Can an advanced BIOS virus be blocked by ESET antivirus?

[Yusuf Alp 0]

En gelişmiş BİOS virüsü ESET antivirüsünü bloklayabilir mi?

[Marcos 4,356]

Since this is an English forum we kindly ask you to post in English.

As to your question, ESET is one of very few AV vendors to scan UEFI for threats.

https://www.eset.com/int/about/technology/

[Nightowl 164]

9 hours ago, Yusuf Alp said:

En gelişmiş BİOS virüsü ESET antivirüsünü bloklayabilir mi?

ESET will be able to detect threats in the BIOS/UEFI , but won't be able to clean them / remove them , a BIOS flash is necessary for that.

[Yusuf Alp 0]

1 hour ago, Marcos said:

Burası İngilizce bir forum olduğu için İngilizce yazmanızı rica ediyoruz.

Sorunuza gelince, ESET, UEFI'yi tehditlere karşı tarayan çok az AV satıcısından biridir.

https://www.eset.com/int/about/technology/

 

1 hour ago, Nightowl said:

ESET, BIOS/UEFI'deki tehditleri algılayabilecek, ancak bunları temizleyemeyecek/kaldıramayacak, bunun için bir BIOS flaşı gereklidir.

No, I'm not saying that. even if my system is infected by a state-of-the-art BIOS virus. Can this virus block ESET antivirus?

[Nightowl 164]

It can be done by flashing BIOS image again from your motherboard manufacturer website

ESET nor any other Antivirus cannot make modifications in the BIOS.

[Yusuf Alp 0]

1 minute ago, Nightowl said:

Anakart üreticinizin web sitesinden BIOS görüntüsünü tekrar yanıp sönerek yapılabilir.

ESET veya başka bir Antivirus, BIOS'ta değişiklik yapamaz.

No, I'm not talking about that either. Can the most advanced BIOS virus Block ESET Antivirus

[Nightowl 164]

 

Quote

 

The computer code that starts right after the computer is turned on and has the ultimate power over the computer’s operating system (and thus the whole machine) is called firmware. The standard – think of it as a set of rules – for how the firmware behaves is called UEFI (its predecessor was called BIOS). Firmware and UEFI are often linked together and called UEFI firmware.

A rootkit is a dangerous malware designed to gain “illegal” and persistent access to what is otherwise not allowed. Typically, a rootkit also masks its existence or the existence of other malware.

 

A UEFI rootkit is a rootkit that hides in firmware, and there are two reasons for this type of rootkit being extremely dangerous. First, UEFI rootkits are very persistent, able to survive a computer’s reboot, re-installation of the operating system and even hard disk replacement. Second, they are hard to detect because the firmware is not usually inspected for code integrity. ESET security solutions containing a dedicated layer of protection, ESET UEFI Scanner, are an exception.

 

https://www.eset.com/int/uefi-rootkit-cyber-attack-discovered/

Read here more about it.

[itman 1,435]

I believe the OP's question is if UEFI base malware can disable/bypass anti-virus and other like security solutions.

The answer is yes but it requires that a vulnerable currently exists in the UEFI bootloader:

Quote

Eclypsium researchers found that three UEFI bootloaders that were approved by Microsoft had vulnerabilities that permitted bypassing the Secure Boot feature and executing unsigned code

In an advisory this week about the vulnerabilities, the Carnegie Mellon CERT Coordination Center warns that code executed in the early boot stages could “also evade common OS-based and EDR security defenses.”

However, note the following:

Quote

Attackers exploiting any of the three vulnerabilities require elevated permissions on the system, such as admin on Windows or root on Linux machines, which is far from difficult to achieve on both platforms.  

Ref.: https://www.bleepingcomputer.com/news/security/microsoft-blocks-uefi-bootloaders-enabling-windows-secure-boot-bypass/

This also begs the question of the security status of devices where Win 10/11 Secure Boot feature is not enabled.

Edited September 7 by itman

[Yusuf Alp 0]

1 minute ago, itman said:

OP'nin sorusunun, UEFI tabanlı kötü amaçlı yazılımın anti-virüs ve diğer benzeri güvenlik çözümlerini devre dışı bırakıp atlayamayacağına inanıyorum.

Cevap evet, ancak UEFI önyükleyicisinde şu anda bir güvenlik açığının bulunmasını gerektiriyor:

Ancak aşağıdakilere dikkat edin:

Referans: https://www.bleepingcomputer.com/news/security/microsoft-blocks-uefi-bootloaders-enable-windows-secure-boot-bypass/

I'm not asking him, can they bypass ESET antivirus even if it is infected with a security vulnerability?

[itman 1,435]

35 minutes ago, Yusuf Alp said:

I'm not asking him, can they bypass ESET antivirus even if it is infected with a security vulnerability?

Impossible to determine at this point.

First, a real malware exploit would need to exist in-the-wild. Next, the exploit would have to specifically target Eset installations. Finally, the exploit would need to be captured to test with.

[itman 1,435]

I will say this about the noted UEFI bootloader vulnerability. I wouldn't "lose any sleep over it."

First, it's a Secure Boot bypass and as previously noted, many don't have Secure Boot enabled for any number of reasons.

Eset and most major AV vendors employ the Win 10/11 ELAM driver. This driver loads prior to other Win kernel mode drivers but after all kernel mode device drivers have loaded. The ELAM driver allows AV vendors to examine any drivers that load after it for malware status. As long as the AV vendor has a sig. for the malicious driver, you're protected.

Now if a malicious kernel mode device driver got installed, you're well ............. screwed.

Edited September 7 by itman

[rotaru 8]

On 9/7/2022 at 3:02 AM, Marcos said:

As to your question, ESET is one of very few AV vendors to scan UEFI for threats.

It seems like Windows Defender ATP is doing it since 2020

UEFI scanner brings Microsoft Defender ATP protection to a new level - Microsoft Security Blog

[peteyt 314]

37 minutes ago, rotaru said:

It seems like Windows Defender ATP is doing it since 2020

UEFI scanner brings Microsoft Defender ATP protection to a new level - Microsoft Security Blog

I think that may be the the business version

[itman 1,435]

2 hours ago, rotaru said:

It seems like Windows Defender ATP is doing it since 2020

Note the following:

Quote

Windows Defender System Guard helps defend against firmware attacks by providing guarantees for secure boot through hardware-backed security features like hypervisor-level attestation and Secure Launch, also known as Dynamic Root of Trust (DRTM), which are enabled by default in Secured-core PCs. The new UEFI scan engine in Microsoft Defender ATP expands on these protections by making firmware scanning broadly available.

The key phrase above is "Secure-core PC's." Think motherboards that include Intel vPro chipset.

[rotaru 8]

10 hours ago, itman said:

The new UEFI scan engine in Microsoft Defender ATP expands on these protections by making firmware scanning broadly available.

I see it differently; the new UEFI scan engine....expands on these protections ...making broadly available

[Nightowl 164]

It scans the firmware , but yet cannot make any modifications or some sort of cleaning

To have a clean UEFI/BIOS , you need to flash one again from manufacturer website , otherwise it cannot be touched by any AV, not Microsoft's and not ESET's and not Kaspersky's