Windows Defender: Vulnerable Driver Blocklist protects against malicious or exploitable drivers
Vulnerable Driver Blocklist is a new security feature of Windows Defender on Windows 10, Windows 11 and Windows Server 2016 or newer devices that protects against malicious or exploitable drivers.
Announced by Microsoft's Vice President of Enterprise and OS Security, David Weston, on Twitter, the Microsoft Vulnerable Driver Blocklist is a new security feature that is enabled by default on Windows 10 in S mode devices and on devices that have the Core Isolation feature Memory Integrity, which Microsoft may also refer to as Hypervisor-protected code integrity (HVCI), enabled.
Memory integrity, or HVCI, makes use of Microsoft's Hyper-V technology to protect Windows kernel-mode processes against malicious code injections. The feature was not enabled on existing devices when it first shipped, but it appears to be enabled by default on devices with new installations of Windows.
Some users reported issues with certain devices with HVCI enabled, and that disabling it resolved the issues that they experienced.
The core idea behind the new protective feature is to maintain a list of drivers that will be blocked by Windows Defender because the drivers have at least one of the following attributes:
- Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel
- Malicious behaviors (malware) or certificates used to sign malware
- Behaviors that are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel
Microsoft cooperates with hardware vendors and OEMs to maintain the blocklist. Suspected drivers may be submitted to Microsoft for analysis and manufacturers may request that changes are made to drivers that are on the vulnerable blocklist, e.g., after patching an issue.
Devices that run Windows 10 in S mode and devices with HVCI enabled protect against these security threats once the feature is rolled out to devices.
Windows users and administrators may enable the Memory Integrity prerequisite in the following way on non-Windows 10 S-mode devices:
- Select Start and then Settings, or use the keyboard shortcut Windows-I to open the Settings application.
- On Windows 10, go to Update & Security > Windows Security. Select Open Windows Security.
- On Windows 11, go to Privacy & Security > Windows Security > Select Open Windows Security.
- Select Device Security from the sidebar on the left side.
- Activate the "core isolation details" link.
- Toggle the Memory Integrity setting to On to enable the feature.
- Restart the device.
Windows administrators will see the new Microsoft Vulnerable Driver Blocklist on the Core isolation page of Windows Security once the feature becomes available. The feature can be toggled on or off, and also managed through other means. David Weston notes that turning it on will enable a more aggressive blocklist.
Microsoft states that it recommends enabling HVCI or using S mode, but that administrators may also block the drivers on the list using an existing Windows Defender Application Control policy. The documentation lists an XML file that contains the blocked drivers ready for use.
Now You: is memory integrity enabled on your devices, if you use Windows Defender?Advertisement