Microsoft Defender ATP Gets UEFI Scanner

Microsoft has extended the protection capabilities of Microsoft Defender Advanced Threat Protection (ATP) with the addition of a Unified Extensible Firmware Interface (UEFI) scanner.

With hardware and firmware-level attacks increasing in frequency over the past several years, Microsoft has decided to expand its security solution’s capabilities to ensure it can continue to keep users secure.

Two years ago, the tech giant introduced Windows Defender System Guard to prevent firmware-level attacks by guaranteeing secure boot through hypervisor-level attestation and Secure Launch (or Dynamic Root of Trust (DRTM)), two features enabled by default in Secured-core PCs.

The company now seeks to enhance these protections with the addition of a UEFI scan engine in Microsoft Defender ATP, which makes firmware scanning broadly available.

Leveraging insight from partner chipset manufacturers, the scanner is included in the built-in antivirus solution on Windows 10 and enables Microsoft Defender ATP to scan the firmware filesystem and perform security assessments.

A replacement for legacy BIOS, UEFI isn’t normally accessible from the OS level, and any implants in it are difficult to detect. However, if UEFI is configured correctly and secure boot is enabled, the firmware is reasonably secure, Microsoft says. Otherwise, attackers could change UEFI drivers or tamper with the firmware, ultimately taking control of devices.

At startup, the UEFI scanner interacts with the motherboard chipset to read the firmware filesystem, Microsoft explains, which allows it to inspect the firmware content at runtime.

The solution performs dynamic analysis using components such as a UEFI anti-rootkit (which accesses the firmware through the Serial Peripheral Interface (SPI)), a full filesystem scanner (which analyzes the firmware content), and a detection engine (which identifies exploits and malicious behaviors).
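As an added illustration, not code from Microsoft or from the product described here, the Python below shows the basic job of a firmware filesystem scanner: it walks a UEFI PI firmware volume read from flash, validates the volume header checksum, and inventories every FFS file by GUID, type and SHA-256 so the list can be compared against a known-good baseline. The firmware volume is a constructed sample and the file GUID is a placeholder.

```python
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"        # PI firmware volume header signature at offset 40
FFS_FILE_HEADER_LEN = 24      # sizeof(EFI_FFS_FILE_HEADER)
FFS_PAD = 0xF0                # EFI_FV_FILETYPE_FFS_PAD: filler, not a real file

def checksum16(data: bytes) -> int:
    """PI header checksum: sum of little-endian 16-bit words must be 0 mod 2^16."""
    n = len(data) // 2
    return sum(struct.unpack("<%dH" % n, data[: n * 2])) & 0xFFFF

def parse_firmware_volume(image: bytes, offset: int = 0) -> dict:
    """Enumerate the FFS files in one firmware volume as (guid, type, sha256)."""
    fv = image[offset:]
    if fv[40:44] != FV_SIGNATURE:
        raise ValueError("no _FVH signature at offset %d" % offset)
    fv_length, = struct.unpack_from("<Q", fv, 32)
    header_len, = struct.unpack_from("<H", fv, 48)
    if checksum16(fv[:header_len]) != 0:
        raise ValueError("firmware volume header checksum mismatch")
    files, pos = [], header_len
    while pos + FFS_FILE_HEADER_LEN <= fv_length:
        hdr = fv[pos:pos + FFS_FILE_HEADER_LEN]
        if hdr == b"\xff" * FFS_FILE_HEADER_LEN:   # erased flash: no more files
            break
        guid = str(uuid.UUID(bytes_le=hdr[:16]))
        ftype = hdr[18]
        size = int.from_bytes(hdr[20:23], "little")  # 24-bit size, header included
        if size < FFS_FILE_HEADER_LEN or pos + size > fv_length:
            raise ValueError("corrupt FFS file size at offset %d" % pos)
        body = fv[pos + FFS_FILE_HEADER_LEN:pos + size]
        if ftype != FFS_PAD:
            files.append((guid, ftype, hashlib.sha256(body).hexdigest()))
        pos = (pos + size + 7) & ~7   # FFS files are 8-byte aligned in the volume
    return {"fv_length": fv_length, "files": files}

def build_sample_volume() -> bytes:
    """Constructed 256-byte volume: 72-byte header, one driver file, erased tail."""
    body = b"MZ" + b"\x00" * 30                     # stand-in for a PE32 driver image
    size = FFS_FILE_HEADER_LEN + len(body)
    file_hdr = (uuid.UUID("12345678-1234-5678-1234-56789abcdef0").bytes_le  # placeholder GUID
                + b"\x00\x00" + bytes([0x07, 0x00]) + size.to_bytes(3, "little") + b"\xf8")
    fv_len = 256
    hdr = bytearray(b"\x00" * 32 + struct.pack("<Q", fv_len) + FV_SIGNATURE
                    + struct.pack("<IHHHBB", 0, 72, 0, 0, 0, 2)   # attrs, hdr len, checksum=0, ext, rsvd, rev
                    + struct.pack("<IIII", 1, fv_len, 0, 0))     # block map + terminator
    struct.pack_into("<H", hdr, 50, (-checksum16(bytes(hdr))) & 0xFFFF)  # fix checksum
    image = bytes(hdr) + file_hdr + body
    return image + b"\xff" * (fv_len - len(image))
```

A real scanner would read the image over SPI and compare each file hash against the vendor's expected set; any header checksum failure or unknown file is what to investigate.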

“Firmware scanning is orchestrated by runtime events like suspicious driver load and through periodic system scans. Detections are reported in Windows Security, under Protection history,” Microsoft explains.

These detections will also be available for Microsoft Defender ATP customers in Microsoft Defender Security Center, to enable fast investigation and response to firmware attacks and suspicious activities at the firmware level.

“With its UEFI scanner, Microsoft Defender ATP gets even richer visibility into threats at the firmware level, where attackers have been increasingly focusing their efforts on. […] This level of visibility is also available in Microsoft Threat Protection (MTP), which delivers an even broader cross-domain defense that coordinates protection across endpoints, identities, email, and apps,” Microsoft concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.