
Need help to scan UEFI


Solved by itman


Hi, I recently assembled my own PC using a supposedly brand new motherboard but one that doesn't come sealed in any way when delivered. So I got worried and came across Eset as one of the few AVs that can scan UEFI or BIOS for viruses/malware. But I'm having some trouble using the scan. It seems to be unable to scan the BIOS/UEFI files as it can't open the necessary files for scanning. I read some other posts in this forum regarding the "unable to open" log messages but the answers given were not clear to me as a non techie person.

I tried scanning the UEFI through "Custom Scan" -> "Boot sectors/UEFI" and ran the scan as Administrator. Below is the resulting log:

 

Scan Log
Version of detection engine: 26208 (20221105)
Date: 6/11/2022  Time: 5:09:28 pm
Scanned disks, folders and files: Boot sectors/UEFI
\Device\HarddiskVolume1\EFI\Microsoft\Boot\BCD - unable to open [4]
\Device\HarddiskVolume1\EFI\Microsoft\Boot\BCD.LOG - unable to open [4]
Number of scanned objects: 141
Number of detections: 0
Time of completion: 5:09:28 pm  Total scanning time: 0 sec (00:00:00)

Notes:
[4] Object cannot be opened. It may be in use by another application or operating system.
 

My questions are the following:

-are the files listed in the log as unopenable supposed to be unopenable or am I using the scan wrong?

-If the scan is unable to open those files detailed in above log does it mean that my BIOS/UEFI is clean?

-If the scan is able to open those unopenable files above does it mean that my BIOS/UEFI is compromised in some way?

-according to the following link Eset will be able to scan those unopenable files during startup and shut down but I can't find the logs of those scans happening during startup or shutdown. Why? (link: https://support.eset.com/en/kb2155-error-notifications-in-computer-scan-log)


Marcos (Administrator):

This is normal on every computer:

image.png

Even if you scan files or other objects as an administrator, not all of them can be accessed, e.g. because the OS is exclusively using them. If they are locked for an antivirus, they are locked also for malware.


Thank you for posting. But the answer you have given is similar to other threads but the meaning or implication of the answer is not clear to me that's why I started this new post. When you said "If they are locked for an antivirus, they are locked also for malware" can I then safely conclude based on that statement and my log above that my BIOS/UEFI is clean?

Edited by Ueseter
Clarity

peteyt (Most Valued Member):
37 minutes ago, Ueseter said:

Thank you for posting. But the answer you have given is similar to other threads but the meaning or implication of the answer is not clear to me that's why I started this new post. When you said "If they are locked for an antivirus, they are locked also for malware" can I then safely conclude based on that statement and my log above that my BIOS/UEFI is clean?

A lot of files are locked, so they won't scan. As Marcos shows in the screenshot, the BCD logs are always locked.

If you want to be extra safe, flash the BIOS. One issue is that even if an AV found a virus in the BIOS/UEFI, it can't remove it; you would still need to flash.


This article shows two ways the BCD can be modified by malware: https://blog.nviso.eu/2022/05/30/detecting-bcd-changes-to-inhibit-system-recovery/ .

Here's an example of a UEFI bootkit: https://duo.com/decipher/new-especter-uefi-bootkit-discovered. Here's Eset's detailed analysis of the bootkit: https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/ . At the end of the article are IOCs for the bootkit along with Eset's detections of its various components.

Bottom line here is Eset will detect known UEFI malware at system startup time. I wouldn't be concerned about Eset not being able to scan the BCD via an off-line scan.

Edited by itman

3 hours ago, peteyt said:

A lot of files are locked, so they won't scan. As Marcos shows in the screenshot, the BCD logs are always locked.

If you want to be extra safe, flash the BIOS. One issue is that even if an AV found a virus in the BIOS/UEFI, it can't remove it; you would still need to flash.

I did update the BIOS firmware, but since I have no CD-ROM drive or USB stick with write protection, I loaded a USB stick with the most up-to-date BIOS file and set it to read-only. I also checked the SHA256 hash of the BIOS file on the USB stick before and after I updated the BIOS to make sure the BIOS file remained unchanged. But stupidly the SSD was connected to the motherboard during the BIOS update, though the SSD was brand new. Do you think that could wipe any BIOS viruses? I had to improvise lol

I'd rather not take apart my newly assembled PC. I'm happy enough nothing short circuited on my first attempt.

Edited by Ueseter
clarity
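The hash check described in the post above, as an added example that is not code from this thread, from ESET or from any motherboard vendor. It streams a firmware image through SHA-256 and compares the result with a vendor-published digest; comparing a copy before and after use only shows the copy did not change, while comparing against the published digest also shows the copy is what the vendor shipped. The file names, the sample bytes and the "published" digest are all constructed here so the script runs offline; on a real machine the expected value is pasted from the vendor's download page.

```python
"""Verify a firmware update image against a vendor-published SHA-256 digest.

Added example for this thread; not ESET's code and not a vendor tool.
The digest would normally be copied from the motherboard vendor's
download page. Everything below uses constructed sample data.
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large image is never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(path, expected_hex):
    """True only if the file's SHA-256 equals the published digest.

    The expected value is normalised (whitespace stripped, lower-cased) so a
    digest pasted with trailing spaces or upper-case hex still matches, and
    compare_digest does a full-length comparison rather than a prefix check.
    """
    actual = sha256_of_file(path)
    expected = expected_hex.strip().lower()
    return hmac.compare_digest(actual, expected)


def verify_copies(expected_hex, *paths):
    """Check every copy (download, USB stick, a post-flash re-read) against the
    same published digest; the result names each path with its verdict."""
    return {str(p): verify_image(p, expected_hex) for p in paths}


def make_sample_file(data, name="sample.bin"):
    """Write constructed bytes to a fresh temp directory and return the path."""
    path = Path(tempfile.mkdtemp()) / name
    path.write_bytes(data)
    return path


def demo():
    """Build a constructed 'firmware image' and a copy with one byte flipped.

    Returns the per-copy verdicts and the digest that stood in for the
    vendor's published value.
    """
    payload = os.urandom(3 * 1024 * 1024)  # constructed 3 MiB image
    good = make_sample_file(payload, "MB_BIOS_v1.23.CAP")  # constructed name
    altered = bytearray(payload)
    altered[1024] ^= 0x01  # a corrupted or tampered copy differs somewhere
    tampered = make_sample_file(bytes(altered), "MB_BIOS_v1.23_usb.CAP")
    published = sha256_of_file(good)  # stands in for the vendor-published hash
    return verify_copies(published, good, tampered), published


if __name__ == "__main__":
    verdicts, published = demo()
    print("published SHA-256:", published)
    for path, ok in verdicts.items():
        print(("OK      " if ok else "MISMATCH"), path)
```

Run the same `verify_image` check on the downloaded file, on the copy placed on the USB stick, and again on the stick after flashing; a mismatch at any step means that copy should not be used.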

1 hour ago, itman said:

Bottom line here is Eset will detect known UEFI malware at system startup time. I wouldn't be concerned about Eset not being able to scan the BCD via an off-line scan.

The first sentence quoted above is the exact sweet answer I was looking for. But just to clarify on the second sentence, the offline scan is referring to the scan I did right? (you're trying to differentiate what I did from ESET's online scan offering?)

And thanks for the links. They're way above my head but I did learn some interesting things from it.


itman (Solution):
2 minutes ago, Ueseter said:

the offline scan is referring to the scan I did right?

Correct.

Also, if you're concerned about motherboard firmware tampering from an external source prior to your receipt of the product, you should re-flash the BIOS with the latest update available from the motherboard manufacturer's web site, as previously posted. This BTW is S.O.P. when installing a new motherboard.


1 month later...

Slated:

I have to ask ... if the EFI System Partition is always going to be locked and unreadable, then what is the point of offering a UEFI scan as an option?

Surely this option needs to be removed and replaced with a warning that the only way to secure the UEFI is to re-flash it.

Seems odd to include a feature that has no way to actually be used.

UEFI option.jpg

UEFI results.jpg


5 hours ago, Slated said:

I have to ask ... if the EFI System Partition is always going to be locked and unreadable, then what is the point of offering a UEFI scan as an option?

Here's an Eset article on a UEFI-based bootkit it discovered a while back: https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/ . Obviously, Eset can and does scan the Win system recovery partition where the UEFI is located.

Next is the fact that UEFI-based malware is extremely rare in occurrence. When it does occur, the targeted device has been previously compromised to bypass Win Secure Boot processing, which is the primary protection against UEFI-based malware.

Edited by itman