How Microsoft blocks vulnerable and malicious drivers in Defender, third-party security tools and in Windows 11
Device drivers have so many privileges in Windows that if compromised, they can be used to attack the system and even disable anti-malware software. Recent malware attacks like RobbinHood, Uroburos, Derusbi, GrayFish and Sauron have used driver vulnerabilities to break into systems. Now Windows 11 has more protections against this.
Although some malicious drivers are deliberately designed to compromise PCs, most problems stem from a small number of legitimate drivers with accidental flaws, said David Weston, vice president of enterprise security and operating systems at Microsoft.
“What we see far more often than malicious drivers are just vulnerable drivers. Let’s say this printer driver has been around since 2006, there’s a buffer overflow: attackers who have admin-level access take it with them on attacks and load it as a way to get an interface or API into the kernel. They take a trusted driver, which will override any trust list, load it and then use it to disable the antivirus on the machine.”
Expand what is blocked
Microsoft automatically blocks the small subset of drivers that are known to have issues and are frequently exploited in this way on any PC that has S Mode or Hypervisor-Protected Code Integrity (HVCI) virtualization-based security enabled.
In addition to drivers known to have been used by malware, there are also what Weston calls vulnerable drivers, which you can now choose to block or not.
“The malicious driver block list is the highest risk level. We’ve seen this being used by malware in the wild; there’s no doubt that this needs to be blocked. Then there’s the vulnerable driver blocklist. Think of it as going up the funnel: we know they are vulnerable [to attack], we haven’t necessarily seen them used specifically to hack people, but they might, so we’ll block it. Now, you might possibly have a device that needs it, and that’s why we’re making it optional. We don’t want to hamper your experience or make you decide between functionality and security, so we just recommend it.”
Why doesn’t Microsoft just revoke compromised drivers so they can’t work on Windows at all? Revocation takes time and sometimes negotiations. “The malicious driver blocklist is our way of dealing with this in a way that’s much quicker and less impactful than revocation,” Weston explained. “Think of some of the recent driver cases where a certificate was leaked by a giant vendor. If we revoke that, everyone’s devices could stop working. So we are working towards the longer approach of revocation. The Vulnerable Driver Block List allows the user to do this with a very specific list that Microsoft has validated. We look at things like how many devices would stop working? Have we worked with a vendor to find a solution? We think the list strikes a good balance for people who are looking for security, but also want to know that Microsoft has done the telemetry and analysis.”
HVCI and the Microsoft Vulnerable Driver Blocklist are among the hardware security options that are now enabled by default on many Windows 11 PCs – and that’s one of the reasons for the stricter system requirements for Windows 11. But they’re also available in previous versions of Windows and on Windows Server 2016 and later. Windows Defender Application Control (WDAC), which lets you create policies for the apps and drivers that can run on a PC, is no longer limited to just the Enterprise edition of Windows. (WDAC doesn’t need HVCI to work, but using HVCI to protect WDAC makes it harder for an attacker to disable those protections.)
In the next version of Windows 11, HVCI will be enabled by default on a wider set of devices running Windows 11, which also turns on the blocklist. When Windows 11 was first released, it only enabled HVCI for the latest 12th generation AMD and Intel processors; now any processor with the correct built-in hardware security will have HVCI enabled, including 8th generation processors.
You can also enable the blocklist yourself in the Core isolation section of the Windows Security app – and the same slider lets you disable it if one of your devices stops working (although you will want to work on replacing or updating devices that need these vulnerable drivers, to avoid long-term risk).
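As an added example (not code from the article or from Microsoft), the following PowerShell reads the state the Core isolation slider controls, together with the HVCI and code-integrity status that decide whether the built-in block rules are actually enforced. It assumes an elevated prompt, the documented Win32_DeviceGuard WMI class and the VulnerableDriverBlocklistEnable registry value described in Microsoft's driver block rules documentation.

```powershell
# Added example: report whether the driver protections described above are active.
# Run from an elevated PowerShell session.

function Get-DriverProtectionState {
    # Win32_DeviceGuard exposes virtualization-based security and code-integrity state.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # The Windows Security "Core isolation" toggle for the vulnerable driver blocklist
    # is persisted here (value name taken from Microsoft's driver block rules docs).
    # A missing value means the Windows default for this build applies.
    $ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklist = (Get-ItemProperty -Path $ciConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    [pscustomobject]@{
        # 0 = VBS off, 1 = enabled but not running, 2 = running
        VbsStatus                       = $dg.VirtualizationBasedSecurityStatus
        # SecurityServicesRunning contains 2 when HVCI is running
        HvciRunning                     = ($dg.SecurityServicesRunning -contains 2)
        # 0 = off, 1 = audit, 2 = enforced (kernel-mode WDAC policy)
        KernelCiEnforcement             = $dg.CodeIntegrityPolicyEnforcementStatus
        UserModeCiEnforcement           = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
        # $null = not explicitly set, 1 = blocklist on, 0 = user switched it off
        VulnerableDriverBlocklistEnable = $blocklist
    }
}

$state = Get-DriverProtectionState
$state | Format-List

# Read the result the way the article frames the risk.
if (-not $state.HvciRunning) {
    Write-Warning 'HVCI is not running: the hypervisor is not protecting code integrity on this PC.'
}
if ($state.VulnerableDriverBlocklistEnable -eq 0) {
    Write-Warning 'Vulnerable driver blocklist was switched off; plan to replace or update the device that needs the vulnerable driver.'
}
```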
Organizations that want a more aggressive block list than Microsoft’s measured approach can add their own drivers to the list using the WDAC Policy Wizard.
Weston says the new list “broadens the net of what we block and makes it easier.” Previously, IT admins had to get the list of drivers from MSDN or TechNet, copy it into an XML policy file and deploy it; now it’s built in and increasingly applied by default.
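For organizations that still want the stricter, self-maintained list described in the two paragraphs above, here is an added example (not the article's or Microsoft's own code) that merges Microsoft's published block rules XML with an organization's own deny rule using the ConfigCI module, and keeps the result in audit mode until it has been reviewed. The download path, the hypothetical legacy-printer.sys driver and the output file names are assumptions.

```powershell
# Added example: build a WDAC policy carrying Microsoft's recommended driver block
# rules plus one extra deny rule, starting in audit mode. Run elevated.
Import-Module ConfigCI

$msBlockRules = '.\microsoft-recommended-driver-block-rules.xml'  # assumed: XML downloaded from Microsoft
$orgDriver    = '.\legacy-printer.sys'                             # hypothetical driver to block
$mergedPolicy = '.\DriverBlockPolicy.xml'
$binaryPolicy = '.\DriverBlockPolicy.bin'

# 1. Hash-level deny rule for the organization's own driver: only this exact
#    binary is blocked, not everything signed by the same publisher.
$denyRule = New-CIPolicyRule -DriverFilePath $orgDriver -Level Hash -Deny

# 2. Merge Microsoft's block rules and the extra deny rule into one policy file.
Merge-CIPolicy -PolicyPaths $msBlockRules -Rules $denyRule -OutputFilePath $mergedPolicy | Out-Null

# 3. Option 3 = Enabled:Audit Mode. Blocked loads are only logged to
#    Microsoft-Windows-CodeIntegrity/Operational, so a boot driver that is
#    unexpectedly on the list does not take the machine down.
Set-RuleOption -FilePath $mergedPolicy -Option 3

# 4. Compile to the binary form Windows consumes.
ConvertFrom-CIPolicy -XmlFilePath $mergedPolicy -BinaryFilePath $binaryPolicy

# Deploy the binary per Microsoft's WDAC deployment docs (the destination differs
# between single-policy and multiple-policy format). Once the audit log shows no
# legitimate drivers being hit, switch to enforcement:
#   Set-RuleOption -FilePath $mergedPolicy -Option 3 -Delete
#   ConvertFrom-CIPolicy -XmlFilePath $mergedPolicy -BinaryFilePath $binaryPolicy
```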
Build on Blocklists
The Device Health Attestation API in Windows is a way for not only Microsoft security tools but also third-party options like AirWatch and MobileIron to protect the security agent running on the system from the kind of tampering that malicious drivers allow attackers to do. The new Azure Attestation service extends this so that developers using Azure can set policy to manage application deployments based on the state of components on the PC, without needing to use an MDM service like Intune.
“If you have a containerized app and you want to say, ‘Hey, before my containerized app deploys, I want to learn about this system,’ you can do that,” Weston says. This could be integration with Azure AD or an OpenID Connect identity provider, or it could be looking at code integrity policies on the device. “You can say I want this specific allowlist or I want this specific blocklist and if it’s not there I don’t want my app to run.”
This could allow you to check the status of a PC before authorizing, for example, the use of remote access software. Or it could allow a game studio to set anti-cheat policies, he suggested. “They might say I’m going to use the Azure Attestation service to make sure the blocklist that blocks all cheat drivers is on the machine. You can create a very lightweight, high-security anti-cheat by saying, I’m going to configure an HVCI policy that will be enforced by the hypervisor and before my game starts I want to make sure that this policy is loaded on the system.”
Look for more code samples and tips on how to use it soon, as well as easier integration with third-party identity providers.
Cleaner systems require clean installs
Enabling HVCI and WDAC (or deploying new devices with these features on by default) is where Weston suggests starting. But since any blocklist is by definition incomplete, the long-term solution is to flip the approach and allow only known safe software. “We know that the way to stop malware is not to [play] whack-a-mole. It’s about reducing the number of things that can run on your device to what you need.”
This is the theory behind the Smart App Control feature coming in the next version of Windows 11, an extension of WDAC that brings the core value of Windows 10 S Mode (“tens of millions of users and no widespread malware”) to a much broader user base. It restricts users to signed apps only, backed by an Azure Code Signing service that makes code signing affordable and immediately revokes any signing certificate used by malware through the Defender service, with exemptions that allow users to install unsigned applications that have already been used by enough other people to gain a reputation for being safe.
Like HVCI, driver blocklists and the other security features enabled by default in Windows 11, Smart App Control will only be enabled by default if you buy a new PC with Windows 11 or do a clean install.
“We need to be able to run the driver profiler and make sure we’re not blocking any of your boot drivers, which would be bad; we need to run sysprep,” Weston explained. Expect Microsoft to start being more explicit about this in the future, to ensure users benefit from the protections built into Windows 11.