Microsoft Defender ATP Gets UEFI Scanner

Microsoft has extended the protection capabilities of Microsoft Defender Advanced Threat Protection (ATP) with the addition of a Unified Extensible Firmware Interface (UEFI) scanner.

With hardware and firmware-level attacks increasing in frequency over the past several years, Microsoft has decided to expand its security solution’s capabilities to ensure it can continue to keep users secure.

Two years ago, the tech giant introduced Windows Defender System Guard to prevent firmware-level attacks by guaranteeing secure boot through hypervisor-level attestation and Secure Launch (or Dynamic Root of Trust (DRTM)), two features enabled by default in Secured-core PCs.

The company now seeks to enhance these protections with the addition of a UEFI scan engine in Microsoft Defender ATP, which makes firmware scanning broadly available.

Leveraging insight from partner chipset manufacturers, the scanner is included in the built-in antivirus solution on Windows 10 and enables Microsoft Defender ATP to scan the firmware filesystem and perform security assessments.

A replacement for legacy BIOS, UEFI isn’t normally accessible from the OS level, and any implants in it are difficult to detect. However, if UEFI is configured correctly and secure boot is enabled, the firmware is reasonably secure, Microsoft says. Otherwise, attackers could change UEFI drivers or tamper with the firmware, ultimately taking control of devices.

At startup, the UEFI scanner interacts with the motherboard chipset to read the firmware filesystem, Microsoft explains, which allows it to inspect the firmware content at runtime.

The solution performs dynamic analysis using three components: a UEFI anti-rootkit, which accesses the firmware through the Serial Peripheral Interface (SPI); a full filesystem scanner, which analyzes the firmware content; and a detection engine, which identifies exploits and malicious behaviors.

“Firmware scanning is orchestrated by runtime events like suspicious driver load and through periodic system scans. Detections are reported in Windows Security, under Protection history,” Microsoft explains.

These detections will also be available for Microsoft Defender ATP customers in Microsoft Defender Security Center, to enable fast investigation and response to firmware attacks and suspicious activities at the firmware level.

“With its UEFI scanner, Microsoft Defender ATP gets even richer visibility into threats at the firmware level, where attackers have been increasingly focusing their efforts on. […] This level of visibility is also available in Microsoft Threat Protection (MTP), which delivers an even broader cross-domain defense that coordinates protection across endpoints, identities, email, and apps,” Microsoft concludes.

Ionut Arghire is an international correspondent for SecurityWeek.
