Microsoft has introduced a UEFI scanner for the Windows Defender Advanced Threat Protection (ATP) platform. The new component attempts to verify and guarantee the integrity of systems at the UEFI BIOS level. Windows Defender ATP is the preventative, post-detection and investigative-response layer built on Windows Defender. It will now inspect systems more deeply, analysing firmware to keep a PC protected even before it boots.
In an effort to monitor and prevent hardware- and firmware-level attacks, Microsoft has announced a new Unified Extensible Firmware Interface (UEFI) scanner for Microsoft Defender ATP. The new scanner can look inside the PC's BIOS firmware filesystem and perform security assessments, so that threats cannot take over the boot process and block security software from launching when Windows starts.
UEFI BIOS Scanner Tool: A New Component in the Built-In Antivirus Solution on Windows 10
Microsoft already ships Windows Defender System Guard, which gives Windows 10 users some secure boot features to mitigate the risk of firmware attacks. Secure Boot essentially scans for threats that can attack a system even before the PC boots. Such threats are serious because many security products become fully operational only after the Windows OS has booted.
To mitigate such risks, Microsoft wants the UEFI scan engine in Microsoft Defender ATP to expand on these secure boot features. To that end, Microsoft is making firmware scanning broadly available. “The UEFI scanner is a new component of the built-in antivirus solution on Windows 10 and gives Microsoft Defender ATP the unique ability to scan inside of the firmware filesystem and perform security assessment. It integrates insights from our partner chipset manufacturers and further expands the comprehensive endpoint protection provided by Microsoft Defender ATP.”
Microsoft Defender ATP now detects Windows 10 UEFI malware https://t.co/0Y85oEQbge
— The Cyber Security Hub™ (@TheCyberSecHub) June 19, 2020
The new UEFI scanner performs dynamic analysis to detect threats at the BIOS level, relying on several solution components:
- UEFI anti-rootkit, which reaches the firmware through Serial Peripheral Interface (SPI)
- Full filesystem scanner, which analyzes content inside the firmware
- Detection engine, which identifies exploits and malicious behaviors
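The component list above describes the scanner's job at a high level: read the flash over SPI, walk the firmware filesystem, and judge what it finds. As an added illustration (not Microsoft's code and not the product's detection logic), the Python below walks a UEFI firmware volume in the FFSv2 layout, hashes each file's body and compares the result against a golden baseline, flagging modified, unexpected and missing modules. The EFI_FIRMWARE_VOLUME_HEADER and EFI_FFS_FILE_HEADER layouts, the FFSv2 filesystem GUID and the file-type codes are the public PI specification values; the module GUIDs, file bodies and the synthetic volume are constructed test data, and the parser deliberately skips sections, compression and checksum verification. A real image would come from the SPI flash via a chipset-specific reader.

```python
import hashlib
import struct
import uuid

# EFI_FIRMWARE_VOLUME_HEADER fixed part (56 bytes): ZeroVector, FileSystemGuid, FvLength,
# Signature, Attributes, HeaderLength, Checksum, ExtHeaderOffset, Reserved, Revision.
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"
FV_SIGNATURE = b"_FVH"
# EFI_FIRMWARE_FILE_SYSTEM2_GUID, the well-known FFSv2 filesystem identifier.
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")
# EFI_FFS_FILE_HEADER (24 bytes): Name, IntegrityCheck, Type, Attributes, Size[3], State.
FFS_HEADER_FMT = "<16sHBB3sB"
FFS_HEADER_LEN = struct.calcsize(FFS_HEADER_FMT)
FREE_SPACE_NAME = b"\xff" * 16  # an all-0xFF name marks erased free space after the last file
FILETYPE_DRIVER, FILETYPE_SMM = 0x07, 0x0A  # EFI_FV_FILETYPE_DRIVER, EFI_FV_FILETYPE_SMM

# Constructed sample GUIDs for the demo; they do not name real firmware modules.
DRIVER_GUID = uuid.UUID("11111111-2222-4333-8444-555555555555")
SMM_GUID = uuid.UUID("aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee")
IMPLANT_GUID = uuid.UUID("deadbeef-0000-4000-8000-000000000001")


def parse_fv(image: bytes):
    """Walk one firmware volume and return [(file GUID, file type, raw body)].

    Simplified: no FFS sections, compression or checksum verification.
    """
    (_zero, _fs_guid, fv_length, sig, _attrs, hdr_len,
     _checksum, _ext_off, _res, _rev) = struct.unpack_from(FV_HEADER_FMT, image, 0)
    if sig != FV_SIGNATURE:
        raise ValueError("not a firmware volume: bad _FVH signature")
    if fv_length > len(image) or hdr_len < struct.calcsize(FV_HEADER_FMT):
        raise ValueError("inconsistent firmware volume header")
    files, offset = [], hdr_len  # files start right after the header (block map included)
    while offset + FFS_HEADER_LEN <= fv_length:
        name, _ic, ftype, _fattrs, size3, _state = struct.unpack_from(FFS_HEADER_FMT, image, offset)
        if name == FREE_SPACE_NAME:
            break
        size = int.from_bytes(size3, "little")  # Size covers header + body
        if size < FFS_HEADER_LEN or offset + size > fv_length:
            raise ValueError(f"corrupt FFS file header at 0x{offset:x}")
        files.append((uuid.UUID(bytes_le=name), ftype, image[offset + FFS_HEADER_LEN:offset + size]))
        offset += (size + 7) & ~7  # FFS files are 8-byte aligned
    return files


def baseline(files):
    """Golden allowlist: file GUID -> (type, SHA-256 of body), taken from a trusted dump."""
    return {str(g): (t, hashlib.sha256(body).hexdigest()) for g, t, body in files}


def audit(image: bytes, known_good: dict):
    """Compare a dumped volume against the golden allowlist; return a list of findings."""
    findings, seen = [], set()
    for guid, ftype, body in parse_fv(image):
        key = str(guid)
        seen.add(key)
        if key not in known_good:
            findings.append(("UNEXPECTED_FILE", key, ftype))  # module absent from the baseline
        elif known_good[key][1] != hashlib.sha256(body).hexdigest():
            findings.append(("MODIFIED_FILE", key, ftype))  # body patched in place
    for key in sorted(known_good.keys() - seen):
        findings.append(("MISSING_FILE", key, known_good[key][0]))  # expected module removed
    return findings


def build_fv(files, fv_length=0x1000):
    """Assemble a synthetic FFSv2 volume from (GUID, type, body) tuples (constructed test data)."""
    block_map = struct.pack("<II", 1, fv_length) + struct.pack("<II", 0, 0)  # one block + terminator
    hdr_len = struct.calcsize(FV_HEADER_FMT) + len(block_map)
    image = struct.pack(FV_HEADER_FMT, bytes(16), FFS2_GUID.bytes_le, fv_length, FV_SIGNATURE,
                        0, hdr_len, 0, 0, 0, 2) + block_map
    for guid, ftype, body in files:
        size = FFS_HEADER_LEN + len(body)
        # State 0xF8: construction/header-valid/data-valid bits, inverted under erase polarity 1
        image += struct.pack(FFS_HEADER_FMT, guid.bytes_le, 0, ftype, 0, size.to_bytes(3, "little"), 0xF8)
        image += body
        image += b"\xff" * (-len(image) % 8)  # pad to the next 8-byte boundary
    if len(image) > fv_length:
        raise ValueError("files do not fit in the volume")
    return image + b"\xff" * (fv_length - len(image))  # erased free space


def demo():
    """Golden volume vs. a tampered one: an SMM module patched and an extra driver added."""
    golden = build_fv([(DRIVER_GUID, FILETYPE_DRIVER, b"DXE driver body (constructed)"),
                       (SMM_GUID, FILETYPE_SMM, b"SMM module body (constructed)")])
    known_good = baseline(parse_fv(golden))
    tampered = build_fv([(DRIVER_GUID, FILETYPE_DRIVER, b"DXE driver body (constructed)"),
                         (SMM_GUID, FILETYPE_SMM, b"SMM module body (constructed)" + b"\x90hooked"),
                         (IMPLANT_GUID, FILETYPE_DRIVER, b"unexpected driver (constructed)")])
    return audit(golden, known_good), audit(tampered, known_good)


if __name__ == "__main__":
    clean, bad = demo()
    print("golden image findings:", clean)
    for finding in bad:
        print("tampered image:", *finding)
```

The baseline is keyed by file GUID rather than by offset because a firmware update legitimately moves files around; a defender wants to know which module changed, not merely that some bytes did. In practice the allowlist would be built from vendor-signed capsule images rather than from a dump taken on the machine being checked.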
Microsoft Defender ATP users will see detections that are reported in Windows Security, under Protection history. Microsoft will also label these detections as ‘Alerts’ in Microsoft Defender Security Center. The primary intention of extending the availability and functionality of the UEFI Scanner is to boost the detection of threats for devices whose boot has already been compromised by rootkits or other kinds of malware acting at the firmware level.
Microsoft intends to keep the primary boot flow secure and trustworthy. In the absence of such a feature, rootkits can easily alter critical files of the OS as well as other installed software, and manipulate protection privileges to keep escalating their control over the victim machine.
How To Use UEFI Scanner In ATP On Microsoft Windows 10?
It appears users need a Microsoft 365 A5 subscription to enable ATP capabilities. Additionally, users need the Microsoft Defender Security Center portal. Some users claim the service also works with Intune in Azure, which reportedly allows organizations to monitor company laptops for security and system integrity.
NowBrowsing: "'Microsoft Defender ATP' gains a 'UEFI scanner' that protects all the way down to the firmware – 窓の杜" https://t.co/5dcVbLu2LK
— yoshiteru (@yoshiteru) June 19, 2020
Windows Defender System Guard is an advanced protection platform that proactively safeguards a Windows 10 PC, and the UEFI BIOS scanner is backed by cloud processing for fast, advanced threat detection.