Microsoft Defender has received a new feature called “Microsoft Vulnerable Driver Blocklist”and as its name suggests, it is designed to block drivers that may be malicious, or that may contain vulnerabilities that serve as a gateway to different types of attacks.
The vice president of enterprise and operating system security at Microsoft, David Weston, was the one who wanted to highlight this new feature of Microsoft Defender, and commented that will help protect any Windows-based device in a much more effective and realistic way.
According to the Redmond giant, the Microsoft Defender Vulnerable Driver Blocklist is designed to help harden systems against drivers developed by third parties across the Windows ecosystem that may fit any of the following attributes:
- Known security vulnerabilities that attackers can exploit to elevate privileges in the Windows kernel.
- Malicious behavior (malware) or certificates used to sign malware.
- Behavior that is not malicious but circumvents the Windows security model and can be exploited by attackers to elevate privileges in the Windows kernel.
Microsoft has said that it identifies these potentially dangerous drivers working with your partners, and which adds them to its “ecosystem lockdown policy.” These are then applied to Hypervisor Protected Code Integrity (HVCI) enabled devices or those with S mode. The feature is available in Windows 11, 10 and Server 2016 and above.
Of course, Microsoft has compelling reasons to target, and be on high alert, with malicious drivers, since on more than one occasion it has been discovered that drivers that had been signed and validated for Windows they had been compromised, and posed a risk to users. Now Microsoft Defender has stood up to them.
