
Posted

Can the most advanced BIOS virus block ESET antivirus?

  • Marcos changed the title to Can an advanced BIOS virus be blocked by ESET antivirus?
Posted
9 hours ago, Yusuf Alp said:

Can the most advanced BIOS virus block ESET antivirus?

ESET will be able to detect threats in the BIOS/UEFI, but won't be able to clean/remove them; a BIOS flash is necessary for that.

Posted
1 hour ago, Marcos said:

Since this is an English forum, we kindly ask you to write in English.

As for your question, ESET is one of the very few AV vendors that scan UEFI for threats.

https://www.eset.com/int/about/technology/


1 hour ago, Nightowl said:

ESET will be able to detect threats in the BIOS/UEFI, but won't be able to clean/remove them; a BIOS flash is necessary for that.

No, I'm not saying that. Even if my system is infected by a state-of-the-art BIOS virus, can this virus block ESET antivirus?

Posted

It can be done by flashing the BIOS image again from your motherboard manufacturer's website.

Neither ESET nor any other antivirus can make modifications in the BIOS.

Posted
1 minute ago, Nightowl said:

It can be done by flashing the BIOS image again from your motherboard manufacturer's website.

ESET or any other antivirus cannot make changes in the BIOS.

No, I'm not talking about that either. Can the most advanced BIOS virus block ESET antivirus?

Posted

Quote

The computer code that starts right after the computer is turned on and has the ultimate power over the computer’s operating system (and thus the whole machine) is called firmware. The standard – think of it as a set of rules – for how the firmware behaves is called UEFI (its predecessor was called BIOS). Firmware and UEFI are often linked together and called UEFI firmware.

A rootkit is a dangerous malware designed to gain “illegal” and persistent access to what is otherwise not allowed. Typically, a rootkit also masks its existence or the existence of other malware.


A UEFI rootkit is a rootkit that hides in firmware, and there are two reasons for this type of rootkit being extremely dangerous. First, UEFI rootkits are very persistent, able to survive a computer’s reboot, re-installation of the operating system and even hard disk replacement. Second, they are hard to detect because the firmware is not usually inspected for code integrity. ESET security solutions containing a dedicated layer of protection, ESET UEFI Scanner, are an exception.


Posted (edited)

I believe the OP's question is whether UEFI-based malware can disable/bypass anti-virus and other similar security solutions.

The answer is yes, but it requires that a vulnerability currently exists in the UEFI bootloader:

Quote

Eclypsium researchers found that three UEFI bootloaders that were approved by Microsoft had vulnerabilities that permitted bypassing the Secure Boot feature and executing unsigned code

In an advisory this week about the vulnerabilities, the Carnegie Mellon CERT Coordination Center warns that code executed in the early boot stages could “also evade common OS-based and EDR security defenses.”

However, note the following:

Quote

Attackers exploiting any of the three vulnerabilities require elevated permissions on the system, such as admin on Windows or root on Linux machines, which is far from difficult to achieve on both platforms.

Ref.: https://www.bleepingcomputer.com/news/security/microsoft-blocks-uefi-bootloaders-enabling-windows-secure-boot-bypass/

This also begs the question of the security status of devices where Win 10/11 Secure Boot feature is not enabled.

Edited by itman
Posted
1 minute ago, itman said:

I believe the OP's question is whether UEFI-based malware can disable or bypass anti-virus and other similar security solutions.

The answer is yes, but it requires that a vulnerability currently exists in the UEFI bootloader:

However, note the following:

Ref.: https://www.bleepingcomputer.com/news/security/microsoft-blocks-uefi-bootloaders-enable-windows-secure-boot-bypass/

I'm not asking him; can they bypass ESET antivirus even if it is infected with a security vulnerability?

Posted
35 minutes ago, Yusuf Alp said:

I'm not asking him; can they bypass ESET antivirus even if it is infected with a security vulnerability?

Impossible to determine at this point.

First, a real malware exploit would need to exist in-the-wild. Next, the exploit would have to specifically target Eset installations. Finally, the exploit would need to be captured to test with.

Posted (edited)

I will say this about the noted UEFI bootloader vulnerability. I wouldn't "lose any sleep over it."

First, it's a Secure Boot bypass and as previously noted, many don't have Secure Boot enabled for any number of reasons.

Eset and most major AV vendors employ the Win 10/11 ELAM driver. This driver loads prior to other Win kernel mode drivers but after all kernel mode device drivers have loaded. The ELAM driver allows AV vendors to examine any drivers that load after it for malware status. As long as the AV vendor has a sig. for the malicious driver, you're protected.

Now if a malicious kernel mode device driver got installed, you're, well... screwed.

Edited by itman
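The two controls itman relies on above, Secure Boot and the ELAM driver, can both be verified from the host. The following is an added example, not code from the thread or from any vendor; it assumes PowerShell 5.1 or later running as administrator on Windows 10/11 and reads only, it changes nothing.

```powershell
# Added example (not from the thread): read-only check of Secure Boot state, the
# registered ELAM driver(s) and the boot-start driver initialization policy.
# Assumes an elevated PowerShell 5.1+ session on Windows 10/11.

function Get-BootProtectionStatus {
    # 1. Secure Boot: Confirm-SecureBootUEFI returns $true/$false and throws on
    #    legacy BIOS/CSM systems, where Secure Boot cannot be enabled at all.
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }

    # 2. ELAM drivers register in the 'Early-Launch' load-order group, so every
    #    service whose Group value is Early-Launch is an ELAM driver
    #    (Defender's WdBoot, or the installed AV vendor's own ELAM driver).
    $elam = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.Group -eq 'Early-Launch' } |
        ForEach-Object {
            [pscustomobject]@{ Name = $_.PSChildName; ImagePath = $_.ImagePath }
        }

    # 3. "Boot-Start Driver Initialization Policy" (Group Policy) decides which
    #    ELAM classifications may still load: 0 = good only, 1 = good and
    #    unknown, 3 = good, unknown and bad-but-critical (Windows default when
    #    the value is absent), 7 = all drivers, i.e. the ELAM verdict is ignored.
    #    Registry path taken from the policy template; treated as an assumption.
    $policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
    $policy = (Get-ItemProperty $policyKey -Name DriverLoadPolicy `
               -ErrorAction SilentlyContinue).DriverLoadPolicy
    if ($null -eq $policy) { $policy = 3 }

    [pscustomobject]@{
        SecureBootEnabled = $secureBoot
        ElamDrivers       = $elam
        DriverLoadPolicy  = $policy
        # Findings a defender cares about, derived from the points in the thread.
        Findings = @(
            if (-not $secureBoot) { 'Secure Boot is off: bootloader-stage code is not verified' }
            if (-not $elam)       { 'No ELAM driver registered: boot-start drivers are not classified' }
            if ($policy -eq 7)    { 'DriverLoadPolicy=7: drivers ELAM flags as bad still load' }
        )
    }
}

Get-BootProtectionStatus | Format-List
```

An empty Findings list means Secure Boot is on, at least one ELAM driver is registered and the load policy still honours ELAM verdicts; it says nothing about the firmware image itself, which only a UEFI scanner or a reflash from the vendor addresses.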
  • 2 weeks later...
Posted
2 hours ago, rotaru said:

It seems like Windows Defender ATP is doing it since 2020

Note the following:

Quote

Windows Defender System Guard helps defend against firmware attacks by providing guarantees for secure boot through hardware-backed security features like hypervisor-level attestation and Secure Launch, also known as Dynamic Root of Trust (DRTM), which are enabled by default in Secured-core PCs. The new UEFI scan engine in Microsoft Defender ATP expands on these protections by making firmware scanning broadly available.

The key phrase above is "Secured-core PCs." Think motherboards that include the Intel vPro chipset.

Posted
10 hours ago, itman said:

The new UEFI scan engine in Microsoft Defender ATP expands on these protections by making firmware scanning broadly available.

I see it differently: the new UEFI scan engine... expands on these protections... making them broadly available.

Posted

It scans the firmware, but still cannot make any modifications or do any sort of cleaning.

To have a clean UEFI/BIOS, you need to flash one again from the manufacturer's website; otherwise it cannot be touched by any AV, not Microsoft's, not ESET's and not Kaspersky's.
