
Can ESET Smart Security Premium Advanced Threat Protection Access BIOS?


Hello, my question is: can ESET Smart Security Premium's advanced threat protection access and detect "BIOS-UEFI-MBR-boot virus" virus-infested areas?


2 hours ago, Marcos said:

A topic on the same subject was discussed here recently; please see https://forum.eset.com/topic/34312-can-eset-smart-security-premium-access-the-bios-chip.

Mr. @Marcos

That being said, it can only be scanned; I'm asking if ESET's advanced threat protection (I think it was E live) can access and detect threats there?

And I didn't get an answer to that, and there is no answer in the topic you sent me the link to. I've asked about this in many places; all of them said they CAN SCAN, but when I ask about advanced threat protection, I get no response. Please tell me: can ESET's advanced threat protection access and detect these locations ("BIOS-UEFI-MBR-boot virus")? If you can detect it, I would appreciate it if you tell me how to detect it.


21 minutes ago, just said:

That being said, it can only be scanned; I'm asking if ESET's advanced threat protection (I think it was E live) can access and detect threats there?

Clarify what you mean by advanced threat protection and what you expect it to do in regards to BIOS/UEFI/MBR malware.

21 minutes ago, just said:

Please tell me: can ESET's advanced threat protection access and detect these locations ("BIOS-UEFI-MBR-boot virus")?

Yes. Eset can detect known malware in these locations.

21 minutes ago, just said:

If you can detect it, I would appreciate it if you tell me how to detect it.

Obviously, the exact details of how Eset detects this type of malware are proprietary. What is known is that Eset performs scans of BIOS/UEFI/MBR when the following events occur: system startup, signature update, modules update, and a manually initiated default SMART scan.

Edited by itman

One way Eset can detect BIOS/UEFI/MBR malware is that it conducts ongoing research activities in this area.

A recent example is how it discovered multiple vulnerabilities in select new Lenovo laptop/notebook models: https://www.neowin.net/news/eset-found-lenovo-windows-11-and-10-laptops-have-secure-boot-vulnerability-bios-update-out/ . This discovery enabled Lenovo to patch and issue firmware updates prior to these vulnerabilities being exploited en masse.


1 hour ago, itman said:

Clarify what you mean by advanced threat protection and what you expect it to do in regards to BIOS/UEFI/MBR malware.

I just want ESET's advanced threat protection to detect it.

1 hour ago, itman said:

Yes. Eset can detect known malware in these locations.

It can detect, OK, but can advanced threat protection detect it?

1 hour ago, itman said:

Obviously, the exact details of how Eset detects this type of malware are proprietary. What is known is that Eset performs scans of BIOS/UEFI/MBR when the following events occur: system startup, signature update, modules update, and a manually initiated default SMART scan.

I'm not saying that, for example, "old BIOSes were not in file form, but UEFI BIOSes are in files (I'm not sure if there is such a thing)" is the reason advanced threat protection detects it. I'm asking him. And as I said, you said scanning, but I'm not talking about scanning; I'm asking if advanced threat protection finds it even if I never scan those sections. @itman


  • Administrators

@Just, this is another account of yours. It is against this forum's rules to create multiple accounts and to post the same thing multiple times. That said, we'll disable your second account "Yusuf Alp" and kindly ask you to respect this forum's rules.


15 minutes ago, just said:

I'm not talking about scanning; I'm asking if advanced threat protection finds it even if I never scan those sections.

I think we are getting close to what you are asking.

Eset can't detect an attempt to infect the BIOS/UEFI with malware since the Win OS blocks access to those areas once Windows is fully initialized. Eset has full read access to these areas during the Win boot initialization process and limited access afterwards.

Most current UEFI/BIOS malware is designed to bypass Win 10/11 secure boot protection for the purpose of loading a malicious kernel mode driver. That is, the malware only runs at system startup time. Given that the UEFI/BIOS malware infection would have occurred after a system startup, but again, it won't run until system startup time.

Finally, if this is known malware, Eset will most likely have a signature detection of the externally delivered source process that creates the UEFI/BIOS malware. However, some UEFI/BIOS malware is installed by someone having physical access to the network/device and the like.


1 hour ago, itman said:

I think we are getting close to what you are asking.

Eset can't detect an attempt to infect the BIOS/UEFI with malware since the Win OS blocks access to those areas once Windows is fully initialized. Eset has full read access to these areas during the Win boot initialization process and limited access afterwards.

Most current UEFI/BIOS malware is designed to bypass Win 10/11 secure boot protection for the purpose of loading a malicious kernel mode driver. That is, the malware only runs at system startup time. Given that the UEFI/BIOS malware infection would have occurred after a system startup, but again, it won't run until system startup time.

Finally, if this is known malware, Eset will most likely have a signature detection of the externally delivered source process that creates the UEFI/BIOS malware. However, some UEFI/BIOS malware is installed by someone having physical access to the network/device and the like.

I don't understand: during startup the Win OS blocks access to this area, but ESET has access to this area? If so, can these viruses block its access?

So when the system is on, are these "BIOS-UEFI-MBR-boot virus" viruses, as I call them, deactivated? What harm can they do to the system or to me if they are only active at the beginning and then become deactivated afterwards?

I didn't quite understand the last part though. @itman


Here's Eset's article on its UEFI scanning protection: https://www.eset.com/afr/about/newsroom/press-releases-afr/corporate-blog/what-is-uefi-scanning-and-why-do-you-need-it-4/ . Below I have extracted the most relevant part of the article. Also, this is the extent of Eset UEFI malware protection.

Quote

From BIOS to UEFI

Let’s begin with some basics. UEFI stands for Unified Extensible Firmware Interface. This is the part of your computer system that gets things started when you turn it on, the boot process. You might have learned that this was handled by something called BIOS or Basic Input/Output System, and in fact that used to be the case. However, today’s computers use UEFI instead, even though some still call it BIOS. Like many other parts of a computer system, UEFI can be attacked in an effort to gain unauthorized access to the system and its data. The role of a UEFI Scanner is to detect threats with the potential to launch before the operating system boots up. These threats, including rootkits and ransomware, target vulnerabilities in the UEFI and are highly persistent, even surviving after an operating system is reinstalled.


28 minutes ago, itman said:

Here's Eset's article on its UEFI scanning protection: https://www.eset.com/afr/about/newsroom/press-releases-afr/corporate-blog/what-is-uefi-scanning-and-why-do-you-need-it-4/ . Below I have extracted the most relevant part of the article. Also, this is the extent of Eset UEFI malware protection.

Here it says browser; I need eset eLive, because if that UEFI malware is FUD, shouldn't the UEFI browser also not find it? @itman


As far as detection of UEFI-based malware at creation time goes, that would require an anti-virus product that embeds itself within the UEFI environment. The only product that I know of that does this is an OEM-based solution offered by Kaspersky: https://usa.kaspersky.com/antivirus-for-uefi . Of note is this is an "on chip" motherboard solution. That is, the motherboard manufacturer must "burn in" the Kaspersky AV code at chip manufacturing time.

With Eset ver. 16 products, Eset has partnered with Intel to include a like code solution in the context of Intel's hardware based Threat Detection Technology: https://www.securityweek.com/closer-look-intels-hardware-enabled-threat-detection-push . Of note is at present, only select Intel processors support this feature. Also, my understanding is Eset's embedded code is primarily directed to ransomware detection.


7 minutes ago, just said:

Here it says browser; I need eset eLive, because if that UEFI malware is FUD, shouldn't the UEFI browser also not find it? @itman

I have absolutely no idea what you are referring to.


3 minutes ago, itman said:

I have absolutely no idea what you are referring to.

I'm saying that if the virus is encrypted in antivirus scans, the virus cannot be found, but advanced threat protection can find it, so I'm asking if ESET's advanced threat protection can do what this UEFI scanner can do. @itman


2 minutes ago, just said:

I'm saying that if the virus is encrypted in antivirus scans, the virus cannot be found

The file is encrypted. The malware loads the encrypted file into memory, decrypts it, and then executes the code. Eset's HIPS deploys an advanced memory scanner that will detect the code if it is known to be malicious. The HIPS also employs select malware behavior detection methods for unknown malware and can label the code as suspicious.


8 minutes ago, itman said:

The file is encrypted. The malware loads the encrypted file into memory, decrypts it, and then executes the code. Eset's HIPS deploys an advanced memory scanner that will detect the code if it is known to be malicious. The HIPS also employs select malware behavior detection methods for unknown malware and can label the code as suspicious.

Okay, but isn't HIPS something like advanced threat protection anyway? @itman


  • ESET Moderators

Hello,

Let me see if I can provide some clarification here:

  • Since the DOS era, ESET's software has detected and removed threats from the Master Boot Record (MBR), which is the first sector on a hard disk drive (or SSD, these days) that contains some bootstrapping code, plus the partition table of data that tells the computer how the hard disk is formatted.  This works for both older MBR and newer GPT partitioned disks.  ESET's software also detects and removes threats from the boot sector (volume boot record) of each partition on a drive.

    Coincidentally, the very first computer virus I ever dealt with on my very first day in the antivirus industry back in 1989 was a boot sector infector.  You can read about how I nearly bungled that here.
     
  • ESET does detect threats in firmware.  The two types of firmware encountered are BIOS (Basic Input Output System) firmware, introduced with the IBM PC's Industry Standard Architecture in 1982, and UEFI (Universal Extensible Firmware Interface), which was introduced in 2005 by Intel to replace the older standard.

    Removing a threat from firmware requires rewriting it.  In the case of BIOS-based firmware, that is usually going to require going to the computer or systemboard manufacturer, getting a clean copy of the BIOS firmware image, and reflashing the BIOS.  For UEFI firmware, the process would be similar.
     
  • A UEFI-based system often has an ESP (EFI System Partition) associated with it, sometimes just referred to as a system partition.  The ESP is a special partition that can contain boot loaders (handy if you have a drive partitioned to multiboot different operating systems) as well as additional device drivers needed by the firmware to initialize the computer's hardware that are too big to reside in the firmware itself.

    As far as removing a threat from the ESP goes, that is a little harder to say because we have seen so few of these types of malware.  Depending upon the infection we may be able to remove it, but it could require working with one of our specialists.  It might be quicker to delete the EFI System Partition and replace it with a new, uninfected one.

As far as preventing threats to these areas of the system goes, ESET can indeed block them.  The proviso here is that the operating system would already need to be loaded and ESET's software running when the attack occurred.  The scenario for this kind of attack would be a dropper trying to write to the MBR, VBR or ESP, or trying to flash the BIOS or UEFI firmware with its malicious payload.

For more information about these types of threats and how ESET combats them, I would suggest becoming a regular reader of our blog, WeLiveSecurity.

Regards,

Aryeh Goretsky

Edited by Aryeh Goretsky
fixed formatting
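The MBR layout described in the post above (bootstrap code plus partition table in the first sector, with GPT carrying a protective MBR), as an added example that is not part of the original thread and not ESET's code: it parses a constructed 512-byte sector, recognises the GPT protective entry, and compares the boot-code hash against a recorded baseline, which is the kind of integrity check a defender can run to notice rewritten boot code. All sample bytes are constructed, not read from a real drive.

```python
"""Parse a 512-byte MBR sector and check it against a known-good baseline."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: bootstrap code
PART_TABLE_OFF = 446         # four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511
GPT_PROTECTIVE_TYPE = 0xEE   # partition type used by a GPT protective MBR
# entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a boot-code hash, partition entries and a GPT flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": entries,
        "is_gpt_protective": any(e["type"] == GPT_PROTECTIVE_TYPE for e in entries),
    }


def boot_code_changed(sector: bytes, baseline_sha256: str) -> bool:
    """True if the bootstrap code no longer matches the recorded baseline."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256


def build_sample_mbr(boot_code: bytes, entries: list) -> bytes:
    """Construct a sector from boot code plus (status, type, lba, count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         status, ptype, lba, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed sample: the protective MBR a GPT-partitioned disk carries.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0" + b"\x90" * 437,
                             [(0x00, GPT_PROTECTIVE_TYPE, 1, 0xFFFFFFFF)])
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# Same partition table, but the bootstrap code region has been overwritten.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x00" * 438,
                                [(0x00, GPT_PROTECTIVE_TYPE, 1, 0xFFFFFFFF)])

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR))
    print("boot code changed:", boot_code_changed(TAMPERED_MBR, BASELINE))
```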

18 minutes ago, Aryeh Goretsky said:

Hello,

Let me see if I can provide some clarification here:

  • Since the DOS era, ESET's software has detected and removed threats from the Master Boot Record (MBR), which is the first sector on a hard disk drive (or SSD, these days) that contains some bootstrapping code, plus the partition table of data that tells the computer how the hard disk is formatted.  This works for both older MBR and newer GPT partitioned disks.  ESET's software also detects and removes threats from the boot sector (volume boot record) of each partition on a drive.

    Coincidentally, the very first computer virus I ever dealt with on my very first day in the antivirus industry back in 1989 was a boot sector infector.  You can read about how I nearly bungled that here.
     
  • ESET does detect threats in firmware.  The two types of firmware encountered are BIOS (Basic Input Output System) firmware, introduced with the IBM PC's Industry Standard Architecture in 1982, and UEFI (Universal Extensible Firmware Interface), which was introduced in 2005 by Intel to replace the older standard.

    Removing a threat from firmware requires rewriting it.  In the case of BIOS-based firmware, that is usually going to require going to the computer or systemboard manufacturer, getting a clean copy of the BIOS firmware image, and reflashing the BIOS.  For UEFI firmware, the process would be similar.
     
  • A UEFI-based system often has an ESP (EFI System Partition) associated with it, sometimes just referred to as a system partition.  The ESP is a special partition that can contain boot loaders (handy if you have a drive partitioned to multiboot different operating systems) as well as additional device drivers needed by the firmware to initialize the computer's hardware that are too big to reside in the firmware itself.

    As far as removing a threat from the ESP goes, that is a little harder to say because we have seen so few of these types of malware.  Depending upon the infection we may be able to remove it, but it could require working with one of our specialists.  It might be quicker to delete the EFI System Partition and replace it with a new, uninfected one.

As far as preventing threats to these areas of the system goes, ESET can indeed block them.  The proviso here is that the operating system would already need to be loaded and ESET's software running when the attack occurred.  The scenario for this kind of attack would be a dropper trying to write to the MBR, VBR or ESP, or trying to flash the BIOS or UEFI firmware with its malicious payload.

For more information about these types of threats and how ESET combats them, I would suggest becoming a regular reader of our blog, WeLiveSecurity.

Regards,

Aryeh Goretsky

Hello

Thanks for your answer.

1. So ESET can access both BIOS and UEFI and detect threats there? Is that certain?

2. So ESET can still access both MBR and GPT and their types and detect threats there? Is that certain?

3. ESET can access them, OK, but can it only scan the places it can access, or can ESET's advanced threat protection also access and detect threats there? @Aryeh Goretsky


  • ESET Moderators

Hello,

In response to your questions:

  1. Yes.  I can't find any great mentions of BIOS-based malware, but this blog post on WeLiveSecurity from the end of 2011 mentions Mebromi, a BIOS-based rootkit.  ESET was the first to discover UEFI-based malware in the wild.  You can read more about that discovery in this blog post.
     
  2. Yes.  It is not something commonly seen today, but discussions about various forms of bootloader malware can be found here, here, and here on WeLiveSecurity, ESET's searchable blog that provides news, commentary and the occasional opinion on security.  From a scanning point of view, GPT (GUID Partition Table) is a kind of extension of the MBR specification, and is scanned, cleaned and protected the same way.
     
  3. Yes.  ESET's programs provide advanced threat protection that can scan (access) these areas of the computer (MBR/GPT, boot sector/VBR, BIOS/UEFI firmware, the EFI system partition).  Threats in them can be detected and removed (this may require reflashing firmware or deleting and recreating the ESP).  Threats targeting all of these can be prevented by ESET's software while it is running.  For example, a computer running Microsoft Windows and ESET Smart Security Premium would detect malware that intended to rewrite the boot code or the firmware, and warn you about it.

For more information about the types of protective systems that are built into ESET's software, please see this page about ESET's technology:  English | Turkish

Regards,

Aryeh Goretsky

  • ESET Moderators

Hello,

Quick update:  I spoke with one of the researchers involved with ESP (EFI System Partition) malware analysis, and he recommended removal and replacement of the entire partition to ensure the integrity of the computer.

Regards,

Aryeh Goretsky

4 hours ago, Aryeh Goretsky said:

Since the DOS-era, ESET's software has detected and removed threats from the Master Boot Record (MBR), which is the first sector on a hard disk drive (or SSD, these days) that contains some bootstrapping code, plus the partition table of data that tells the computer how the hard disk is formatted.

I disagree with this statement.

Whereas Eset can detect known MBR malware, it can't remove it. There are numerous past forum postings from Eset users infected with MBR malware Eset detected. The recommended removal method has always been to manually run bootrec.exe /fixmbr.

In reality, Eset should be preventing modification of the MBR as select other AV solutions such as Kaspersky do.


7 hours ago, Aryeh Goretsky said:

Hello,

In response to your questions:

  1. Yes.  I can't find any great mentions of BIOS-based malware, but this blog post on WeLiveSecurity from the end of 2011 mentions Mebromi, a BIOS-based rootkit.  ESET was the first to discover UEFI-based malware in the wild.  You can read more about that discovery in this blog post.
     
  2. Yes.  It is not something commonly seen today, but discussions about various forms of bootloader malware can be found here, here, and here on WeLiveSecurity, ESET's searchable blog that provides news, commentary and the occasional opinion on security.  From a scanning point of view, GPT (GUID Partition Table) is a kind of extension of the MBR specification, and is scanned, cleaned and protected the same way.
     
  3. Yes.  ESET's programs provide advanced threat protection that can scan (access) these areas of the computer (MBR/GPT, boot sector/VBR, BIOS/UEFI firmware, the EFI system partition).  Threats in them can be detected and removed (this may require reflashing firmware or deleting and recreating the ESP).  Threats targeting all of these can be prevented by ESET's software while it is running.  For example, a computer running Microsoft Windows and ESET Smart Security Premium would detect malware that intended to rewrite the boot code or the firmware, and warn you about it.

For more information about the types of protective systems that are built into ESET's software, please see this page about ESET's technology:  English | Turkish

Regards,

Aryeh Goretsky

Hello

Thanks for your answer.

1. But as far as I know, LEGACY BIOS without UEFI is not inaccessible because there is no file and its data is stored in the BIOS chip? @Aryeh Goretsky


4 hours ago, itman said:

I disagree with this statement.

Whereas Eset can detect known MBR malware, it can't remove it. There are numerous past forum postings from Eset users infected with MBR malware Eset detected. The recommended removal method has always been to manually run bootrec.exe /fixmbr.

In reality, Eset should be preventing modification of the MBR as select other AV solutions such as Kaspersky do.

It's enough for me that it detects it already; I know that I can install a new BIOS by contacting technical support. @itman

