Windows Defender attacks some non-Windows UEFI images

Starting in late 2013, Microsoft Windows Defender, a background malware scanner that gets updates via Windows Update, started looking for UEFI boot managers/loaders/tools that are not signed by Microsoft and deleting them. This affects booting non-Windows OSes: Linux, FreeBSD, Android, etc. Windows Defender gives users no control to override or configure anything. Microsoft can update the scanner to delete new files in the future, whenever Windows Update refreshes it. Presumably any UEFI image that isn’t signed by Microsoft is likely a candidate. I am unclear what the “UEFI module” described in the documentation (see below) is; I presume this means any UEFI Application/Service/Driver. The list of OEM contacts the Microsoft documentation points to for these “UEFI modules” is very old and doesn’t cover most UEFI Forum Members. Then again, some of the main targets of Defender’s deletions are likely neither OEMs nor UEFI Forum Members, but open source UEFI tools.

This feature is useful if you have a Windows system and you only run Windows, and never want to run anything other than Windows. This feature is not useful if you ever wish to dual-boot a non-Windows OS alongside Windows, since Windows Defender will destroy the other OS’s boot loader.

The workaround is to never dual-boot anything alongside Windows. OEMs who want to build non-Windows machines have to risk Windows Defender making their systems unbootable if any customer tries to dual-boot Windows on them. I wonder, if an OEM is ever capable enough to ship a Linux system with UEFI Secure Boot set up to boot Linux, without Microsoft keys, would Windows Defender properly check the UEFI keys and delete the Windows boot manager, which is unsigned by that firmware? 🙂

More information:

Microsoft security advisory: Update to revoke noncompliant UEFI boot loader modules
https://support.microsoft.com/en-us/kb/2871690
https://technet.microsoft.com/library/security/2871690

Excerpts:

“Microsoft is announcing the availability of an update for Windows 8 and Windows Server 2012 that revokes the digital signatures for nine private, third-party UEFI modules that could be loaded during UEFI Secure Boot. When the update is applied, the affected UEFI modules will no longer be trusted and will no longer load on systems where UEFI Secure Boot is enabled. The affected UEFI modules consist of specific Microsoft-signed modules that are either not in compliance with our certification program or their authors have requested that the packages be revoked. At the time of this release, these UEFI modules are not known to be available publicly. Microsoft is not aware of any misuse of the affected UEFI modules. Microsoft is proactively revoking these non-compliant modules as part of ongoing efforts to protect customers. This action only affects systems running Windows 8 and Windows Server 2012 that are capable of UEFI Secure Boot where the system is configured to boot via UEFI and Secure Boot is enabled. There is no action on systems that do not support UEFI Secure Boot or where it is disabled.”

“On affected releases of Microsoft Windows that are running on UEFI firmware with UEFI Secure Boot enabled, the update revokes the digital signatures for specific UEFI modules that could be loaded during UEFI Secure Boot. When the update is applied, the affected UEFI modules will no longer be trusted and will no longer load on systems where UEFI Secure Boot is enabled. The affected UEFI modules consist of specific Microsoft-signed modules that are either not in compliance with our certification program or their authors have requested that the packages be revoked.”

“For more information about your UEFI module, contact the UEFI module supplier. This might include the system vendor, the plug-in card vendor, or other UEFI software vendors such as UEFI backup and restore solutions, UEFI anti-malware, and so on.”

“Customers should update their UEFI modules to compliant versions prior to installation of this update. Customers who apply this update on a system with a non-compliant UEFI module risk putting the system into a non-bootable state. Microsoft recommends that all customers apply this update after ensuring they are running up-to-date UEFI modules.”

“Customers who want to continue using non-compliant UEFI modules for their own purposes, such as for testing, can do so by disabling Secure Boot in their system’s BIOS configuration menu.”
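
The advisory tells customers to confirm their UEFI modules are compliant before installing the update. The following is an added example, not code from Microsoft or from this post, of how that check can be done against a revocation list. It assumes the revocations are stored as `EFI_SIGNATURE_LIST` structures in the Secure Boot forbidden-signature database (dbx), the standard UEFI mechanism, which the advisory excerpts do not name, and that the caller already has the image's Authenticode SHA-256 digest. All sample digests and GUIDs other than `EFI_CERT_SHA256_GUID` are constructed.

```python
import struct
import uuid

# SHA-256 signature type GUID and list header layout, per the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
LIST_HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size


def parse_revoked_sha256(blob: bytes) -> set:
    """Return every SHA-256 digest found in concatenated EFI_SIGNATURE_LISTs."""
    revoked, offset = set(), 0
    while offset < len(blob):
        if len(blob) - offset < LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(blob, offset)
        body = offset + LIST_HEADER.size + hdr_size
        end = offset + list_size
        if list_size < LIST_HEADER.size + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        if (end - body) % sig_size:
            raise ValueError("signature data is not a multiple of the entry size")
        if uuid.UUID(bytes_le=sig_type) == EFI_CERT_SHA256_GUID:
            if sig_size != 16 + 32:
                raise ValueError("SHA-256 entry with wrong size")
            for entry in range(body, end, sig_size):
                # Each entry is a 16-byte owner GUID followed by the digest.
                revoked.add(blob[entry + 16:entry + sig_size])
        offset = end  # lists of other types (for example X.509) are skipped
    return revoked


def is_revoked(image_digest: bytes, blob: bytes) -> bool:
    """True if the image's Authenticode SHA-256 digest appears in the list."""
    return image_digest in parse_revoked_sha256(blob)


def build_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads: list) -> bytes:
    """Hypothetical helper: serialise one EFI_SIGNATURE_LIST for the sample below."""
    sig_size = 16 + len(payloads[0])
    data = b"".join(owner.bytes_le + p for p in payloads)
    return LIST_HEADER.pack(sig_type.bytes_le, LIST_HEADER.size + len(data), 0, sig_size) + data


# Constructed sample data, not real revocation entries.
OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
BAD_A, BAD_B, GOOD = bytes([0xAA]) * 32, bytes([0xBB]) * 32, bytes([0xCC]) * 32
OTHER_TYPE = uuid.UUID("11111111-2222-3333-4444-555555555555")  # placeholder non-SHA-256 type
SAMPLE_DBX = build_list(OTHER_TYPE, OWNER, [b"\x00" * 40]) + build_list(EFI_CERT_SHA256_GUID, OWNER, [BAD_A, BAD_B])
```

Data read from the firmware variable may carry extra framing that must be stripped first; Linux efivarfs, for example, prepends a 4-byte attributes field.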
