Windows users can now block compromised drivers, using Windows Defender Application Control (WDAC) and a list of known vulnerable drivers.
According to a BleepingComputer report, the new option is part of the Core Isolation set of security features, designed for endpoints with virtualization-based security.
Windows 10, Windows 11, and Windows Server 2016 and newer will all benefit from the new offering. Hypervisor-protected code integrity (HVCI) needs to be enabled, and Windows 10 systems need to be in S mode, the report added.
Looking for known malicious activities
To be accepted, the drivers need to be trusted, and not end up on the vulnerable driver blocklist. This blocklist will be kept up to date by independent hardware vendors and original equipment manufacturers.
Developers can also submit their drivers for analysis via the Microsoft Security Intelligence Driver Submission page.
The new feature will look for known vulnerabilities that result in escalation of privileges, as well as behavior that tries to circumvent the Windows Security Model.
The drivers that end up on the blocklist will be banned based on their SHA256 hash, file names, version numbers, as well as the certificate used to sign the code. And users can toggle the Microsoft Vulnerable Driver Blocklist from Windows Security > Device Security > Core isolation.
However, the move also means some legitimate software might not work.
"Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen," Microsoft said. "It's recommended to first validate this policy in audit mode and review the audit block events."
“Microsoft recommends enabling HVCI or S mode to protect your devices against security threats,” the advisory concludes. “If this isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy.”
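Microsoft's guidance above is to confirm HVCI is on and to review audit-mode block events before enforcing. The following PowerShell, added here as an example and not taken from the article or from Microsoft's documentation, does both from an elevated prompt on the endpoint; it relies on the standard DeviceGuard WMI class and on the Code Integrity operational log, where event 3076 records an audit-mode "would have blocked" and 3077 an enforced block.

```powershell
# Added example: check HVCI status and list WDAC/Code Integrity block events.
# Run in an elevated PowerShell session on the endpoint being validated.

# 1. HVCI status. In Win32_DeviceGuard, the value 2 in SecurityServicesRunning
#    means hypervisor-protected code integrity is currently running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard'
$hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
"HVCI running: $hvciRunning"

# 2. Code Integrity events. 3076 = audit mode (would have been blocked),
#    3077 = enforced block. Review 3076 entries before switching to enforcement.
$filter = @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076, 3077
}
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue

if (-not $events) {
    "No Code Integrity block or audit events found."
} else {
    $events |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated,
                      @{ n = 'Mode';    e = { if ($_.Id -eq 3076) { 'audit' } else { 'enforced' } } },
                      @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize -Wrap
}
```

Any driver that appears only in 3076 events is one the blocklist would stop once enforced, so that list is what to reconcile with the device's legitimate hardware before flipping the toggle.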
Supply chain attacks are a common occurrence these days. Threat actors often use software updates to distribute potent viruses, such as in the case of SolarWinds. Driver updates could potentially be used for the same purpose.
Via BleepingComputer