Microsoft launches service for reporting malicious drivers
Microsoft has launched a special portal through which users and information security researchers can report malicious and suspicious drivers.
The new Vulnerable and Malicious Driver Reporting Center is essentially a web form that allows users to upload a copy of a suspicious driver, which will then be analysed by Microsoft’s automated scanner.
In recent years, malicious drivers have been increasingly used by major APTs and other cybercriminals. Most often, cybercriminals abuse vulnerabilities in old and unpatched drivers, or even deliberately downgrade and install older drivers into the system (for example, to gain administrator rights on a compromised host).
The company says its automatic scanner can detect methods commonly abused by malicious drivers, including:
- drivers that can map arbitrary areas of kernel memory, physical memory and device memory into user mode;
- drivers that can read or write arbitrary kernel memory, physical memory, or device memory from user mode, including I/O and CPU ports;
- drivers that provide access to device storage, bypassing Windows access control.
If the scan is successful, the driver will be referred to a Microsoft technician for closer examination.
The new service is reported to be capable of analyzing drivers for both 32-bit and 64-bit architectures, and Microsoft is urging users to report any drivers they believe may contain malicious code or be vulnerable.
Based on the results of the checks, malicious drivers will be blacklisted, and the developers will be informed about the vulnerable drivers.
Let me remind you that I also wrote that Microsoft Defender for Endpoint and Kaspersky doesn’t start after Windows update.