8/18/2023

Systemguard runtime monitor

One of the things we spend a great deal of time thinking about here at Microsoft is how attackers will attempt to persist and evade detection once they've successfully compromised a device. With Windows 10 we've made it more difficult to find ways to exploit potential entry points, and it's clear that it's harder than it's ever been before. The ability for an attacker to persist and evade detection is a critical part of the tradecraft, and compromising the integrity of the platform and its defenses is the best way to get there. With Windows 7 we included a number of perimeter defenses that could be augmented with third-party solutions, but the reality is that all of those defenses could be rendered ineffective if the integrity of the platform itself is compromised. For this reason, creating the condition where the platform's integrity can be maintained and monitored is mission-critical.

Just a few weeks ago at Ignite we announced Windows Defender System Guard, which ships in Windows 10, version 1709, also known as the Fall Creators Update. It reorganizes the existing Windows 10 system integrity features under one roof and sets us up for the next set of investments that we will make in the future. With it we hope to create the condition that the integrity of the system can't be compromised, and if it is, you will know about it.

So, what security guarantees is Windows Defender System Guard designed to make? They include the ability to:

Protect and maintain the integrity of the system as it starts up.
Protect and maintain the integrity of the system after it's running.
Validate that system integrity has truly been maintained through local and remote attestation.

Maintaining the integrity of the system as it starts up

With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege. With Windows 10 running on modern hardware (i.e., Windows 8-certified or greater) we have a hardware-based root of trust that helps us ensure that no unauthorized firmware or software (e.g., a bootkit) can start before the Windows bootloader. This hardware-based root of trust comes from the device's Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI).

After successful verification and startup of the device's firmware and Windows bootloader, the next opportunity for attackers to tamper with the system's integrity is while the rest of the Windows operating system and defenses are starting. As an attacker, embedding your malicious code using a rootkit within the boot process enables you to gain the maximum level of privilege and gives you the ability to more easily persist and evade detection. This is where Windows Defender System Guard protection begins, with its ability to ensure that only properly signed and secure Windows files and drivers, including third-party ones, can start on the device. At the end of the Windows boot process, System Guard will start the system's antimalware solution, which scans all third-party drivers, at which point the system boot process is completed. In the end, Windows Defender System Guard helps ensure that the system securely boots with integrity and that it hasn't been compromised before the remainder of your system defenses start.

Maintaining integrity of the system after it's running (run time)

Prior to Windows 10, if an attacker exploited the system and gained SYSTEM-level privilege or they compromised the kernel itself, it was game over.
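The three guarantees listed above rest on layers a defender can query locally: UEFI Secure Boot for the boot chain, virtualization-based security and HVCI for run-time code integrity, and a ready TPM for measured-boot attestation. The following PowerShell script is an added example, not Microsoft's code or part of System Guard; it assumes Windows 10 version 1709 or later on UEFI hardware, an elevated session, and the documented meaning of the Win32_DeviceGuard status codes it maps (1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch).

```powershell
# Added example (not Microsoft's code): report the platform-integrity layers
# that Windows Defender System Guard relies on. Assumes Windows 10 1709+ on
# UEFI hardware and an elevated PowerShell session.

function Get-SystemGuardStatus {
    $result = [ordered]@{}

    # 1. Boot-time integrity: UEFI Secure Boot. The cmdlet throws on legacy BIOS.
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $result.SecureBootEnabled = $false
        $result.SecureBootNote = "Not a UEFI platform or query failed: $($_.Exception.Message)"
    }

    # 2. Run-time integrity: virtualization-based security and the services it hosts.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $result.VbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    # SecurityServicesRunning codes as documented for this class (assumption: mapping below);
    # codes not in the table are reported by number.
    $serviceNames = @{ 1 = 'CredentialGuard'; 2 = 'HVCI'; 3 = 'SystemGuardSecureLaunch' }
    $result.RunningServices = @($dg.SecurityServicesRunning | ForEach-Object {
        if ($serviceNames.ContainsKey([int]$_)) { $serviceNames[[int]$_] } else { "Service$_" }
    })
    $result.HvciRunning = ($dg.SecurityServicesRunning -contains 2)

    # 3. Attestation prerequisite: a ready TPM to hold and quote the measured-boot log.
    $tpm = Get-Tpm
    $result.TpmReady = [bool]$tpm.TpmReady

    [pscustomobject]$result
}

function Test-PlatformIntegrityBaseline {
    param([Parameter(Mandatory)] $Status)
    # Each finding is one layer from the post that is missing and worth alerting on.
    $findings = @()
    if (-not $Status.SecureBootEnabled) { $findings += 'Secure Boot is off: code can load before the Windows bootloader.' }
    if (-not $Status.VbsRunning)        { $findings += 'VBS is not running: kernel defenses are not hypervisor-isolated.' }
    if (-not $Status.HvciRunning)       { $findings += 'HVCI is not running: unsigned kernel code is not blocked at run time.' }
    if (-not $Status.TpmReady)          { $findings += 'TPM not ready: remote attestation of boot measurements is unavailable.' }
    $findings
}

$status = Get-SystemGuardStatus
$status | Format-List
Test-PlatformIntegrityBaseline -Status $status
```

An empty findings list means all four layers are present; feeding the object into an inventory or SIEM turns the check into a fleet-wide integrity baseline.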