Windows Defender: Vulnerable Driver Blocklist protects against malicious or exploitable drivers


Vulnerable Driver Blocklist is a new security feature in Windows Defender on Windows 10, Windows 11, and Windows Server 2016 or newer devices that protects against malicious or exploitable drivers.

Announced on Twitter by David Weston, Microsoft Vice President of Enterprise and Operating System Security, Microsoft's Vulnerable Driver Block List is enabled by default on Windows 10 devices in S mode and on devices that have the Memory Integrity core isolation feature enabled. Microsoft may also refer to Memory Integrity as Hypervisor-Protected Code Integrity (HVCI).

Memory Integrity, or HVCI, uses Microsoft’s Hyper-V technology to protect Windows kernel-mode processes from malicious code injections. The feature wasn’t enabled on existing devices when it was first shipped, but appears to be enabled by default on devices with new Windows installations.

Some users have reported issues on certain devices with HVCI enabled, and that disabling it resolved the issues they experienced.

The core idea behind the new protection feature is to maintain a list of drivers that Windows Defender will block because the drivers have at least one of the following attributes:

  • Known security vulnerabilities that attackers can exploit to elevate privileges in the Windows kernel
  • Malicious behavior (malware) or certificates used to sign malware
  • Behavior that is not malicious but circumvents the Windows security model and can be exploited by attackers to elevate privileges in the Windows kernel

Microsoft cooperates with hardware vendors and OEMs to maintain the block list. Suspicious drivers may be submitted to Microsoft for analysis, and manufacturers may request that changes be made to drivers that are on the vulnerable block list, for example, after a problem is fixed.

Devices running Windows 10 in S mode and HVCI-enabled devices are protected against these security threats once the feature is implemented on them.

Windows users and administrators can enable the Memory Integrity prerequisite as follows on non-S mode Windows 10 devices:

  1. Select Start and then Settings, or use the keyboard shortcut Windows-I to open the Settings app.
  2. In Windows 10, go to Update & Security > Windows Security. Select Open Windows Security.
  3. In Windows 11, go to Privacy & Security > Windows Security. Select Open Windows Security.
  4. Select Device Security in the sidebar on the left side.
  5. Activate the “Core Isolation Details” link.
  6. Change the Memory Integrity setting to On to enable the feature.
  7. Reboot the device.

Windows administrators will see Microsoft’s new vulnerable driver block list on the Windows Security core isolation page once the feature is available. The feature can be turned on or off, and can also be managed through other means. David Weston notes that turning it on will allow for a more aggressive blocklist.

Microsoft states that it recommends enabling HVCI or using S mode, but administrators can also block the drivers on the list using an existing Windows Defender Application Control policy. The documentation lists an XML file containing the blocked drivers out of the box.
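The following is an added example, not code from the article or from Microsoft: a Python audit that reads deny rules from a block-list policy XML and reports which inventoried drivers they would match, so the impact is known before the policy is enforced. The policy fragment, rule IDs, driver names, versions and hashes are constructed. It assumes hash rules hold Authenticode SHA-256 values and that file-name rules match the driver's original file name within the stated version range.

```python
import xml.etree.ElementTree as ET
NS = "{urn:schemas-microsoft-com:sipolicy}"
BAD_HASH = "AB" * 32  # constructed 64-hex-digit value, not a real driver hash

# Constructed policy fragment in the SiPolicy deny-rule layout (IDs, names, versions made up).
SAMPLE_POLICY = f"""<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <FileRules>
    <Deny ID="ID_DENY_SAMPLE_HASH" FriendlyName="sample hash rule" Hash="{BAD_HASH}" />
    <Deny ID="ID_DENY_SAMPLE_VER" FileName="oldvendor.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="2.9.0.0" />
  </FileRules>
</SiPolicy>"""

SAMPLE_DRIVERS = [  # constructed: path, original file name, version, Authenticode SHA-256
    (r"C:\Windows\System32\drivers\oldvendor.sys", "OldVendor.sys", "2.3.0.0", "01" * 32),
    (r"C:\Tools\oldvendor.sys", "oldvendor.sys", "2.10.0.0", "02" * 32),
    (r"C:\Windows\System32\drivers\renamed.sys", "renamed.sys", "1.0.0.0", BAD_HASH.lower()),
]

def version_tuple(text):
    """'2.10.0.0' -> (2, 10, 0, 0): compare numerically, since '2.10' < '2.9' as strings."""
    return tuple(int(part) for part in text.split("."))

def load_deny_rules(policy_xml):
    """Split <Deny> rules into a hash lookup and name/version rules (missing bounds = open-ended)."""
    by_hash, by_name = {}, []
    for rule in ET.fromstring(policy_xml).iter(NS + "Deny"):
        if rule.get("Hash"):
            by_hash[rule.get("Hash").upper()] = rule.get("ID")
        elif rule.get("FileName"):
            low = version_tuple(rule.get("MinimumFileVersion", "0.0.0.0"))
            high = version_tuple(rule.get("MaximumFileVersion", "65535.65535.65535.65535"))
            by_name.append((rule.get("FileName").lower(), low, high, rule.get("ID")))
    return by_hash, by_name

def audit(drivers, policy_xml):
    """Return (path, rule ID) for each inventoried driver that a deny rule matches."""
    by_hash, by_name = load_deny_rules(policy_xml)
    hits = []
    for path, name, version, digest in drivers:
        rule_id = by_hash.get(digest.upper())  # hash rules catch renamed copies
        for rule_name, low, high, rid in by_name:
            if rule_id is None and name.lower() == rule_name and low <= version_tuple(version) <= high:
                rule_id = rid
        if rule_id:
            hits.append((path, rule_id))
    return hits

if __name__ == "__main__":
    print(audit(SAMPLE_DRIVERS, SAMPLE_POLICY))
```

The second inventory entry is not reported: version 2.10.0.0 is above the rule's 2.9.0.0 ceiling, which a plain string comparison would get wrong.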

Now you: Is memory integrity enabled on your devices, if you use Windows Defender?
