Microsoft says. Otherwise, attackers could change UEFI drivers or tamper with the firmware, ultimately taking control of devices.

At startup, the UEFI scanner interacts with the motherboard chipset to read the firmware filesystem, Microsoft explains, which allows it to inspect the firmware content at runtime.

The solution performs dynamic analysis using components such as a UEFI anti-rootkit (which accesses the firmware through the Serial Peripheral Interface (SPI)), a full filesystem scanner (which analyzes the firmware content), and a detection engine (which identifies exploits and malicious behaviors).
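As an added illustration (not Microsoft's code, whose internals the article does not describe), here is a toy version of what the full filesystem scanner and detection engine described above do: it walks the file system inside a UEFI firmware volume, hashes every DXE driver file and flags any whose hash is not on a vendor allowlist. The volume layout follows the UEFI PI spec; the sample image, its GUIDs and the allowlist are constructed for the example.

```python
import hashlib
import struct
import uuid
# UEFI PI layout: a 56-byte EFI_FIRMWARE_VOLUME_HEADER plus block map, then
# FFS files, each starting with a 24-byte EFI_FFS_FILE_HEADER, 8-byte aligned.
FV_HDR = struct.Struct("<16s16sQ4sIHHHBB")  # ZeroVector, FsGuid, FvLength, Signature, Attrs, HdrLen, Checksum, ExtHdrOff, Reserved, Revision
FFS_HDR = struct.Struct("<16sHBB3sB")       # Name, IntegrityCheck, Type, Attributes, Size (24-bit), State
FFS_V2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")
DRIVER, PAD = 0x07, 0xF0                    # EFI_FV_FILETYPE_DRIVER, EFI_FV_FILETYPE_FFS_PAD

def build_fv(files):
    """Construct a sample firmware volume from (name_guid, type, body) tuples."""
    body = bytearray()
    for name, ftype, data in files:
        size = FFS_HDR.size + len(data)
        body += FFS_HDR.pack(name.bytes_le, 0, ftype, 0, size.to_bytes(3, "little"), 0xF8) + data
        body += b"\xff" * (-len(body) % 8)  # pad to the next 8-byte boundary
    hdr_len = FV_HDR.size + 16              # one block-map entry plus the (0, 0) terminator
    total = hdr_len + len(body)
    hdr = FV_HDR.pack(b"\0" * 16, FFS_V2_GUID.bytes_le, total, b"_FVH", 0, hdr_len, 0, 0, 0, 2)
    return hdr + struct.pack("<IIII", 1, total, 0, 0) + bytes(body)

def walk_fv(image):
    """Yield (name_guid, type, body) for every file in the volume's filesystem."""
    fields = FV_HDR.unpack_from(image, 0)
    if fields[3] != b"_FVH":
        raise ValueError("not a firmware volume")
    fv_len, off = fields[2], fields[5]
    while off + FFS_HDR.size <= fv_len:
        name, _, ftype, _, size24, _ = FFS_HDR.unpack_from(image, off)
        if name == b"\xff" * 16:            # erased flash: no more files
            break
        size = int.from_bytes(size24, "little")
        yield uuid.UUID(bytes_le=name), ftype, image[off + FFS_HDR.size : off + size]
        off += (size + 7) & ~7

def assess(image, allowlist):
    """Return (name, sha256) for each DXE driver whose hash is not on the vendor allowlist."""
    findings = []
    for name, ftype, body in walk_fv(image):
        digest = hashlib.sha256(body).hexdigest()
        if ftype == DRIVER and digest not in allowlist:
            findings.append((str(name), digest))
    return findings

# Constructed sample: an allowlisted driver, a pad file, and a driver with an altered body.
GOOD = (uuid.UUID("11111111-2222-3333-4444-555555555555"), DRIVER, b"known-good DXE driver image")
BAD = (uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa"), DRIVER, b"tampered DXE driver image")
ALLOWLIST = {hashlib.sha256(GOOD[2]).hexdigest()}
SAMPLE_FV = build_fv([GOOD, (uuid.UUID(int=0), PAD, b"\xff" * 5), BAD])
```

Running `assess(SAMPLE_FV, ALLOWLIST)` reports only the altered driver; a real scanner would read the image over SPI rather than build it in memory, and would check far more than a hash.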

“Firmware scanning is orchestrated by runtime events like suspicious driver load and through periodic system scans. Detections are reported in Windows Security, under Protection history,” Microsoft explains.

These detections will also be available for Microsoft Defender ATP customers in Microsoft Defender Security Center, to enable fast investigation and response to firmware attacks and suspicious activities at the firmware level.

“With its UEFI scanner, Microsoft Defender ATP gets even richer visibility into threats at the firmware level, where attackers have been increasingly focusing their efforts on. […] This level of visibility is also available in Microsoft Threat Protection (MTP), which delivers an even broader cross-domain defense that coordinates protection across endpoints, identities, email, and apps,” Microsoft concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.