The chance of getting hit by a bioskit is quite low, especially when the malware has to be "compatible" with the BIOS to exploit it; this is not everyday malware.
Eset responded that the feature will be available in the upcoming ver. 11, which hasn't been released yet. So we will have to wait till it is released for further operational details. I suspect it will be part of the real-time scanner startup scan that runs by default at boot time. Also, Eset has Device protection that scans any external device upon connection, so it might be included within that module. Eset's Device protection has some elaborate configuration options which allow the device to be completely locked down if so desired. Another possibility is to force-load its device driver prior to any other driver that loads at boot time and use that driver to scan the BIOS and other drivers as they load.
Article on Intel's ACM technology here: https://www.cylance.com/en_us/blog/black-hat-vegas-where-the-guardians-of-the-bios-are-failing.html Black Hat presentation here: https://www.blackhat.com/us-17/brie...s-where-the-guardians-of-the-bios-are-failing
Suspect Eset will be interfacing with the Windows SMM Security Mitigation Table, aka WSMT, which was implemented in Win 10 1607. Interesting read on WSMT here: http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx
I am closely following this thread and have what is likely a pervasive question for others as well. I/we would all love to secure the code if we could derive a way to run it independently of ESET: a free-standing script/program/code that could accurately examine the firmware on our machine for any invasion or malware. I have always been concerned with "things" messing with my startup as a way to sneak aboard. This is one reason I mount all my Linux systems with a removable /boot flash drive. Then I extract the flash drive before heading to any internet or workspace. The firmware would be one step back even from the /boot files. [popcorn - with butter]
I think that if somebody wants to be 100% sure there is legitimate firmware inside his motherboard, he/she should reprogram the hardware with an SPI flash programmer or something similar. I didn't do that, though. Diagnosing firmware from ring 0 or ring 3 is just a cat-and-mouse game, and attackers are usually going to be one step ahead in this game.
Kaspersky has a product that has been in existence for a few years: https://www.kaspersky.com/about/pre...s-world-s-first-anti-malware-product-for-uefi and https://usa.kaspersky.com/antivirus-for-uefi . As far as I am aware, it is a ROM-chip-based solution Kaspersky licenses to its OEM partners, primarily designed for security-sensitive corporate environments. Eset is the first to offer UEFI BIOS protection as a software solution integrated in its retail and endpoint products. -EDIT- With reference to the Kaspersky "red herring" thread, if I wanted an undetectable intelligence hack, this is where I would go. Since OEMs are actually "burning" the code to the ROM chip, nothing stops them from adding other assorted spying goodies at the same time.
Eset v11 English ver. has been released and I just recently installed it. Eset tech details on it still don't exist and in reality may never be published. Eset is "tight-lipped" on its proprietary technology. For example, very few details exist on its botnet protection. There is some info here that shows the alert you will receive if UEFI malware is detected: https://support.eset.com/kb6564/#UEFIScanner . Notable is that it is a scanner only and will not remove any UEFI BIOS malware. I also found that Intel Security, aka now McAfee again, developed a UEFI BIOS scanner that they released as open source on GitHub as part of Chipsec: https://github.com/chipsec/chipsec . This utility will compare a saved version of your UEFI BIOS to the current version.
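The baseline-versus-current comparison mentioned in the post above can be done with a few lines of your own once you have two SPI flash dumps (for example taken with `chipsec_util spi dump` or `flashrom -r` on a known-good machine, and again later). The example below is added here as an illustration; it is not code from any post in this thread nor from the chipsec project. It walks a dump for UEFI firmware volume headers (the `_FVH` signature sits at offset 0x28 of `EFI_FIRMWARE_VOLUME_HEADER` and the 64-bit `FvLength` at offset 0x20, per the UEFI PI specification), hashes each volume and each gap between volumes separately, and reports which region changed. Hashing the gaps matters because an implant does not have to live inside a volume: padding and other slack space are just as writable. The two "dumps" it checks are constructed in `build_dumps()` and are not real vendor images. Caveat for real use: a legitimate vendor BIOS update also changes the volumes, so re-take the baseline right after every update you applied yourself.

```python
"""Per-region comparison of a current SPI flash dump against a known-good baseline.

Added example (not from the forum thread or from chipsec). Firmware volume
header offsets follow the UEFI PI spec; all sample images are constructed here.
"""
from __future__ import annotations

import hashlib
import struct
import sys
from dataclasses import dataclass

FV_SIGNATURE = b"_FVH"
FV_SIG_OFFSET = 0x28     # Signature field inside EFI_FIRMWARE_VOLUME_HEADER
FV_LENGTH_OFFSET = 0x20  # FvLength field (UINT64, little-endian)
FV_HEADER_LEN = 0x48     # header with one block-map entry plus terminator


@dataclass(frozen=True)
class Region:
    offset: int
    length: int
    kind: str    # "volume" (inside a firmware volume) or "gap" (everything else)
    sha256: str


def find_volumes(image: bytes) -> list[tuple[int, int]]:
    """Return (offset, length) of every well-formed firmware volume in the dump."""
    vols: list[tuple[int, int]] = []
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - FV_SIG_OFFSET
        if start >= 0:
            (length,) = struct.unpack_from("<Q", image, start + FV_LENGTH_OFFSET)
            end = start + length
            if length > FV_SIG_OFFSET + 4 and end <= len(image):
                vols.append((start, length))
                pos = image.find(FV_SIGNATURE, end)  # the next volume cannot begin inside this one
                continue
        pos = image.find(FV_SIGNATURE, pos + 1)      # stray signature bytes: keep scanning
    return vols


def regions(image: bytes) -> list[Region]:
    """Split the dump into volumes and the gaps between them, each with its own hash."""
    out: list[Region] = []
    cursor = 0
    for start, length in find_volumes(image) + [(len(image), 0)]:  # sentinel closes the last gap
        if start > cursor:
            out.append(Region(cursor, start - cursor, "gap",
                              hashlib.sha256(image[cursor:start]).hexdigest()))
        if length:
            out.append(Region(start, length, "volume",
                              hashlib.sha256(image[start:start + length]).hexdigest()))
        cursor = start + length
    return out


def compare(known_good: bytes, current: bytes) -> dict[str, list[Region]]:
    """Report regions of `current` whose hash differs from, or has no counterpart in, the baseline."""
    base = {(r.offset, r.kind): r for r in regions(known_good)}
    cur = {(r.offset, r.kind): r for r in regions(current)}
    report: dict[str, list[Region]] = {"changed": [], "added": [], "missing": []}
    for key, r in cur.items():
        if key not in base:
            report["added"].append(r)
        elif base[key].sha256 != r.sha256:
            report["changed"].append(r)
    report["missing"] = [r for key, r in base.items() if key not in cur]
    return report


def make_volume(body: bytes, block_size: int = 0x1000) -> bytes:
    """Build a minimal firmware volume (constructed test data, not a vendor image)."""
    total = FV_HEADER_LEN + len(body)
    total += (-total) % block_size                                   # FvLength is whole blocks
    hdr = bytearray(16)                                              # ZeroVector
    hdr += bytes.fromhex("78e58c8c3d8a1c4f9935896185c32dd3")          # EFI_FIRMWARE_FILE_SYSTEM2_GUID (LE)
    hdr += struct.pack("<Q", total) + FV_SIGNATURE                   # FvLength, Signature
    hdr += struct.pack("<IHHHBB", 0x0004FEFF, FV_HEADER_LEN, 0, 0, 0, 2)  # Attributes..Revision
    hdr += struct.pack("<II", total // block_size, block_size)       # one block-map entry
    hdr += struct.pack("<II", 0, 0)                                  # block-map terminator
    assert len(hdr) == FV_HEADER_LEN
    return bytes(hdr) + body.ljust(total - FV_HEADER_LEN, b"\xff")


def build_dumps() -> tuple[bytes, bytes, bytes]:
    """Constructed sample: known-good dump, one with a patched DXE volume, one with an implant in padding."""
    pad = b"\xff" * 0x200
    pei = make_volume(b"PEI core and modules " * 20)
    dxe = make_volume(b"DXE core, drivers, SMM handlers " * 40)
    good = pad + pei + pad + dxe + pad
    patched = bytearray(good)                       # a byte flipped inside the DXE volume body
    patched[len(pad) + len(pei) + len(pad) + 0x100] ^= 0xFF
    implant = bytearray(good)                       # code dropped into padding; volumes untouched
    gap_off = len(pad) + len(pei) + 0x10
    implant[gap_off:gap_off + 8] = b"\xe8\x00\x00\x00\x00\x90\x90\x90"
    return good, bytes(patched), bytes(implant)


if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: compare_dumps.py baseline.bin current.bin
        with open(sys.argv[1], "rb") as a, open(sys.argv[2], "rb") as b:
            good, current = a.read(), b.read()
    else:
        good, current, _ = build_dumps()
    for verdict, regs in compare(good, current).items():
        for r in regs:
            print(f"{verdict:8s} {r.kind:7s} offset=0x{r.offset:X} length=0x{r.length:X}")
```

On the constructed samples the patched image reports a single changed volume and the implant image a single changed gap while every volume still hashes identically, which is the case a scanner that only looks inside firmware volumes would miss. Run it with two real dumps as arguments to compare them the same way.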
It's worth distinguishing between bootkits and firmware implants. Given that UEFI is a standard (not to mention that most commercial implementations share the same parts of the open-source reference UEFI implementation), bootkits need not be so victim-specific.
Using a motherboard with a dual BIOS is a great way to recover from UEFI malware: https://www.gigabyte.com/microsite/55/tech_081226_dualbios.htm Also, I wouldn't use an in-Windows BIOS flash if infected. Make sure you have a BIOS backup on a USB stick you can flash from.
I wouldn't be so sure; there are not that many motherboard manufacturers, and I think their BIOS versions span entire product lines. Anyone capable enough could modify the downloadable flash BIOS updates from all of them. The attack could consist of an initial malware infection that first compromises the system, then queries that system for its motherboard and BIOS info, then downloads the appropriate poisoned BIOS version from the malware creators' server and installs it. A nation-state actor would have the resources to develop such an attack.
In theory you are right, but in practice I don't believe you or I would be a target worth the cost of developing such malware.
No, we wouldn't, but once it had been developed, to be used on who or what was considered to be a high value target, the cost of using it thereafter on others would be minimal.
I don't know how it worked when BIOS was around, but UEFI can actually refuse to update because there could be some issue with the digital signature of the update. An infected UEFI could use that to justify not updating itself with the legitimate UEFI provided by the manufacturer.
Given the lack of trust and asymmetry in the costs that are borne, this is a huge problem - automated attack tools based on grotty selectors and minimal oversight. Even worse, there's a lifetime to these things where their unique/NOBUS value becomes degraded (maybe 6 months now?) - and from there it progresses to other nation states, nasty attack tool vendors, to virtual open hacker source.
Google is trying to replace some of its firmware inside servers with more trusted open-source components. Slides from the Embedded European Linux Conference: https://schd.ws/hosted_files/osseu17/84/Replace UEFI with Linux.pdf Page 12: