Windows Defender has very recently gained a new capability called "Microsoft Vulnerable Driver Blocklist". The feature is a part of Defender"s Application Control option and will essentially protect devices from malicious drivers. Microsoft"s Vice President of Enterprise and OS Security, David Weston, on Twitter, brought attention to the new feature.
The feature was added recently and in a blog post related to it, Microsoft has described how the new driver blocklist will help protect Windows devices:
The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes:
- Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel
- Malicious behaviors (malware) or certificates used to sign malware
- Behaviors that are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel
Microsoft says that it identifies such harmful drivers by working with its various vendor partners and adds these to its "ecosystem block policy". These are then applied to Hypervisor-protected code integrity (HVCI)-enabled devices or those with S mode. The feature is available on Windows 11, 10, and Server 2016 and higher.
Microsoft has good reason to be on high alert against such drivers. In the past, as well as more recently too, plenty of Windows and Windows-signed drivers have been found to be compromised.