  • Posts: 9
  • Registered: ‎09-27-2018
  • Location: US
  • Views: 131
  • Message 1 of 16

Lenovo Yoga 920 does not meet Microsoft's standard hardware security requirements

2018-09-27, 18:06 PM

The first UEFI rootkit has been spotted in the wild, called LoJax (**bleep**ized/trojanized version of Absolute Software's LoJack) and it's apparently very nasty if it compromises your computer - the malware can survive Windows reinstallation, and replacement of the motherboard is the only way to make sure it's gone.  Read more from security vendor ESET here: 

 

https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf

 

So, this alarming news led me to look at my protection against LoJax.  In Windows/Defender Device Security Center, I see that my Yoga does not meet standard hardware security requirements set by Microsoft.  I'm curious if other Lenovo devices (ThinkPads, etc.) show the same result under the Defender Device Security Center.  There are four requirements (well, actually six) to meet standard according to MS:

Your device meets the requirements for standard hardware security

This means your device supports memory integrity and core isolation and also has:

  • TPM 2.0 (also referred to as your security processor)
  • Secure boot enabled
  • DEP
  • UEFI MAT

 

Without me configuring anything manually, my device had Secure Boot enabled and it has a TPM 2.0 chip also enabled by default.  My question and reason for the post -  which of the other two security hardware requirements (DEP or UEFI MAT) does this computer not meet?  There's no indication in Windows Defender Device Security Center. 

 

Posting to a MS forum about these questions, a tech referred to more documentation for OEMs regarding security requirements and said 'it's the responsibility of the OEM manufacturer to make sure they're meeting these minimum requirements'.

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-security-considerations

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure

 

Lenovo - the question remains.  How do I make my Yoga 920 'highly secure', per Microsoft's recommendations?

As of today, I have no way to know for certain if my device is vulnerable to LoJax and even if the hacker groups responsible for LoJax FancyBear/Strontium etc. aren't targeting me specifically I would think this is a major concern for anyone running Lenovo devices for personal or business use.


  • Posts: 9
  • Registered: ‎09-27-2018
  • Location: US
  • Views: 131
  • Message 2 of 16

Post removed regarding Yoga 920 not meeting Microsoft's recommended hardware security requirements?

2018-09-27, 18:29 PM

Interesting... just spent quite a bit of time composing a post about my Lenovo 920 apparently not meeting Microsoft's hardware requirements, and the post has disappeared.  Did a moderator from Lenovo remove it?

 

LoJax is a dangerous and difficult-to-remove malware spotted in the wild now, and I'd like to know how my Yoga 920 can at least meet Microsoft's recommended hardware requirements.

 

Microsoft Documentation: requirements for highly secure OEM devices

Windows Defender Device Security Center - Lenovo Yoga 920 does not meet standard security

ESET whitepaper: LoJax Malware Spotted in the Wild


  • Posts: 9
  • Registered: ‎09-27-2018
  • Location: US
  • Views: 131
  • Message 3 of 16

recommendations for preventing UEFI rootkit attack now found in wild

2018-09-27, 18:41 PM

What are Lenovo's specific recommendations around prevention of UEFI rootkit malware attacks? 

 

LoJax: first UEFI rootkit found in the wild


  • Posts: 8504
  • Registered: ‎01-13-2008
  • Location: US
  • Views: 2201169
  • Message 4 of 16

Re: Post removed regarding Yoga 920 not meeting Microsoft's recommended hardware security requiremen

2018-09-27, 19:37 PM

 wrote:

Interesting....just spent quite a bit of time composing a post about my Lenovo 920 apparently not meeting Microsoft's hardware requirements, and the post has disappeared.  Did a moderator from Lenovo remove it?

...

Nope.  The automated spam filters can be overly aggressive at times.  Dug the original post out of the bin and restored it above.  (I think that's the one to which you refer...)

 

Z.


The large print: please read the Community Participation Rules before posting. Include as much information as possible: model, machine type, operating system, and a descriptive subject line. Do not include personal information: serial number, telephone number, email address, etc.


The fine print: I do not work for, nor do I speak for Lenovo. Unsolicited private messages will be ignored - questions and answers belong in the forum so that others may contribute and benefit. ... GeezBlog

 


  • Posts: 9
  • Registered: ‎09-27-2018
  • Location: US
  • Views: 131
  • Message 5 of 16

Re: Lenovo Yoga 920 does not meet Microsoft's standard hardware security requirements

2018-09-27, 20:30 PM

Update - if Secure Boot is enabled in Windows Defender Device Security Center (by default it appears that it is), then you are protected against unsigned code execution prior to UEFI startup.   Therefore, protected against LoJax.  At least that's how I interpret ESET's recommendation for preventing this UEFI rootkit.


  • Posts: 3906
  • Registered: ‎12-11-2015
  • Location: US
  • Views: 49672
  • Message 6 of 16

Re: recommendations for preventing UEFI rootkit attack now found in wild

2018-09-27, 22:10 PM

Per the ESET write-up, enabling Secure Boot prevents the execution of the unsigned driver used by this and any other UEFI rootkit threat, so the best advice is to always ensure that Secure Boot is enabled in the BIOS settings of your system.

 

Cheers,

 


  • Posts: 3852
  • Registered: ‎12-02-2007
  • Location: US
  • Views: 189443
  • Message 7 of 16

Re: recommendations for preventing UEFI rootkit attack now found in wild

2018-09-30, 11:20 AM

Hello,

 

Here's how to enable DEP (Data Execution Prevention) under Windows 10, step-by-step:

 

1.  Run the System Properties (filename: SYSDM.CPL) Control Panel Applet.  The System Properties window will appear.

2.  Click or tap on the Advanced tab to view the Advanced properties.

3.  In the Performance section, click or tap on the Settings button.  The Performance Options window will appear.

4.  Click or tap on the Data Execution Prevention tab to view the current DEP settings.

5.  Select the Turn on DEP for all programs and services except those I select: option.  This will enable DEP on the computer for all programs, except the one(s) you have added via the Add button.

6.  Click on the Apply button to commit the changes, and then the OK button to close the dialog.

 

If at any time you need to reconfigure DEP, you can get at it through these same instructions.

 

Regards,

 

Aryeh Goretsky

 

 



I am a volunteer and neither a Lenovo nor a Microsoft employee.

L380 YogaP72 (20MB-*)P50 (20EN-*)S230u (3347-4HU)T23 (2648-LU7)T42 (2378-R4U)T43p (2678-H7U)T61p (6459-CTO)W510 (4318-CTO)W530 (2441-4R3)W530 (2441-4R3)X100e (3508-CTO)X120e (0596-CTO)X220 (4286-CTO)X250 (20CM-*)Yoga 370

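As an added illustration (this script is not part of the thread, nor Lenovo's or Microsoft's own tooling), the following PowerShell reports the items from the Device Security Center list quoted in the first post (Secure Boot, TPM 2.0, DEP, memory integrity) and shows the command-line equivalent of step 5 of the DEP instructions above. It uses only documented cmdlets and WMI/CIM classes: Confirm-SecureBootUEFI, Win32_Tpm, Win32_OperatingSystem and Win32_DeviceGuard. The function name is my own, and the script does not test for UEFI MAT, which none of these classes exposes.

```powershell
# Added example, not from the thread: summarise the "standard hardware
# security" items on a Windows 10 machine. Run from an elevated PowerShell;
# Confirm-SecureBootUEFI and Win32_Tpm both require administrator rights.
#Requires -RunAsAdministrator

function Get-StandardHardwareSecurityReport {
    # Secure Boot state. The cmdlet throws on legacy-BIOS systems, which we
    # treat as "not enabled".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # TPM: Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; keep the first field.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # DEP policy as reported by the OS: 0 AlwaysOff, 1 AlwaysOn,
    # 2 OptIn (Windows default), 3 OptOut (step 5 of the instructions above).
    $depPolicy = [int](Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    $depNames  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

    # Device Guard view: SecurityServicesRunning contains 2 when memory
    # integrity (HVCI) is running; AvailableSecurityProperties contains 1 when
    # hypervisor support (needed for core isolation) is available.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvciRunning  = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)
    $hvAvailable  = ($null -ne $dg) -and ($dg.AvailableSecurityProperties -contains 1)

    [pscustomobject]@{
        SecureBootEnabled = $secureBoot
        TpmSpecVersion    = $tpmSpec
        Tpm20             = ($tpmSpec -like '2.0*')
        DepPolicy         = $depNames[$depPolicy]
        DepSystemWide     = ($depPolicy -in 1, 3)   # AlwaysOn or OptOut
        MemoryIntegrityOn = [bool]$hvciRunning
        HypervisorSupport = [bool]$hvAvailable
    }
}

Get-StandardHardwareSecurityReport | Format-List

# Command-line equivalent of step 5 ("Turn on DEP for all programs and services
# except those I select"), i.e. the OptOut policy. Uncomment to apply; the new
# setting takes effect after a reboot.
# bcdedit /set "{current}" nx OptOut
```

A machine that shows SecureBootEnabled, Tpm20 and MemoryIntegrityOn as True and DepPolicy as OptOut or AlwaysOn has all of the listed items this script can observe; whether the firmware provides a UEFI Memory Attributes Table is a question for the firmware vendor.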

  • Posts: 7
  • Registered: ‎10-04-2018
  • Location: US
  • Views: 156
  • Message 8 of 16

Re: Lenovo Yoga 920 does not meet Microsoft's standard hardware security requirements

2018-10-04, 16:20 PM

 wrote:

The first UEFI rootkit has been spotted in the wild, called LoJax (**bleep**ized/trojanized version of Absolute Software's LoJack) and it's apparently very nasty if it compromises your computer - the malware can survive Windows reinstallation, and replacement of the motherboard is the only way to make sure it's gone.  Read more from security vendor ESET here: 

https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf

...


Refresh - if Secure Boot is empowered in Windows Defender Device Security Center (as a matter of course it gives the idea that it is), at that point you are ensured against unsigned code execution before UEFI startup. In this manner, ensured against LoJax. At any rate that is the means by which I translate ESET's proposal for keeping this UEFI rootkit.


  • Posts: 9
  • Registered: ‎09-27-2018
  • Location: US
  • Views: 131
  • Message 9 of 16

Re: recommendations for preventing UEFI rootkit attack now found in wild

2018-10-04, 17:08 PM

Thank you, Aryeh!  Someone else outside of this Lenovo forum mentioned the UEFI MAT setting is likely to be the one that's not meeting Microsoft's secure device baseline.  Does anyone have info on how to enable UEFI MAT?


  • Posts: 3852
  • Registered: ‎12-02-2007
  • Location: US
  • Views: 189443
  • Message 10 of 16

Re: recommendations for preventing UEFI rootkit attack now found in wild

2018-10-11, 7:57 AM

Hello,

 

The UEFI Memory Attributes Table (MAT) is defined as a feature of UEFI v2.6.  You can download the various versions of the specification from the UEFI Forum's web site at http://www.uefi.org/specifications.  As for whether or not the feature is implemented by Lenovo in your model, you will likely need to contact Lenovo directly and open a support ticket to ask, as that's not the kind of information that's likely to be available in this peer-to-peer support forum.

 

While it's a good idea to make your computer as secure as possible, it is also a good idea to be realistic about the level of threat exposure to it.  The LoJax EFI rootkit was something used on a handful of computers belonging to various governments by an adversary very determined to maintain persistent access to those computers and their networks.  That is not a threat model that most people or even most businesses have exposure to -- or even most government computers, for that matter.

 

Regards,

 

Aryeh Goretsky

 
