You will agree that an operating system's primary function is to provide a safe execution environment in which different applications can run securely. This requires a basic framework for uniform program execution that lets programs use the hardware and access system resources in a secure manner. The Windows Kernel provides this basic service, as the kernel does in all but the most simplistic operating systems. To enable these fundamental capabilities, several portions of the OS initialize and run at system boot time.
In addition, Windows 10 has other features that offer a first layer of protection. These include:
- Windows Defender – It offers comprehensive protection for your system, files, and online activities against malware and other threats. The tool uses signatures to detect and quarantine apps known to be malicious.
- SmartScreen Filter – It warns users before allowing them to run an untrustworthy app. Bear in mind, however, that both of these features can offer protection only after Windows 10 has started. Most modern malware, and bootkits in particular, can run even before Windows starts, lying hidden and bypassing operating system security completely.
Fortunately, Windows 10 provides protection even during startup. How? To see that, we first need to understand what rootkits are and how they work. Then we can delve deeper and look at how the Windows 10 protection system works.
Rootkits are a set of tools that a cracker uses to hide their control of a device. The cracker first obtains user-level access, either by exploiting a known vulnerability or by cracking a password, then installs the rootkit and retrieves the information they are after. The rootkit conceals the fact that the operating system has been compromised by replacing vital executables.
Different types of rootkits run during different phases of the startup process. These include:
- Kernel rootkits – Developed as device drivers or loadable modules, these replace a portion of the operating system kernel so that the rootkit starts automatically when the operating system loads.
- Firmware rootkits – These overwrite the firmware of the PC's basic input/output system or other hardware so that the rootkit starts before Windows does.
- Driver rootkits – At the driver level, code has full access to the system's hardware, so this kind of rootkit pretends to be one of the trusted drivers that Windows uses to communicate with the PC hardware.
- Bootkits – An advanced form of rootkit that takes the basic functionality of a rootkit and extends it with the ability to infect the Master Boot Record (MBR). It replaces the operating system's bootloader so that the PC loads the bootkit before the operating system.
Windows 10 has four features that secure the boot process and counter these threats.
Securing the Windows 10 Boot Process
Secure Boot
Secure Boot is a security standard developed by members of the PC industry to help protect your system from malicious programs by not allowing any unauthorized software to run during the system start-up process. The feature makes sure that your PC boots using only software that is trusted by the PC manufacturer. Whenever your PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs) and the operating system. If the signatures are valid, the PC boots and the firmware hands control to the operating system.
Trusted Boot
The Windows bootloader uses the Virtual Trusted Platform Module (VTPM) to verify the digital signature of the Windows 10 kernel before loading it. The kernel in turn verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been altered to any extent, the bootloader detects it, recognizes it as a corrupted component, and refuses to load it. In short, Trusted Boot provides a chain of trust for all components during boot.
Early Launch Anti-Malware
Early launch anti-malware (ELAM) protects the computers in a network when they start up, before third-party drivers initialize. After Secure Boot has protected the bootloader and Trusted Boot has completed the task of safeguarding the Windows kernel, ELAM's role begins. It closes the loophole that would otherwise let malware start by infecting a non-Microsoft boot driver: the feature loads a Microsoft or non-Microsoft anti-malware driver first, so that it can examine boot drivers before they run. This extends the continuous chain of trust established earlier by Secure Boot and Trusted Boot.
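To make the ELAM step concrete, the following is an added example (not code from the article or from Microsoft) that models what an ELAM driver does at this point in startup: it classifies each boot-start driver image before the driver initializes, and the kernel's boot-start driver initialization policy then decides which classes are allowed to load. The classification names mirror the ones an ELAM driver reports (known good, known bad, known bad but boot-critical, unknown) and the policy levels mirror the Windows Group Policy setting; the driver names, image bytes, hash lists and the `classify`/`initialize_boot_drivers` functions are constructed for the example.

```python
"""Constructed model of the step ELAM performs: classify each boot-start driver
before it initializes, then let the kernel's boot-start driver initialization
policy decide which classes may load. Class names mirror the ELAM callback
classifications and the policy levels mirror the Windows Group Policy setting;
the drivers, images and hashes below are made up for the example."""
import hashlib

# Constructed malware signatures the ELAM driver ships with (hashes of bad images)
KNOWN_BAD_HASHES = {hashlib.sha256(b"evil-filter.sys image").hexdigest()}
# Constructed hashes of images the ELAM driver positively recognizes as good
KNOWN_GOOD_HASHES = {
    hashlib.sha256(b"storport.sys image").hexdigest(),
    hashlib.sha256(b"disk.sys image").hexdigest(),
}
# Constructed set of drivers the system cannot boot without
BOOT_CRITICAL = {"storport.sys", "disk.sys"}

# Policy levels from most to least restrictive; "good_unknown_and_bad_critical"
# is the Windows default (a bad driver loads only if boot would fail without it)
POLICY = {
    "good_only": {"good"},
    "good_and_unknown": {"good", "unknown"},
    "good_unknown_and_bad_critical": {"good", "unknown", "bad_but_critical"},
    "all": {"good", "unknown", "bad_but_critical", "bad"},
}


def classify(name, image):
    """ELAM verdict for one driver image: good, bad, bad_but_critical or unknown."""
    digest = hashlib.sha256(image).hexdigest()
    if digest in KNOWN_BAD_HASHES:
        return "bad_but_critical" if name in BOOT_CRITICAL else "bad"
    return "good" if digest in KNOWN_GOOD_HASHES else "unknown"


def initialize_boot_drivers(drivers, policy="good_unknown_and_bad_critical"):
    """Apply the policy to (name, image) pairs; returns (loaded, blocked) lists
    of (name, classification) in boot order."""
    allowed = POLICY[policy]
    loaded, blocked = [], []
    for name, image in drivers:
        verdict = classify(name, image)
        (loaded if verdict in allowed else blocked).append((name, verdict))
    return loaded, blocked


# Constructed boot-start driver list: two known-good drivers, one unknown
# third-party filter, and one image matching a malware signature
SAMPLE_DRIVERS = [
    ("storport.sys", b"storport.sys image"),
    ("disk.sys", b"disk.sys image"),
    ("vendorfilter.sys", b"vendor filter v2 image"),
    ("evil-filter.sys", b"evil-filter.sys image"),
]
```

Calling `initialize_boot_drivers(SAMPLE_DRIVERS)` loads the two known-good drivers and the unknown filter and blocks the image that matches a malware signature; tightening the policy to `"good_only"` also blocks the unknown filter, which is the trade-off an administrator makes between compatibility and a stricter boot. A known-bad image under a boot-critical name is reported as bad-but-critical and loads under the default level only because the system could not boot without it, which is exactly why such a result deserves follow-up rather than silence.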
Measured Boot
It has been observed that PCs infected with rootkits continue to appear healthy, even with anti-malware running. If such infected PCs are connected to an enterprise network, they pose a serious risk to other systems by opening routes for the rootkits to reach vast amounts of confidential data. Measured Boot in Windows 10 allows a trusted server on the network to verify the integrity of the Windows startup process through the following steps.
- Running a non-Microsoft remote attestation client – The trusted attestation server sends the client a unique key at the end of every startup process.
- The PC's UEFI firmware stores in the TPM a hash of the firmware, bootloader, boot drivers, and everything else that is loaded before the anti-malware app.
- The TPM uses the unique key to digitally sign the log recorded by the UEFI firmware. The client then sends the log to the server, possibly together with other security information.
With this information in hand, the server can determine whether the client is healthy and grant it access to either a limited quarantine network or the full network.
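The following is an added example (not code from the article or from Microsoft) that models, in one short simulation, both the Secure Boot/Trusted Boot section above and the Measured Boot steps just listed: each startup component is measured into a TPM register and then has its signature checked before it may load, the TPM signs a log of what was measured together with a server-supplied nonce, and a health server verifies the log and decides between the full network and the quarantine network. It goes slightly beyond the text in one respect: it includes a driver that is validly signed but is not the build the server expects, to show why a signature check alone does not make a PC "healthy" and why the server's comparison step matters. Everything here is constructed: the keys, component images, `BOOT_ORDER` and the function names are assumptions, the PCR-extend arithmetic is a one-register stand-in for a real TPM, and HMAC-SHA256 with a shared key stands in for the public-key signatures the firmware and the attestation server really check.

```python
"""Constructed model of the boot-protection chain described in the article:
Secure/Trusted Boot refuse to load a component whose signature fails, Measured
Boot records every component into a TPM PCR and signs the log, and a health
server decides between the full network and the quarantine network.
Stdlib only: HMAC-SHA256 stands in for the real public-key signatures."""
import hashlib
import hmac
import json

# Constructed keys, not real ones: the key Secure Boot trusts for boot software
# and the TPM attestation key whose signatures the health server can check.
OEM_SIGNING_KEY = b"constructed-oem-signing-key"
TPM_ATTESTATION_KEY = b"constructed-tpm-attestation-key"

# Order in which control passes from one startup component to the next
BOOT_ORDER = ["firmware", "bootloader", "kernel", "elam", "boot_driver:storage"]

def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify(key, data, signature):
    return hmac.compare_digest(sign(key, data), signature)

class TPM:
    """Minimal PCR model: extend() chains each measurement onto the previous
    value, so the final PCR depends on every component and on their order."""

    def __init__(self):
        self.pcr = bytes(32)
        self.log = []

    def extend(self, name, data):
        digest = hashlib.sha256(data).digest()
        self.pcr = hashlib.sha256(self.pcr + digest).digest()
        self.log.append({"component": name, "sha256": digest.hex()})

    def quote(self, nonce):
        # The server's nonce is bound into the signed quote to defeat replay
        body = json.dumps({"nonce": nonce, "pcr": self.pcr.hex()}, sort_keys=True)
        return {"body": body, "signature": sign(TPM_ATTESTATION_KEY, body.encode())}

def boot(components, tpm):
    """Secure/Trusted Boot: measure each component, then check its signature
    before it may load. Returns ('booted', None) or ('refused', component)."""
    for name in BOOT_ORDER:
        data, signature = components[name]
        tpm.extend(name, data)  # Measured Boot records it even if it is refused
        if not verify(OEM_SIGNING_KEY, data, signature):
            return ("refused", name)  # chain of trust broken: stop here
    return ("booted", None)

def replay_log(log):
    """Recompute the PCR from the event log the client sent along."""
    pcr = bytes(32)
    for entry in log:
        pcr = hashlib.sha256(pcr + bytes.fromhex(entry["sha256"])).digest()
    return pcr

def attest(quote, log, golden_pcr, nonce):
    """Health server: verify the quote, check freshness, confirm the log matches
    the signed PCR, then compare the PCR with the known-good reference."""
    if not verify(TPM_ATTESTATION_KEY, quote["body"].encode(), quote["signature"]):
        return "quarantine"  # quote was not produced by the TPM
    body = json.loads(quote["body"])
    if body["nonce"] != nonce:
        return "quarantine"  # stale or replayed quote
    if replay_log(log).hex() != body["pcr"]:
        return "quarantine"  # log was edited after the fact
    return "full_network" if body["pcr"] == golden_pcr.hex() else "quarantine"

def make_components(tamper=None):
    """Constructed boot images; 'tamper' applies one of two rootkit-style changes."""
    comps = {}
    for name in BOOT_ORDER:
        data = f"{name}-image-v1".encode()
        comps[name] = (data, sign(OEM_SIGNING_KEY, data))
    if tamper == "patched_driver":  # bytes changed, old signature kept
        patched = b"boot_driver:storage-image-v1 + injected hook"
        comps["boot_driver:storage"] = (patched, comps["boot_driver:storage"][1])
    elif tamper == "downgraded_driver":  # validly signed, but not the expected build
        old = b"boot_driver:storage-image-v0"
        comps["boot_driver:storage"] = (old, sign(OEM_SIGNING_KEY, old))
    return comps

def golden_pcr():
    """Known-good PCR the server recorded from a clean reference boot."""
    tpm = TPM()
    boot(make_components(), tpm)
    return tpm.pcr

def run_scenario(tamper=None, nonce="server-nonce-42"):
    """Boot the PC and, if it comes up, attest it to the health server."""
    tpm = TPM()
    status, stopped_at = boot(make_components(tamper), tpm)
    verdict = None
    if status == "booted":
        verdict = attest(tpm.quote(nonce), tpm.log, golden_pcr(), nonce)
    return status, stopped_at, verdict
```

`run_scenario()` boots cleanly and is admitted to the full network; `run_scenario("patched_driver")` is stopped by the signature check at the storage driver and never reaches attestation, which is Secure/Trusted Boot doing its job; `run_scenario("downgraded_driver")` boots, because the old build carries a valid signature, but lands in quarantine because its PCR does not match the server's reference. The server also rejects a quote whose nonce is not the one it issued and a log that no longer reproduces the signed PCR, which is what makes the log trustworthy even though the client, not the TPM, transmits it.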
Read the full details on Microsoft.