New feature added by Microsoft to Windows Defender

Mar 28, 2022 14:49 GMT

Windows Defender, or as Microsoft calls it, Microsoft Defender, has recently been updated with a new feature designed to protect Windows devices against malicious drivers.

Called Microsoft Vulnerable Driver Blocklist, this new security tool is meant to help the application block drivers with security vulnerabilities from running on the device.

The company says it is working with partners to identify the drivers that could expose Windows PCs, and it relies on the security solution bundled with Windows to take action against them before any harm is done.

“Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs,” the company notes.

“Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're quickly patched and rolled out to the ecosystem. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy.”

Windows in S mode coming to the rescue

The company says malicious drivers can be used by cybercriminals to elevate privileges in the Windows kernel.

It adds that the easiest way to remain protected is to switch to S mode, which is available to Windows users.

“Microsoft recommends enabling HVCI or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in audit mode and review the audit block events,” the company says.
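
One way to carry out the audit-mode review recommended above, as an added example that is not from the article or from Microsoft: the script checks whether HVCI is running and summarizes Code Integrity block events for kernel drivers. The 7-day window and the EventData field names (`File Name`, `Process Name`, `PolicyName`) are assumptions to adjust for your environment.

```powershell
# Added example: HVCI state plus a summary of driver block events.
# Run in an elevated PowerShell session on the device being validated.

# 1. Is HVCI (memory integrity) actually running?
#    In Win32_DeviceGuard, SecurityServicesRunning contains 2 when HVCI is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard
$hvciRunning = $dg.SecurityServicesRunning -contains 2
"HVCI running: $hvciRunning"

# 2. Collect Code Integrity events (the 7-day window is an assumption).
#    3076 = audit mode: the file would have been blocked under enforcement.
#    3077 = enforced mode: the file was blocked.
$filter = @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 3. Flatten each event's named EventData fields and keep kernel drivers (.sys).
#    Field names below are assumed; inspect one event's XML if they differ.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    if ($data['File Name'] -like '*.sys') {
        [pscustomobject]@{
            Mode    = if ($e.Id -eq 3076) { 'Audit' } else { 'Enforced' }
            Driver  = $data['File Name']
            Process = $data['Process Name']
            Policy  = $data['PolicyName']
        }
    }
}

# 4. One line per driver and mode, most frequent first. Any 'Audit' row is a
#    driver that would stop loading once the policy is enforced.
$rows | Group-Object Driver, Mode |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

An empty table after a representative period of normal use means no installed driver matched the policy; each `Audit` row is a driver to update or replace before moving to enforcement.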