Microsoft Defender ATP has got a firmware-level scanner

Microsoft today announced an impressive change to their Defender protection solution. Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is extending its protection capabilities to the firmware level with a new Unified Extensible Firmware Interface (UEFI) scanner.

According to Microsoft, this is the company's response to the increased number of firmware attacks, in addition to threats affecting the operating system.

As noted by Microsoft, the UEFI scanner is a new component of the built-in antivirus solution on Windows 10 and gives Microsoft Defender ATP the unique ability to scan inside the firmware filesystem and perform a security assessment. It integrates insights from Microsoft's partner chipset manufacturers and further expands the comprehensive endpoint protection provided by Microsoft Defender ATP.

How the UEFI scanner in Microsoft Defender ATP works

The new UEFI scanner reads the firmware file system at runtime by interacting with the motherboard chipset. To detect threats, it performs dynamic analysis using multiple new solution components that include:

  • UEFI anti-rootkit, which reaches the firmware through Serial Peripheral Interface (SPI)
  • Full filesystem scanner, which analyzes content inside the firmware
  • Detection engine, which identifies exploits and malicious behaviors
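To make the "full filesystem scanner" component more concrete, here is an added example (not code from Microsoft or the announcement) that parses and validates the first structure any UEFI firmware filesystem scanner has to understand: the Firmware Volume header, including its 16-bit header checksum. The header layout and the FFSv2 filesystem GUID follow the UEFI Platform Initialization specification; the sample flash image and its attribute value are constructed inline.

```python
"""Parse and validate a UEFI Firmware Volume (FV) header, the top-level
structure of a UEFI firmware filesystem (EFI_FIRMWARE_VOLUME_HEADER)."""
import struct
import uuid

FV_SIGNATURE = b"_FVH"
# EFI_FIRMWARE_FILE_SYSTEM2_GUID: the usual FFSv2 filesystem GUID
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")
# ZeroVector(16) FileSystemGuid(16) FvLength(8) Signature(4) Attributes(4)
# HeaderLength(2) Checksum(2) ExtHeaderOffset(2) Reserved(1) Revision(1)
HDR_FMT = "<16s16sQ4sIHHHBB"
HDR_SIZE = struct.calcsize(HDR_FMT)  # 56 bytes

def header_checksum16(data: bytes) -> int:
    """16-bit word sum; a valid FV header (incl. block map) sums to 0."""
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF

def parse_fv_header(image: bytes, offset: int = 0) -> dict:
    """Parse the FV header at offset; raises ValueError on a malformed one."""
    if len(image) < offset + HDR_SIZE:
        raise ValueError("image too short for an FV header")
    (_zero, fs_guid, fv_len, sig, attrs, hdr_len, _chk, ext_off,
     _res, rev) = struct.unpack_from(HDR_FMT, image, offset)
    if sig != FV_SIGNATURE:
        raise ValueError("bad FV signature %r" % sig)
    if hdr_len < HDR_SIZE or offset + hdr_len > len(image):
        raise ValueError("HeaderLength %d does not fit the image" % hdr_len)
    guid = uuid.UUID(bytes_le=fs_guid)
    return {
        "filesystem_guid": guid, "is_ffs2": guid == FFS2_GUID,
        "fv_length": fv_len, "attributes": attrs, "header_length": hdr_len,
        "ext_header_offset": ext_off, "revision": rev,
        # The checksum covers the whole header including the block map.
        "checksum_ok": header_checksum16(image[offset:offset + hdr_len]) == 0,
    }

def build_sample_fv(length: int = 0x10000, corrupt: bool = False) -> bytes:
    """Construct a minimal FFSv2 volume: header, one block-map entry,
    the zero terminator entry, and erased (0xFF) flash content."""
    block_map = struct.pack("<IIII", length // 0x1000, 0x1000, 0, 0)
    hdr_len = HDR_SIZE + len(block_map)
    def pack(chk):  # attributes value 0x0004FEFF is a constructed example
        return struct.pack(HDR_FMT, b"\0" * 16, FFS2_GUID.bytes_le, length,
                           FV_SIGNATURE, 0x0004FEFF, hdr_len, chk, 0, 0, 2) + block_map
    header = pack((-header_checksum16(pack(0))) & 0xFFFF)
    if corrupt:  # flip the Revision byte so the header no longer sums to zero
        header = header[:55] + bytes([header[55] ^ 0xFF]) + header[56:]
    return header + b"\xff" * (length - len(header))
```

A real scanner would continue from `header_length` into the FFS file headers and their sections; a header whose checksum fails or whose signature is missing is the first thing worth flagging.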

Detections are reported in Windows Security, under Protection history.

Figure 1: Windows Security notification showing detection of malicious content in NVRAM.

For enterprise customers, detections will also appear as security alerts in Microsoft Defender Security Center, where they will get the attention of the security team.

Figure 2: Microsoft Defender ATP alert for detecting malicious code in firmware.

The official announcement contains more interesting technical details; check it out.

Author: Sergey Tkachenko

Sergey Tkachenko is a software developer who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software. Follow him on Telegram, Twitter, and YouTube.