Microsoft Defender ATP now scans Windows 10 PC firmware for hardware rootkit attacks

Microsoft brings malware scanning to firmware on Windows 10 PCs.
Written by Liam Tung, Contributing Writer

Microsoft has been building firmware-level defenses into Windows 10 Secured-Core PCs for the enterprise, and now it's bringing similar capabilities to its enterprise antivirus software, Microsoft Defender Advanced Threat Protection (ATP).

Secured-core PCs include a handful of Windows 10 PCs, including the Surface Pro X, HP Elite Dragonfly, Dell Latitude 7400, and fourth-generation Lenovo ThinkPad X1 Yoga. 

One of the key hardware-level protections these offer is kernel Direct Memory Access (DMA) protection, which can mitigate hands-on attacks that exploit, for example, the Thunderbolt interface to steal data from memory.   

SEE: Kubernetes security guide (free PDF) (TechRepublic download)

Others include Trusted Platform Module (TPM), virtualization-based security, Windows Defender System guard, hypervisor-protected code integrity (HVCI), and tools to block unverified code execution. 

This breed of PCs are aimed at organizations in the sights of state-backed hackers, such as the Russian group, Fancy Bear, and some recent strains of ransomware.  

The new Unified Extensible Firmware Interface (UEFI) scanner in Windows Defender ATP scans the interface between the operating system and firmware, making a security feature that was previously exclusive to Secured-Core Windows 10 PCs is now available more broadly. 

The scanner should detect when a rootkit or other malware tampers with code used to boot a PC by employing information from motherboard manufacturers.  

"The UEFI scanner is a new component of the built-in antivirus solution on Windows 10 and gives Microsoft Defender ATP the unique ability to scan inside the firmware filesystem and perform security assessment," the Microsoft Defender ATP team says in a blogpost. 

"It integrates insights from our partner chipset manufacturers and further expands the comprehensive endpoint protection provided by Microsoft Defender ATP."

SEE: Microsoft previews Microsoft Defender ATP for Linux

As Microsoft explains, the UEFI scanner can help spot attacks that exploit machines where secure boot is disabled or the motherboard chipset is misconfigured.

By altering the firmware or UEFI drivers, attackers can do bad things like disabling antivirus, all below the visibility of traditional antivirus and the operating system. 

The UEFI scanner runs an analysis on the firmware it gets from the Serial Peripheral Interface (SPI) flash storage, which isn't an easy task given that the firmware isn't accessible from the main memory of a machine. 

"By obtaining the firmware, the scanner is able to parse the firmware, enabling Microsoft Defender ATP to inspect firmware content at runtime," Microsoft says. 

Editorial standards