Microsoft adds UEFI scanner in Windows 10 to help detect firmware attacks

Performs security assessment by interacting directly with the motherboard chipset

Microsoft said on Wednesday that it has added UEFI scanner in its Defender Advanced Threat Protection tool (Defender ATP) to help detect firmware attacks.

In other words, Microsoft Defender ATP is now able to detect malware injected in firmware, thereby adding an extra security layer to systems running Windows 10.

Microsoft Defender ATP is security technology that enables enterprise users to detect and respond to emerging security threats. The tool has more powerful in recent years, and a large number of users now prefer to stick with the native protection to safeguard their machines from cyber attacks.

Malware-infected firmware is difficult to detect as it is launched before booting the OS. So, most of the time, such malicious programmes remain undetected by third-party antivirus software.

In an online post, the software giant said that its new Unified Extensible Firmware Interface (UEFI) scanner will perform security assessment by interacting directly with the motherboard chipset and reading the firmware's file system at runtime.

The new tool will use the following solution components to carry out dynamic analysis:

• UEFI anti-rootkit, which reaches the firmware through Serial Peripheral Interface
• Full file system scanner, which examines the content inside the firmware
• Detection engine, which identifies exploits and malicious behaviours

In case malware is spotted at firmware level, the user will receive a security alert at their Defender Security Centre. There, they will analyse the threat and take appropriate steps to respond to suspicious activity in the system.

The IT security teams can also use advanced scanning capabilities in Microsoft Defender ATP to hunt for such threats, the company said.

According to Microsoft, the new security tool is a natural evolution of all security enhancements in Microsoft Defender ATP, and users can expect more such updates in coming days.

In February, Microsoft had added support for tamper protection in Defender ATP's Threat & Vulnerability Management to help organisations get additional information on exposed machines.

The security feature prevents threat actors from altering or disabling security settings that are designed to stop them from infiltrating networks.