How Microsoft blocks vulnerable and malicious drivers in Defender, third-party security tools and in Windows 11

Device drivers have so many privileges in Windows that, if compromised, they can be used as a way to attack the system and even turn off anti-malware software. Recent malware attacks like RobbinHood, Uroburos, Derusbi, GrayFish and Sauron have used driver vulnerabilities to get into systems. Now Windows 11 has more protections against that.

SEE: Software Installation Policy (TechRepublic)

While there are some malicious drivers that are deliberately crafted to compromise PCs, the most problems come from a small number of legitimate drivers with accidental flaws in, said David Weston, VP of Enterprise and OS Security at Microsoft.

“What we see far more often than malicious drivers is just vulnerable drivers. Say this printer driver has been around since 2006, it has a buffer overflow in it: Attackers who have admin level access bring it with them on attacks and load it as a way to get an interface or API into the kernel. They take a driver that’s trusted, that’s going to get past any trusted list, load it up and then use it to knock off the antivirus on the machine.”

Widening what’s blocked

Microsoft automatically blocks the small subset of drivers that are known to have problems and that are frequently exploited like this on any PC that has either S Mode or the Hypervisor-Protected Code Integrity (HVCI) virtualisation-based security feature turned on.

As well as drivers known to have been used by malware, there are also what Weston calls vulnerable drivers, which you can now choose whether to block.

“The Malicious Driver Block List is the highest level of risk. We’ve seen this get used by malware in the wild; there’s no question at all about whether this needs to be blocked. Then there’s the Vulnerable Driver Block List. Think about this as going up the funnel: we know these are vulnerable [to attack], we haven’t necessarily seen them used specifically to hack people, but they could so we’re going to block it. Now, you might conceivably have a device that needs them, and that’s why we make it optional. We don’t want to inhibit your experience or make you make the decision about functionality versus security, so we just recommend it.”

Why doesn’t Microsoft just revoke the compromised drivers so they can’t run on Windows at all? Revocation takes time and sometimes negotiation. “The Malicious Driver Block List is our way to curate that in a way that is much faster and less impactful than revocation,” Weston explained. “Think about some of the driver cases recently where a certificate leaked from a giant vendor. If we revoke that, everyone’s devices may stop working. We need more of a precision mechanism to do blocking while we work towards the longer approach of revocation. The Vulnerable Driver Block List allows the user to do that with a very precise list that Microsoft has validated. We look at things like how many devices would stop working? Have we worked with a vendor to have a fix? We think the list is a good balance for folks who want security, but also want the confidence that Microsoft has done the telemetry and analysis.”

HVCI and the Microsoft Vulnerable Driver Blocklist are among the hardware security options that are now on by default on many Windows 11 PCs — and this is one of the reasons for the stricter system requirements for Windows 11. But they’re also available in previous releases of Windows and for Windows Server 2016 and later. Windows Defender Application Control, which lets you create policies for what applications and drivers can run on a PC, is no longer restricted to just the Enterprise  version of Windows. (WDAC doesn’t need HVCI to run, but using HVCI to protect WDAC makes it harder for an attacker to turn those protections off.)

In the next Windows 11 release, HVCI will be enabled by default on a broader set of devices running Windows 11 and that turns on the blocklist. When Windows 11 first came out, it only turned on HCVI for the latest AMD and 12th generation Intel processors; now any processor with the right hardware security built in will have HVCI turned on, including 8th generation processors.

You can also turn the blocklist on yourself in the Core isolate section of the Windows Security App–and the same slider lets you turn it off if one of your devices stops working (although you’ll want to work on replacing any or updating devices that need these vulnerable drivers to avoid long-term risk).

Organizations that want a more aggressive block list than Microsoft’s measured approach can add their own drivers to the list using the WDAC Policy Wizard.

Weston views the new list as “widening the dragnet of what we block, and making it easy.” In the past, IT admins could get the list of drivers from MSDN or TechNet, copy it into an XML file and deploy it; now it’s built in and increasingly, applied by default.

Building on block lists

The Device Health Attestation API in Windows is a way for not just Microsoft security tools but third-party options like AirWatch and Mobile Iron to protect the security agent running on the system from the kind of tampering malicious drivers permit attackers to do. The new Azure Attestation service expands that so developers using Azure can set policy to manage application deployments based on the state of components on the PC, without needing to use an MDM service like Intune.

“If you have a containerized app, and you want to say, ‘Hey, before my containerized app deploys, I want to know things about this system,’ you can do that,” Weston explains. That could be integration with Azure AD or an Open ID Connect identity provider, or it could be looking at what the code integrity polices on the device are. “You can say I want this specific allow list or I want this specific block list and if it isn’t there, I don’t want my app to run.”

That could let you check the state of a PC before allowing, say, remote access software to be used. Or it could allow a game studio to set anti-cheat policies, he suggested. “They could say I’m going to use the Azure Attestation service to make sure the block list that blocks all the cheat drivers is on the machine. You could build a very lightweight and high-security anti cheat by saying, I’m going to configure an HVCI policy that’s going to be enforced by the hypervisor and before my game starts, I want to make darn sure that policy loaded on the system.”

Look for more sample code and guidance for how to use that soon, as well as simpler integration with third-party identity providers.

Cleaner systems need clean installs

Turning on HVCI and WDAC (or deploying new devices that have those features on by default), is where Weston suggests starting. But since any blocklist is by definition incomplete, the long-term solution is to invert the approach and allow only known safe software. “We know the way to stop malware is not to [play] whack-a-mole. It is to reduce the number of things that can run on your device to just what you need.”

That’s the theory behind the smart app control feature coming in the next release of Windows 11 as an extension of WDAC that brings the core value of Windows 10 S Mode (“tens of millions of users and no widespread malware”) to a much broader user base. This restricts users to only signed apps, running an Azure code signing service that makes signing code affordable and immediately revoking any signing certificates used for malware through the Defender service, with exemptions that allow users to install unsigned apps that have already been used by enough other people to get a reputation as safe.

Like HVCI, the driver blocklists and the other security features that are on by default in Windows 11, smart app control will only be on by default if you buy a new PC with Windows 11 or do a clean install.

“We need to be able to run the driver profiler and make sure we don’t block one of your boot drivers which would be bad; we need to run sysprep,” Weston explained. Expect Microsoft to start being more explicit about that in future, to make sure people are getting the protections built into Windows 11.