In an effort to mitigate the continuous rise of hardware and firmware-level attacks, Microsoft has announced a new Unified Extensible Firmware Interface (UEFI) scanner for Microsoft Defender ATP. The new UEFI scanner has a unique ability to scan inside of the firmware filesystem and perform security assessments.

The UEFI scanner is a new component of the built-in antivirus solution on Windows 10 and gives Microsoft Defender ATP the unique ability to scan inside of the firmware filesystem and perform security assessment. It integrates insights from our partner chipset manufacturers and further expands the comprehensive endpoint protection provided by Microsoft Defender ATP.

Windows Defender System Guard currently provides Windows 10 users with some secure boot features to mitigate the risk of firmware attacks (via TWC). The company now wants the UEFI scan engine in Microsoft Defender ATP to expand on these secure boot features, and to achieve that, Microsoft is making firmware scanning broadly available.

The new UEFI scanner performs dynamic analysis to detect threats. Several solution components help the scanner perform that analysis:

  • UEFI anti-rootkit, which reaches the firmware through Serial Peripheral Interface (SPI)
  • Full filesystem scanner, which analyzes content inside the firmware
  • Detection engine, which identifies exploits and malicious behaviors
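To make the "full filesystem scanner" component concrete, here is an added example that is not Microsoft's code and not part of the article: a minimal Python scanner for the UEFI Firmware File System. It parses an EFI_FIRMWARE_VOLUME_HEADER, walks the EFI_FFS_FILE_HEADER entries, verifies the 16-bit volume header checksum and the 8-bit file header checksums, and compares each file's SHA-256 against a known-good baseline, the kind of assessment a firmware scanner performs once it has an image. The firmware volume, the two file GUIDs, the file bodies and the baseline manifest are all constructed inline as placeholders; the only real identifier is the standard FFS2 filesystem GUID.

```python
"""Added example (not Microsoft's code): parse a UEFI firmware volume, enumerate
its FFS files, verify checksums and compare file hashes with a baseline.
The image and the baseline below are constructed for the example."""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"                 # EFI_FIRMWARE_VOLUME_HEADER.Signature
EFI_FVB2_ERASE_POLARITY = 0x0800       # erased flash reads as 0xFF when set
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")
FV_FIXED_HEADER = "<16s16sQ4sIHHHBB"   # ZeroVector, FileSystemGuid, FvLength, Signature,
                                       # Attributes, HeaderLength, Checksum,
                                       # ExtHeaderOffset, Reserved, Revision
FFS_HEADER_LEN = 24                    # Name(16) IntegrityCheck(2) Type Attributes Size(3) State
FFS_FILE_TYPES = {0x01: "RAW", 0x05: "DXE_CORE", 0x07: "DRIVER", 0x0A: "SMM", 0xF0: "PAD"}


def build_ffs_file(name: uuid.UUID, ftype: int, body: bytes) -> bytes:
    """Emit one FFS file with a valid 8-bit header checksum. The file-level
    checksum attribute is clear, so IntegrityCheck.File holds the fixed 0xAA."""
    size = (FFS_HEADER_LEN + len(body)).to_bytes(3, "little")
    partial = name.bytes_le + b"\x00\x00" + bytes([ftype, 0x00]) + size + b"\x00"
    hdr_sum = (-sum(partial)) & 0xFF       # makes the checked header bytes sum to zero
    state = 0xF8                           # CONSTRUCTION|HEADER_VALID|DATA_VALID, inverted for erase polarity 1
    return name.bytes_le + bytes([hdr_sum, 0xAA, ftype, 0x00]) + size + bytes([state]) + body


def build_firmware_volume(files, block_size=0x1000) -> bytes:
    """Pack FFS files into one erase block with a valid 16-bit header checksum."""
    body = b""
    for f in files:
        body += f + b"\xFF" * (-len(f) % 8)          # files are 8-byte aligned in the volume
    block_map = struct.pack("<II", 1, block_size) + struct.pack("<II", 0, 0)
    header_len = struct.calcsize(FV_FIXED_HEADER) + len(block_map)
    fixed = struct.pack(FV_FIXED_HEADER, b"\x00" * 16, FFS2_GUID.bytes_le, block_size,
                        FV_SIGNATURE, EFI_FVB2_ERASE_POLARITY, header_len, 0, 0, 0, 2)
    header = bytearray(fixed + block_map)
    words = struct.unpack("<%dH" % (header_len // 2), bytes(header))
    struct.pack_into("<H", header, 50, (-sum(words)) & 0xFFFF)   # Checksum field at offset 50
    image = bytes(header) + body
    return image + b"\xFF" * (block_size - len(image))


def parse_firmware_volume(image: bytes) -> dict:
    """Validate the FV header and enumerate FFS files; raise on corruption."""
    (_zero, fs_guid, fv_len, sig, attrs, hdr_len, _chk,
     _ext, _res, _rev) = struct.unpack_from(FV_FIXED_HEADER, image, 0)
    if sig != FV_SIGNATURE:
        raise ValueError("not a firmware volume: bad signature")
    if sum(struct.unpack_from("<%dH" % (hdr_len // 2), image, 0)) & 0xFFFF:
        raise ValueError("firmware volume header checksum mismatch")
    erased = 0xFF if attrs & EFI_FVB2_ERASE_POLARITY else 0x00
    files, off = [], hdr_len
    while off + FFS_HEADER_LEN <= fv_len:
        hdr = image[off:off + FFS_HEADER_LEN]
        if hdr[:16] == bytes([erased]) * 16:
            break                                    # erased flash: no more files
        size = int.from_bytes(hdr[20:23], "little")
        check = bytearray(hdr)
        check[17] = check[23] = 0                    # IntegrityCheck.File and State are excluded
        if sum(check) & 0xFF:
            raise ValueError(f"FFS header checksum mismatch at 0x{off:x}")
        if size < FFS_HEADER_LEN or off + size > fv_len:
            raise ValueError(f"FFS file at 0x{off:x} has an invalid size {size}")
        body = image[off + FFS_HEADER_LEN:off + size]
        files.append({"name": str(uuid.UUID(bytes_le=hdr[:16])),
                      "type": FFS_FILE_TYPES.get(hdr[18], f"0x{hdr[18]:02x}"),
                      "offset": off, "size": size,
                      "sha256": hashlib.sha256(body).hexdigest()})
        off = (off + size + 7) & ~7                  # next file starts 8-byte aligned
    return {"fs_guid": str(uuid.UUID(bytes_le=fs_guid)), "length": fv_len, "files": files}


def assess_firmware(image: bytes, baseline: dict) -> tuple:
    """Compare every file in the volume against baseline {file GUID: sha256}."""
    fv = parse_firmware_volume(image)
    findings = []
    for f in fv["files"]:
        expected = baseline.get(f["name"])
        if expected is None:
            findings.append(("unknown_file", f["name"], f["type"]))
        elif expected != f["sha256"]:
            findings.append(("modified_file", f["name"], f["type"]))
    return fv, findings


# Constructed sample: one known DXE driver and one file absent from the baseline.
KNOWN_DRIVER_GUID = uuid.UUID("11111111-2222-4333-8444-555555555555")   # placeholder
UNKNOWN_RAW_GUID = uuid.UUID("deadbeef-0000-4000-8000-000000000001")    # placeholder
KNOWN_DRIVER_BODY = b"MZ" + b"\x00" * 62 + b"constructed DXE driver image"
SAMPLE_FV = build_firmware_volume([
    build_ffs_file(KNOWN_DRIVER_GUID, 0x07, KNOWN_DRIVER_BODY),
    build_ffs_file(UNKNOWN_RAW_GUID, 0x01, b"constructed unexpected payload"),
])
# Stands in for a vendor-supplied manifest of expected file hashes.
BASELINE = {str(KNOWN_DRIVER_GUID): hashlib.sha256(KNOWN_DRIVER_BODY).hexdigest()}

if __name__ == "__main__":
    volume, findings = assess_firmware(SAMPLE_FV, BASELINE)
    for f in volume["files"]:
        print(f"{f['offset']:#06x} {f['type']:<8} {f['name']} {f['sha256'][:16]}")
    for finding in findings:
        print("FINDING:", *finding)
```

The scanner fails closed on a bad signature or checksum rather than skipping the entry, because a file header that does not check out is exactly the case a scanner should surface. In a real deployment the image would come from the SPI flash (the anti-rootkit component's job in the article) and the baseline from the OEM, and compressed or nested firmware volumes and sections would still need to be unpacked before hashing.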

Microsoft Defender ATP users will see detections that are reported in Windows Security, under Protection history. Microsoft will also label these detections as alerts in Microsoft Defender Security Center.
