Update Defender will now protect against malicious drivers with new "Vulnerable Driver Blocklist"

Gandalf_The_Grey

Windows Defender has very recently gained a new capability called "Microsoft Vulnerable Driver Blocklist". The feature is part of Defender's Application Control option and will essentially protect devices from malicious drivers. Microsoft's Vice President of Enterprise and OS Security, David Weston, brought attention to the new feature on Twitter.

The feature was added recently and in a blog post related to it, Microsoft has described how the new driver blocklist will help protect Windows devices:

The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes:
  • Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel
  • Malicious behaviors (malware) or certificates used to sign malware
  • Behaviors that are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel
Microsoft says that it identifies such harmful drivers by working with its various vendor partners and adds these to its "ecosystem block policy". These are then applied to Hypervisor-protected code integrity (HVCI)-enabled devices or those with S mode. The feature is available on Windows 11, 10, and Server 2016 and higher.

Microsoft has good reason to be on high alert against such drivers. In the past, and more recently too, plenty of Windows and Windows-signed drivers have been found to be compromised.
 

Gandalf_The_Grey

@Andy Ful What's the main difference between this and the ASR rule?
I'll let Andy answer the technical details, but as far as I can see the ASR rule works on any machine with Microsoft Defender as the active protection, while the Vulnerable Driver Blocklist will only be enabled on those that are Hypervisor-protected code integrity (HVCI)-enabled, meaning AMD and Intel 7th generation processors and up.
 

Andy Ful

@Andy Ful What's the main difference between this and the ASR rule?
It is based on HVCI (Hypervisor-Protected Code Integrity):

It is the strongest driver protection available on Windows. It works without any AV and will refuse to use the blacklisted drivers even if they are somehow installed in the system.
The ASR rule requires Defender with enabled real-time protection. This ASR rule will allow vulnerable drivers if they are already installed in the system.
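The two posts above distinguish the HVCI-backed blocklist from the Defender ASR rule. The following PowerShell is an added example, not code from the thread or from Microsoft, that reports which of the two a machine actually has: whether HVCI is running and a code integrity policy is enforced, and whether the ASR rule "Block abuse of exploited vulnerable signed drivers" is enabled together with Defender real-time protection. It assumes Windows 10/11 with the Defender module present; the ASR rule GUID is the one Microsoft publishes for that rule and should be checked against the current ASR reference.

```powershell
# Added example (not from the thread): which driver protection is active here?
# Assumptions: Windows 10/11, Defender PowerShell module available.
# GUID below is Microsoft's published id for the ASR rule
# "Block abuse of exploited vulnerable signed drivers" - verify before relying on it.
$VulnDriverAsrRuleId = '56a863a9-875e-4185-98a7-b882c64b5ce5'

# 1. HVCI / code integrity status from the DeviceGuard WMI class.
#    SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
#    CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard
$hvciRunning = @($dg.SecurityServicesRunning) -contains 2
$ciEnforcement = switch ([int]$dg.CodeIntegrityPolicyEnforcementStatus) {
    0 { 'Off' } 1 { 'Audit' } 2 { 'Enforced' } default { 'Unknown' }
}

# 2. Defender ASR rule status. Ids and Actions are parallel arrays;
#    action 0 = disabled, 1 = block, 2 = audit, 6 = warn.
$mp      = Get-MpPreference
$ids     = @($mp.AttackSurfaceReductionRules_Ids)
$actions = @($mp.AttackSurfaceReductionRules_Actions)
$asrAction = 'Not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $VulnDriverAsrRuleId) {
        $asrAction = switch ([int]$actions[$i]) {
            0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' }
            default { "Unknown ($($actions[$i]))" }
        }
    }
}

# 3. The ASR rule only does anything while real-time protection is on.
$rtp = (Get-MpComputerStatus).RealTimeProtectionEnabled

[pscustomobject]@{
    HvciRunning                = $hvciRunning
    CodeIntegrityPolicy        = $ciEnforcement
    AsrVulnerableDriverRule    = $asrAction
    DefenderRealTimeProtection = $rtp
}
```

If `HvciRunning` is false and `CodeIntegrityPolicy` is `Off`, the kernel-level blocklist described in the thread is not in effect regardless of what Defender reports; if the ASR rule shows `Block` but `DefenderRealTimeProtection` is false, that rule is not protecting anything either.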
 

plat1098

This tells me Secure Boot and Core Isolation/Memory Integrity are not enough any more.

Given the increase in cyber-crime nowadays, I kind of welcome this development. Assuming it's available for Home users, bring it on.
 

silversurfer


Andy Ful

Given the increase in cyber-crime nowadays, I kind of welcome this development. Assuming it's available for Home users, bring it on.

A very similar solution can be adopted via Microsoft Defender Application Control (it is done in Windows S). It also does not need Defender (although the name could suggest otherwise). But the policy file must be created on Windows Pro (Enterprise, Education). After creating the policy file it will work on Windows Home too. One has to make two policy files: one in Audit mode and the second in block mode. The first is required to test that the policy will not block some drivers installed in the system.
Anyway, this way is not as convenient as Defender's ASR rules.
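The audit-then-block procedure described above, as an added PowerShell example that is not code from the thread or from Microsoft. It assumes an elevated session on Windows Pro/Enterprise/Education (the ConfigCI cmdlets are not shipped on Home), that Microsoft's recommended driver block rules XML has been saved as `.\DriverBlockRules.xml` (the path is an assumption), and the single-policy deployment location `System32\CodeIntegrity\SiPolicy.p7b`. The resulting binary policy can be copied to a Home edition, as the post says.

```powershell
# Added example (not from the thread): build Microsoft's recommended driver
# block rules into a WDAC policy, audit first, then enforced.
# Assumptions: run elevated on Pro/Enterprise/Education; the block rules XML
# from Microsoft's docs is at .\DriverBlockRules.xml; single-policy format.
param(
    [string]$PolicyXml = '.\DriverBlockRules.xml',   # assumed path
    [switch]$Enforce                                  # omit for the audit pass
)
$work = Join-Path $env:TEMP 'wdac-driverblock'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$auditXml   = Join-Path $work 'DriverBlock-Audit.xml'
$enforceXml = Join-Path $work 'DriverBlock-Enforce.xml'
Copy-Item $PolicyXml $auditXml   -Force
Copy-Item $PolicyXml $enforceXml -Force

# Rule option 3 = "Enabled:Audit Mode". Present: drivers are logged, not blocked.
# Absent: the kernel refuses to load anything the policy denies.
Set-RuleOption -FilePath $auditXml   -Option 3
Set-RuleOption -FilePath $enforceXml -Option 3 -Delete

# Compile the chosen XML into the binary the kernel consumes.
$src = if ($Enforce) { $enforceXml } else { $auditXml }
$bin = Join-Path $work 'SiPolicy.p7b'
ConvertFrom-CIPolicy -XmlFilePath $src -BinaryFilePath $bin | Out-Null

# Single-policy location; takes effect after a reboot.
$dest = Join-Path $env:SystemRoot 'System32\CodeIntegrity\SiPolicy.p7b'
Copy-Item $bin $dest -Force
$mode = if ($Enforce) { 'enforced' } else { 'audit' }
Write-Host "Deployed $mode policy to $dest; reboot to apply."

# After running in audit mode for a while, see what would have been blocked.
# Code Integrity event 3076 = audit hit (would be blocked if enforced),
# 3077 = actually blocked by an enforced policy.
function Get-DriverBlockEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
}
Get-DriverBlockEvents
```

Run it once without `-Enforce`, reboot, use the machine normally, and only re-run with `-Enforce` when `Get-DriverBlockEvents` shows no 3076 events for drivers you actually need. On Windows 10 1903 and later the multiple-policy format (a `{PolicyId}.cip` file under `CodeIntegrity\CiPolicies\Active`) can be used instead of `SiPolicy.p7b`; the audit/enforce logic is the same.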
 

ticklemefeet

A very similar solution can be adopted via Microsoft Defender Application Control (it is done in Windows S). It also does not need Defender (although the name could suggest otherwise). But the policy file must be created on Windows Pro (Enterprise, Education). After creating the policy file it will work on Windows Home too. One has to make two policy files: one in Audit mode and the second in block mode. The first is required to test that the policy will not block some drivers installed in the system.
Anyway, this way is not as convenient as Defender's ASR rules.
Yes: Microsoft recommended driver block rules (Windows) - Windows security
 

plat1098

Anyway, this way is not as convenient as Defender's ASR rules.
Oh wow, OK. You know, I'm going to inquire in the OSArmor thread at Wilders whether novirusthanks considers OSArmor to have parity with the driver block rules (with certain settings enabled). Meaning: will one be just as protected with OSArmor as with the MS Vulnerable Driver Blocklist?

As usual, enabling this is seemingly not friendly for a Windows Home user. Perhaps in the future, it will be. It certainly ought to be.