Microsoft Defender ATP has got a firmware-level scanner

Microsoft today announced an impressive change to their Defender protection solution. Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is extending its protection capabilities to the firmware level with a new Unified Extensible Firmware Interface (UEFI) scanner.

According to Microsoft, it is company's response on the increased number of firmware attacks, in addition to threats affecting the operating system.

As noted by Microsoft, the UEFI scanner is a new component of the built-in antivirus solution on Windows 10 and gives Microsoft Defender ATP the unique ability to scan inside of the firmware filesystem and perform security assessment. It integrates insights from our partner chipset manufacturers and further expands the comprehensive endpoint protection provided by Microsoft Defender ATP.

How the UEFI scanner in Microsoft Defender ATP works

The new UEFI scanner reads the firmware file system at runtime by interacting with the motherboard chipset. To detect threats, it performs dynamic analysis using multiple new solution components that include:

• UEFI anti-rootkit, which reaches the firmware through Serial Peripheral Interface (SPI)
• Full filesystem scanner, which analyzes content inside the firmware
• Detection engine, which identifies exploits and malicious behaviors

Detections are reported in Windows Security, under Protection history.

For enterprise customers, they also will appear as security alerts in Microsoft Defender Security Center to capture users' attention.

There are some interesting tech details in the official announcement, check them out.

Support us

Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options: