New Update Defender will now protect against malicious drivers with new "Vulnerable Driver Blocklist"

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
Windows Defender has very recently gained a new capability called "Microsoft Vulnerable Driver Blocklist". The feature is a part of Defender's Application Control option and will essentially protect devices from malicious drivers. Microsoft's Vice President of Enterprise and OS Security, David Weston, on Twitter, brought attention to the new feature.

The feature was added recently and in a blog post related to it, Microsoft has described how the new driver blocklist will help protect Windows devices:

The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes:
  • Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel
  • Malicious behaviors (malware) or certificates used to sign malware
  • Behaviors that are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel
Microsoft says that it identifies such harmful drivers by working with its various vendor partners and adds these to its "ecosystem block policy". These are then applied to Hypervisor-protected code integrity (HVCI)-enabled devices or those with S mode. The feature is available on Windows 11, 10, and Server 2016 and higher.

Microsoft has good reason to be on high alert against such drivers. In the past, as well as more recently too, plenty of Windows and Windows-signed drivers have been found to be compromised.
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
@Andy Ful What's the main difference between this and the ASR rule?
I let Andy answer the technical details, but as far as I can see the ASR rule works on any machine with Microsoft Defender as active protection, but the Vulnerable Driver Blocklist wil only be enabled on those that are Hypervisor-protected code integrity (HVCI)-enabled, meaning AMD and Intel 7th generation processors and up.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
@Andy Ful What's the main difference between this and the ASR rule?
It is based on HVCI (Hypervisor-Protected Code Integrity):

It is the strongest driver protection available on Windows. It works without any AV and will refuse to use the blacklisted drivers even if they are somehow installed in the system.
The ASR rule requires Defender with enabled real-time protection. This ASR rule will allow vulnerable drivers if they are already installed in the system.
 
Last edited:

plat

Level 29
Top Poster
Sep 13, 2018
1,793
This tells me Secure Boot and Core Isolation/Memory Integrity are not enough any more.

Given the increase in cyber-crime nowadays, I kind of welcome this development. Assuming it's available for Home users, bring it on.
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,057
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Given the increase in cyber-crime nowadays, I kind of welcome this development. Assuming it's available for Home users, bring it on.

A very similar solution can be adopted via Microsoft Defender Application Control (it is done in Windows S). It also does not need Defender (although the name could suggest otherwise). But, the policy file must be created on Windows Pro (Enterprise, Education). After creating the policy file it will work on Windows Home too. One has to make two policy files: one in Audit mode and the second in block mode. The first is required to test if the policy will not block some drivers installed in the system.
Anyway, this way is not as convenient as Defender's ASR rules.
 
F

ForgottenSeer 69673

A very similar solution can be adopted via Microsoft Defender Application Control (it is done in Windows S). It also does not need Defender (although the name could suggest otherwise). But, the policy file must be created on Windows Pro (Enterprise, Education). After creating the policy file it will work on Windows Home too. One has to make two policy files: one in Audit mode and the second in block mode. The first is required to test if the policy will not block some drivers installed in the system.
Anyway, this way is not as convenient as Defender's ASR rules.
Yes: Microsoft recommended driver block rules (Windows) - Windows security
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Anyway, this way is not as convenient as Defender's ASR rules.
Oh wow, OK. You know, I'm going to inquire in the OSArmor thread at Wilders whether novirusthanks considers OSArmor to have parity with the driver block rules (with certain settings enabled). Meaning: will one be just as protected with OSArmor as with the MS Vulnerable Driver Blocklist?

As usual, enabling this is seemingly not friendly for a Windows Home user. Perhaps in the future, it will be. It certainly ought to be.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Meaning: will one be just as protected with OSArmor as with the MS Vulnerable Driver Blocklist?
No. OSA can protect only by the driver on the kernel level which is not as strong as HVCI.
But for home users, this probably does not matter.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top