UEFI scanner brings Microsoft Defender ATP protection to a new level
Let's face it: the UEFI in your BIOS is a little operating system on its own, completely unprotected. Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is extending its protection capabilities to the firmware level with a new Unified Extensible Firmware Interface (UEFI) scanner.
The Unified Extensible Firmware Interface (UEFI) is a replacement for the legacy BIOS. If the chipset is configured correctly (both the UEFI settings and the chipset configuration itself) and Secure Boot is enabled, the firmware is reasonably secure. To perform a hardware-based attack, attackers exploit vulnerable firmware or a misconfigured machine to deploy a rootkit, which gives them a foothold on the machine.
Hardware and firmware-level attacks have continued to rise in recent years, as modern security solutions made persistence and detection evasion on the operating system more difficult. Attackers compromise the boot flow to achieve low-level malware behavior that’s hard to detect, posing a significant risk to an organization’s security posture.
Windows Defender System Guard helps defend against firmware attacks by providing guarantees for secure boot through hardware-backed security features like hypervisor-level attestation and Secure Launch, also known as Dynamic Root of Trust (DRTM), which are enabled by default in Secured-core PCs. The new UEFI scan engine in Microsoft Defender ATP expands on these protections by making firmware scanning broadly available.
The UEFI scanner is a new component of the built-in antivirus solution on Windows 10 and gives Microsoft Defender ATP the unique ability to scan inside the firmware file system and perform a security assessment. It integrates insights from our partner chipset manufacturers and further expands the comprehensive endpoint protection provided by Microsoft Defender ATP.
The new UEFI scanner reads the firmware file system at runtime by interacting with the motherboard chipset. To detect threats, it performs dynamic analysis using multiple new solution components that include:
- UEFI anti-rootkit, which reaches the firmware through Serial Peripheral Interface (SPI)
- Full filesystem scanner, which analyzes content inside the firmware
- Detection engine, which identifies exploits and malicious behaviors
Firmware scanning is triggered by runtime events such as a suspicious driver load, and also runs as part of periodic system scans. Detections are reported in Windows Security, under Protection history.
Microsoft Defender ATP customers will also see these detections raised as alerts in Microsoft Defender Security Center, empowering security operations teams to investigate and respond to firmware attacks and suspicious activities at the firmware level in their environments.
To detect unknown threats in SPI flash, signals from the UEFI scanner are analyzed to identify anomalies and where they have been executed. Anomalies are reported to the Microsoft Defender Security Center for investigation. Thanks, Watcher for the news submit.
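The component list above describes a scanner that walks the firmware file system and assesses what it finds. As an added illustration, not code from the article or from Microsoft Defender, the Python below parses a UEFI FFS2 firmware volume (the on-flash format the filesystem scanner has to read) and reports modules that are unknown, modified or missing relative to a vendor hash baseline, or whose FFS file header fails its checksum. The volume builder, the file GUIDs 1..3 and the baseline are constructed fixtures, and the volume-level 16-bit checksum is not computed or verified.

```python
import hashlib
import struct
import uuid
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FV_HDR = struct.Struct("<16s16sQ4sIHHHBB")  # EFI_FIRMWARE_VOLUME_HEADER, 56 bytes before the block map
FFS_HDR = struct.Struct("<16sBBBB3sB")      # EFI_FFS_FILE_HEADER: name, checksums, type, attrs, size24, state
DXE_DRIVER = 0x07                           # EFI_FV_FILETYPE_DRIVER

def build_fv(files):  # minimal FFS2 firmware volume from (guid, type, payload) tuples; a test fixture only
    body = b""
    for guid, ftype, payload in files:
        size = FFS_HDR.size + len(payload)
        h = bytearray(FFS_HDR.pack(guid.bytes_le, 0, 0xAA, ftype, 0, size.to_bytes(3, "little"), 0xF8))
        h[16] = -(sum(h[:16]) + sum(h[18:23])) & 0xFF  # 8-bit header checksum; File checksum and State count as 0
        body += bytes(h) + payload + b"\xff" * (-(len(body) + size) % 8)  # 8-byte aligned; gaps are erased flash
    hdr_len = FV_HDR.size + 16  # one block-map entry plus its zero terminator
    hdr = FV_HDR.pack(b"\0" * 16, FFS2_GUID.bytes_le, hdr_len + len(body), b"_FVH", 0, hdr_len, 0, 0, 0, 2)
    return hdr + struct.pack("<IIII", 1, hdr_len + len(body), 0, 0) + body  # volume-level checksum left at 0

def parse_fv(blob):  # walk the firmware file system; one (guid, type, payload, header_checksum_ok) per file
    _, fs_guid, fv_len, sig, _, hdr_len, _, _, _, _ = FV_HDR.unpack_from(blob, 0)
    if sig != b"_FVH" or uuid.UUID(bytes_le=fs_guid) != FFS2_GUID:
        raise ValueError("not an FFS2 firmware volume")
    files, off = [], hdr_len
    while off + FFS_HDR.size <= fv_len:
        h = blob[off:off + FFS_HDR.size]
        size = int.from_bytes(h[20:23], "little")
        if h[:16] == b"\xff" * 16 or size < FFS_HDR.size:  # erased flash, or a bogus size: stop walking
            break
        hdr_ok = (sum(h[:17]) + sum(h[18:23])) & 0xFF == 0  # 8-bit header checksum as the FFS spec defines it
        files.append((uuid.UUID(bytes_le=h[:16]), h[18], blob[off + FFS_HDR.size:off + size], hdr_ok))
        off = (off + size + 7) & ~7
    return files

def assess(blob, baseline):  # what a scanner would flag against a vendor SHA-256 baseline keyed by file GUID
    findings, seen = [], set()
    for guid, _, payload, hdr_ok in parse_fv(blob):
        seen.add(str(guid))
        if not hdr_ok:
            findings.append((str(guid), "corrupt-header"))
        elif baseline.get(str(guid)) != hashlib.sha256(payload).hexdigest():
            findings.append((str(guid), "modified-module" if str(guid) in baseline else "unknown-module"))
    return findings + [(g, "missing-module") for g in sorted(baseline) if g not in seen]

# Constructed sample: two "vendor" drivers form the baseline; the image under test carries an extra module.
GOOD = [(uuid.UUID(int=1), DXE_DRIVER, b"vendor driver A"), (uuid.UUID(int=2), DXE_DRIVER, b"vendor driver B")]
BASELINE = {str(g): hashlib.sha256(p).hexdigest() for g, _, p in GOOD}
TAMPERED = build_fv(GOOD + [(uuid.UUID(int=3), DXE_DRIVER, b"not in the baseline")])
```

Calling `assess(TAMPERED, BASELINE)` reports the third GUID as an unknown module; a real scanner would additionally read the image over SPI and carry a much larger baseline, but the walk-and-compare step is the same.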
Senior Member
Posts: 6073
Joined: 2011-01-02
When Windows Update fails, it will bring your hardware with it

Senior Member
Posts: 8187
Joined: 2010-11-16
Senior Member
Posts: 12621
Joined: 2013-01-17
16-bit code, 1 MB memory space to execute, bootable drives only lower than 2.1 TB.
Now we have 64-bit code both in UEFI BIOS and in OS, we have UEFI shell (not used that widely but I am sure some do use it), we have unified BIOS modules (hence the UBU Tool), we have USB upgrades plus upgrades right in BIOS from NTFS partitions.
Senior Member
Posts: 108
Joined: 2019-06-08
I like the idea behind this. But not if Microsoft is implementing it. They can barely get normal bog standard updates working each month. If someone like BitDefender, ESET, or Kaspersky integrated this into their software suites I would feel far more at ease with it. I personally do not use secure boot as I want the option of hitting DEL during startup and getting into the BIOS to do whatever I need to do, and if something goes wrong in the OS it makes it infinitely easier to correct it. The whole idea of having to load into Windows to then reboot and get into the BIOS is just ludicrous to me. I rarely ever turn on UEFI as I just do not trust the man behind the curtain (yes, all modern boards are fully UEFI under the hood, but it tones down what it can get its grubby little hands into); the real world difference between a legacy boot and a UEFI boot on modern SSD machines is about 5-6 seconds, fine by me. Once you are in Windows you cannot tell the difference between legacy and UEFI anyway as it switches over to side-channel addressing to the BIOS anyway. I take that reduction in security at face value. I personally use BitDefender on all of my internet facing devices as it works best for me and what I do. I would be interested to see this added to their security suites.
Senior Member
Posts: 1220
Joined: 2010-05-12
Remind me, why did we need UEFI? What was wrong with old BIOS + USB upgrades only?
Apart from this, I really do not know if I like the idea of Windows, with its history of bugs and security flaws, having access to my firmware.
I would love the idea that while I go near the metal, the upper layer of software is hosted but cannot really touch or look at anything apart from what the UEFI wants to expose.
Similarly, applications cannot really delete system files and code in the browser cannot really delete applications.