Sun Jun 21 2020
A UEFI scanner has been added into Windows 10 to detect firmware attacks by Cyber Actors
Last week Microsoft announced that it had added a UEFI scanner into its Defender Advanced Threat Protection tool (Defender ATP) to better detect firmware attacks by performing a security assessment that will interact directly with a motherboard chipset.
That means Microsoft’s Defender ATP will now be able to detect malware that has been inserted directly into firmware, adding another layer of security to Microsoft’s already formidable security protocols on Windows 10.
For those unfamiliar with Microsoft Defender ATP, it’s a type of security technology that lets enterprise-level users detect and then quickly respond to emerging cyber threats.
The reason malware-infected firmware is so difficult to detect is that it’s launched before the OS is booted up. That means that, the majority of the time, malicious programmes can remain hidden from third-party antivirus software that only kicks in with the OS.
In a statement online, Microsoft said that their new UEFI (Unified Extensible Firmware Interface) scanner will interact directly with a motherboard chipset, performing lightning-fast security assessments by reading the firmware’s file system at runtime.
Microsoft’s UEFI will include…
If malware is detected at the firmware level the end user will get a security alert through the Defender Security Centre. The threat can then be analysed with appropriate actions being taken to neutralise it.
Rather than just being a passive tool though, Microsoft also confirmed Defender ATP could be used by IT security teams in an active manner to go on the hunt for existing threats.
More updates are expected from Microsoft within the next few days about further new security tools…