Microsoft is working on improving the protection of current versions of Windows 10, Windows 11 and Windows Server 2016 and their successors against harmful drivers. For this purpose, Windows Defender Application Control (WDAC, only available in Enterprise editions), HVCI, and S mode will support a driver block list with which the execution of drivers can be controlled and, if necessary, prevented.
Drivers contaminated with malware can cause considerable damage to Windows systems, as they are executed in the kernel of the operating system with its rights. Microsoft therefore has strict requirements for code that runs in the Windows kernel. For example, independent hardware vendors (IHVs) and OEMs must work with Microsoft to have their drivers certified for Windows.
New Windows security feature
On the other hand, attackers repeatedly manage to infect drivers or use vulnerable drivers for attacks. In future, Microsoft will make it possible to block problematic drivers via a new security function in Windows. It has already been mentioned on various websites over the last few days, because Microsoft employee David Weston raised the topic on Twitter.
Windows now has a new feature called "Microsoft Vulnerable Driver Blocklist", shown in the screenshot above. If the feature is activated, Windows blocks all drivers that are known to have security issues or to be dangerous, based on internal blocking policies.
The new Vulnerable Driver Blocklist is designed to help protect systems against third-party developed drivers across the Windows ecosystem that have any of the following attributes:
- Known vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel
- Malicious behaviours (malware) or certificates used to sign malware
- Behaviours that are not malicious but bypass the Windows security model and can be exploited by attackers to elevate privileges in the Windows kernel
The problem, however, is that most Windows users never see the option to enable the feature, because the prerequisites are not met.
Prerequisites for driver blocking
For this purpose, Microsoft published the support article Microsoft recommended driver block rules on 30 March 2022, which contains some additional information. According to it, the driver block rules are only supported on the following Windows versions:
- Windows 10
- Windows 11
- Windows Server 2016 and later
The feature is part of Windows Defender Application Control (WDAC), which is only available under Windows Enterprise and Windows Server. The driver blocking policy can also be applied to the following device groups:
- Devices with Hypervisor Protected Code Integrity (HVCI) enabled
- Devices running Windows 10 in S mode
That sounds good, but it will only benefit systems from the business sector on which HVCI has been activated (or can be activated at all) or on which Windows Defender Application Control (WDAC) is available, or systems that run Windows 10 in S mode (probably not the case in the business environment). Microsoft recommends activating HVCI or S mode to protect devices from security threats.
At this point we come to one reason why Microsoft imposes very restrictive hardware requirements regarding the CPU in Windows 11. Only newer processors directly support mode-based execution control (MBEC), while older processors have to emulate it as restricted user mode, at a performance cost. In addition, HVCI requires at least 8 GB of RAM to be activated automatically – I had written something about this in my blog post Windows 11: Most hardware don't fulfill the minimum requirements, Microsoft reveals by-passing trick.
If it is not possible to use either of the above two modes, Microsoft recommends blocking the list of drivers within your existing Windows Defender Application Control policy. However, blocking drivers can cause devices or software to stop working, and in rare cases even cause blue screens. Administrators who want to use this functionality should therefore test extensively. For this purpose, WDAC offers an audit mode: the policy rules are deployed in audit mode first, and the drivers that would have been blocked are logged as events that can then be checked in the Event Viewer.
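As an added example (not from the original post or from Microsoft), the following PowerShell script checks the HVCI prerequisite described above and then summarises the Code Integrity audit-mode events that a WDAC driver block policy produces before it is switched to enforcement. It assumes an elevated session and that the event message contains the phrase "attempted to load <path> that did not meet", which is used to extract the file path.

```powershell
# Added example: verify HVCI state and review WDAC audit/block events for drivers.
# Assumptions: elevated PowerShell on Windows 10/11 or Server 2016+; CodeIntegrity
# operational log enabled (it is by default).

# 1. Is Hypervisor Protected Code Integrity actually running?
#    SecurityServicesRunning contains 2 when HVCI is active (1 = Credential Guard).
#    VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
[pscustomobject]@{
    VbsStatus   = $dg.VirtualizationBasedSecurityStatus
    HvciRunning = ($dg.SecurityServicesRunning -contains 2)
} | Format-List

# 2. Collect Code Integrity events from the last 7 days.
#    3076 = audit mode: file violated policy but was allowed to load.
#    3077 = enforced mode: file was blocked.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No WDAC audit/block events since $since."
    return
}

# 3. Group events by the file that triggered them, so a driver that would break a
#    device or application is identified while the policy is still in audit mode.
$events |
    ForEach-Object {
        # Assumption: the message text names the loaded file after "attempted to load".
        $file = if ($_.Message -match 'attempted to load (.+?) that did not meet') { $Matches[1] } else { '<unknown>' }
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; File = $file }
    } |
    Group-Object File |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Mode'; e = { if ($_.Group.Id -contains 3077) { 'enforced' } else { 'audit' } } },
        @{ n = 'LastSeen'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } } |
    Format-Table -AutoSize
```

Any file listed with mode "audit" is one the block rules would stop once the policy is enforced; check it against the recommended block list and the affected hardware before switching modes.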