Microsoft is launching a new Unified Extensible Firmware Interface (UEFI) scanner as part of the Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) to bring attack and malware protection to the firmware level.
The UEFI scanner is a new feature built into Microsoft Defender Antivirus for Windows 10. It can scan the firmware filesystem and perform security assessments, and it incorporates insights from chipset manufacturers that further expand Microsoft Defender ATP's protection.
The company explains that the Microsoft Defender ATP UEFI scanner works by interacting with the motherboard chipset to read the firmware files at runtime. To detect threats, the feature performs dynamic analysis using multiple components: a UEFI anti-rootkit component that reaches the firmware through the Serial Peripheral Interface (SPI), a full filesystem scanner that analyzes the content inside the firmware, and a detection engine that identifies exploits and malicious behaviors.
If an anomaly is detected, it is reported in the Windows Security app under the “Virus & threat protection” section, on the Protection history page. You can use that information to investigate and respond to firmware attacks and suspicious activity at the firmware level.
In the case of Microsoft Defender ATP (enterprise) customers, the detections will appear as alerts in the Microsoft Defender Security Center.
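For administrators who want the Protection history view from a script rather than the Windows Security UI, the following is an added example (not Microsoft's code) that joins Defender's threat catalogue to its detection events. It assumes UEFI scanner findings are recorded like other Defender Antivirus detections, and the "UEFI" name filter is a guess rather than a documented naming convention.

```powershell
# Added example, not from the article or from Microsoft: list Defender AV
# detections joined to their threat names, so firmware-scanner findings shown
# in Protection history can be pulled from a script.
# Assumptions: UEFI scanner detections surface through the same Defender threat
# records as other AV detections; the default "UEFI" name pattern is a guess.
function Get-DefenderDetectionReport {
    param(
        [string]$NamePattern = 'UEFI',   # hypothetical filter; '' lists everything
        [int]$Days = 30
    )
    $since = (Get-Date).AddDays(-$Days)

    # Get-MpThreat: catalogue of threats seen on this machine (name, severity, active)
    $threatsById = @{}
    foreach ($t in Get-MpThreat) { $threatsById[$t.ThreatID] = $t }

    # Get-MpThreatDetection: individual detection events with the affected resources
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        ForEach-Object {
            $t = $threatsById[$_.ThreatID]
            [pscustomobject]@{
                Detected   = $_.InitialDetectionTime
                ThreatName = if ($t) { $t.ThreatName } else { "unknown ($($_.ThreatID))" }
                Severity   = if ($t) { $t.SeverityID } else { $null }
                Active     = if ($t) { $t.IsActive } else { $null }
                Resources  = ($_.Resources -join '; ')
            }
        } |
        Where-Object { $NamePattern -eq '' -or $_.ThreatName -match $NamePattern } |
        Sort-Object Detected -Descending
}

# Usage: detections from the last 30 days whose threat name mentions UEFI.
Get-DefenderDetectionReport | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on a Windows 10 machine with Microsoft Defender Antivirus active; pass `-NamePattern ''` to see every recorded detection, not just names matching the filter.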
The new UEFI scanner is another component Microsoft is making broadly available to counter the continued rise in hardware- and firmware-level attacks. Such attacks typically compromise the boot flow, are difficult to detect, and pose a significant risk to devices and data.