What they also don't explain is whether you can stop these bootkits from installing by blocking access to the MBR and by blocking driver installation.
The video shows that installation is done by simply copying a file to the EFI system partition and rebooting. So if you don't want to get infected by this UEFI bootkit, you should not give malware access to the EFI system partition, nor copy this file yourself to the EFI system partition. I'm not a Windows expert, but I strongly suspect that a Windows standard user account does not have read-write access to this partition by default, or that it is not mounted by default at all.
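Since the post above boils the attack down to "a file gets written to the EFI system partition", one practical check is to inventory the ESP and diff it against a baseline taken from a known-good state. The script below is an added example written for this thread, not code from the article, the video, or ESET: it walks a directory tree that is assumed to be the mounted ESP (on Windows, `mountvol S: /S` mounts it on `S:`; on Linux it is usually `/boot/efi`), records the SHA-256 of every file, flags which files are PE images (EFI applications and drivers are PE/COFF), and reports anything added or modified since the baseline. The demo builds a constructed fake ESP in a temporary directory with dummy PE bytes; the paths and file contents are invented for illustration.

```python
"""Inventory an EFI System Partition (ESP) and diff it against a saved baseline.

Added example for the forum thread; the ESP layout and file contents used in
demo() are constructed, not taken from a real system or from the article.
"""
import hashlib
import tempfile
from pathlib import Path


def is_pe(path: Path) -> bool:
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"


def inventory(esp_root) -> dict:
    """Map relative path -> {sha256, size, pe} for every file under esp_root."""
    root = Path(esp_root)
    result = {}
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            result[rel] = {
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                "size": p.stat().st_size,
                "pe": is_pe(p),
            }
    return result


def diff_inventory(baseline: dict, current: dict) -> dict:
    """Classify files as added, removed, or modified relative to the baseline."""
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    modified = sorted(
        k for k in current
        if k in baseline and current[k]["sha256"] != baseline[k]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def suspicious(report: dict, current: dict) -> list:
    """Added or modified PE images: new or changed EFI applications/drivers."""
    return sorted(k for k in report["added"] + report["modified"] if current[k]["pe"])


def fake_pe(payload: bytes) -> bytes:
    """Minimal bytes that satisfy is_pe(): MZ header, e_lfanew=0x40, 'PE\\0\\0'."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\0\0" + payload


def demo():
    """Constructed scenario: baseline a fake ESP, then drop a new EFI app into it."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        boot = esp / "EFI" / "Microsoft" / "Boot"
        boot.mkdir(parents=True)
        (boot / "bootmgfw.efi").write_bytes(fake_pe(b"stand-in for the boot manager"))
        (boot / "BCD").write_bytes(b"stand-in for the boot configuration store")
        baseline = inventory(esp)  # in practice, store this outside the ESP

        # What the thread describes: something with write access copies an
        # EFI application onto the partition and edits boot configuration.
        dropped = esp / "EFI" / "Boot"
        dropped.mkdir(parents=True)
        (dropped / "bootx64.efi").write_bytes(fake_pe(b"stand-in for a dropped loader"))
        (boot / "BCD").write_bytes(b"edited boot configuration store")

        current = inventory(esp)
        report = diff_inventory(baseline, current)
        return report, suspicious(report, current)


if __name__ == "__main__":
    rep, sus = demo()
    print("added:", rep["added"])
    print("modified:", rep["modified"])
    print("new/changed EFI images to investigate:", sus)
```

Two caveats a practitioner would want: keep the baseline somewhere the ESP-writing process cannot reach (otherwise it can be rewritten along with the loader), and note that a hash diff says nothing about signatures. A check that only verifies Secure Boot signatures would not have flagged the loader in the article, because it was legitimately signed; a change from the baseline is the more useful signal here.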
Per the Bleepingcomputer.com article; -EDIT- Here's the article from ESET, who discovered the vulnerability: https://www.welivesecurity.com/en/e...k-uefi-secure-boot-introducing-cve-2024-7344/
That's quite a lengthy article, but it sums things up from its first reporting throughout the duration. I make special note that it must be quite a list of devs who were certified with the 2011 MS stamp.
OK I see, thanks. I remember that the Petya ransomware tried to modify the MBR, but this bootkit attack is different. In other words, you need to block access to the EFI system partition. I believe SpyShelter 12 is capable of blocking access to boot data. And if you read the article, you can see that these bootkits often try to load a driver; this should still be detectable. https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/