Windows users can now block compromised drivers, using Windows Defender Application Control (WDAC) and a list of known vulnerable drivers.
According to a BleepingComputer report, the new option is part of the Core Isolation set of security features, designed for endpoints with virtualization-based security.
Windows 10, Windows 11, and Windows Server 2016 and newer will all benefit from the new offering. Hypervisor-protected code integrity (HVCI) needs to be enabled, while Windows 10 systems need to be in S mode, it was added.
We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.
Looking for known malicious activities
To be accepted, the drivers need to be trusted, and not end up on the vulnerable driver blocklist. This blocklist will be kept up to date by independent hardware vendors and original equipment manufacturers.
Developers can also submit their drivers for analysis via the Microsoft Security Intelligence Driver Submission page.
The new feature will look for known vulnerabilities that result in escalation of privileges, as well as behavior that tries to circumvent the Windows Security Model.
The drivers that end up on the blocklist will be banned based on their SHA256 hash, file names, version numbers, as well as the certificate used to sign the code. And users can toggle the Microsoft Vulnerable Driver Blocklist from Windows Security > Device Security > Core isolation.
However, the move also means some legitimate software might not work.
"Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen," Microsoft said. "It's recommended to first validate this policy in audit mode and review the audit block events."
“Microsoft recommends enabling HVCI or S mode to protect your devices against security threats,” the advisory concludes. “If this isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy.”
Supply chain attacks are a common occurrence these days. Threat actors often use software updates to distribute potent viruses, such as in the case of SolarWinds. Driver updates could potentially be used for the same purpose.
- Check out the best ransomware protection software right now
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.