mohairrug (Message 1 of 11, registered 09-27-2018)

Lenovo Yoga 920 does not meet Microsoft's standard hardware security requirements

The first UEFI rootkit has been spotted in the wild, called LoJax (a trojanized version of Absolute Software's LoJack), and it's apparently very nasty if it compromises your computer: the malware can survive Windows reinstallation, and replacement of the motherboard is the only way to make sure it's gone.  Read more from security vendor ESET here:

https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf

So, this alarming news led me to look at my protection against LoJax.  In Windows Defender Device Security Center, I see that my Yoga does not meet the standard hardware security requirements set by Microsoft.  I'm curious if other Lenovo devices (ThinkPads, etc.) show the same result under the Defender Device Security Center.  There are four requirements (well, actually six) to meet "standard" according to MS:

Your device meets the requirements for standard hardware security

This means your device supports memory integrity and core isolation and also has:

  • TPM 2.0 (also referred to as your security processor)
  • Secure boot enabled
  • DEP
  • UEFI MAT

Without me configuring anything manually, my device had Secure Boot enabled and it has a TPM 2.0 chip also enabled by default.  My question and reason for the post: which of the other two hardware security requirements (DEP or UEFI MAT) does this computer not meet?  There's no indication in Windows Defender Device Security Center.

Posting to an MS forum about these questions, a tech referred to more documentation for OEMs regarding security requirements and said "it's the responsibility of the OEM manufacturer to make sure they're meeting these minimum requirements".

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-security-considerati...

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure

Lenovo - the question remains.  How do I make my Yoga 920 'highly secure', per Microsoft's recommendations?

As of today, I have no way to know for certain if my device is vulnerable to LoJax, and even if the hacker groups responsible for LoJax (FancyBear/Strontium, etc.) aren't targeting me specifically, I would think this is a major concern for anyone running Lenovo devices for personal or business use.
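The Device Security Center only shows one "does not meet" banner, so the following is an added example (not from the original post, nor Lenovo's or Microsoft's own tooling) that checks each of the four listed items plus memory integrity from an elevated PowerShell and names whichever one fails; it also serves the later question in this thread about which item the Yoga 920 misses. The WMI class and property names and their value encodings are Microsoft's (Win32_Tpm.SpecVersion, Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy, Win32_DeviceGuard.AvailableSecurityProperties and SecurityServicesRunning). Reading AvailableSecurityProperties value 5 (the "UEFI Code Readonly" entry msinfo32 shows) as the sign that the firmware publishes a Memory Attributes Table is my interpretation, not something stated in this thread, and the function name is mine.

```powershell
# Added example: audit the "standard hardware security" items that Windows Defender
# Security Center lists. Run from an elevated PowerShell on Windows 10 1709 or later.
# Assumption (mine): DeviceGuard property 5 ("UEFI Code Readonly") implies a UEFI MAT.
#Requires -RunAsAdministrator

function Get-HardwareSecurityAudit {
    $result = [ordered]@{}

    # 1. TPM 2.0 ("security processor"). SpecVersion looks like "2.0, 0, 1.16".
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result['TPM 2.0'] = [bool]($tpm -and $tpm.SpecVersion -like '2.0*')

    # 2. Secure Boot. Confirm-SecureBootUEFI throws on a legacy-BIOS boot; treat that as "no".
    try   { $result['Secure Boot'] = [bool](Confirm-SecureBootUEFI) }
    catch { $result['Secure Boot'] = $false }

    # 3. DEP. SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut. Anything but 0 counts.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $result['DEP'] = [bool]($os.DataExecutionPrevention_Available -and
                            $os.DataExecutionPrevention_SupportPolicy -ne 0)

    # 4. UEFI MAT. Value 5 in AvailableSecurityProperties is the "UEFI Code Readonly"
    #    item; firmware without a Memory Attributes Table does not expose it (assumption).
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result['UEFI MAT'] = [bool]($dg -and ($dg.AvailableSecurityProperties -contains 5))

    # Memory integrity (HVCI): SecurityServicesRunning contains 2 when it is running.
    $result['Memory integrity running'] = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    [pscustomobject]$result
}

$audit = Get-HardwareSecurityAudit
$audit | Format-List
$failing = $audit.PSObject.Properties | Where-Object { -not $_.Value } | ForEach-Object Name
if ($failing) { Write-Warning "Not met: $($failing -join ', ')" }
else          { 'All standard hardware security items are met.' }
```

Confirm-SecureBootUEFI and the TPM class both need administrator rights, which is why the script refuses to run unelevated; on a machine where the DeviceGuard namespace is absent (older Windows 10 builds) the MAT and memory integrity rows simply report false rather than erroring out.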

mohairrug (Message 2 of 11, registered 09-27-2018)

Post removed regarding Yoga 920 not meeting Microsoft's recommended hardware security requirements?

Interesting... just spent quite a bit of time composing a post about my Lenovo 920 apparently not meeting Microsoft's hardware requirements, and the post has disappeared.  Did a moderator from Lenovo remove it?

LoJax is a dangerous and difficult-to-remove malware spotted in the wild now, and I'd like to know how my Yoga 920 can at least meet Microsoft's recommended hardware requirements.

[Attachment: Microsoft Documentation: requirements for highly secure OEM devices]

[Attachment: Windows Defender Device Security Center - Lenovo Yoga 920 does not meet standard security]

[Attachment: ESET whitepaper: LoJax Malware Spotted in the Wild]

mohairrug (Message 3 of 11, registered 09-27-2018)

recommendations for preventing UEFI rootkit attack now found in wild

What are Lenovo's specific recommendations around prevention of UEFI rootkit malware attacks?

[Attachment: LoJax: first UEFI rootkit found in the wild]
Community SeniorMod (Message 4 of 11, registered 01-13-2008)

Re: Post removed regarding Yoga 920 not meeting Microsoft's recommended hardware security requirements


@mohairrug wrote:

Interesting....just spent quite a bit of time composing a post about my Lenovo 920 apparently not meeting Microsoft's hardware requirements, and the post has disappeared.  Did a moderator from Lenovo remove it?

...

Nope.  The automated spam filters can be overly aggressive at times.  Dug the original post out of the bin and restored it above.  (I think that's the one to which you refer...)

Z.

mohairrug (Message 5 of 11, registered 09-27-2018)

Re: Lenovo Yoga 920 does not meet Microsoft's standard hardware security requirements

Update - if Secure Boot is enabled in Windows Defender Device Security Center (by default it appears that it is), then you are protected against unsigned code execution prior to UEFI startup.   Therefore, protected against LoJax.  At least that's how I interpret ESET's recommendation for preventing this UEFI rootkit.

JDGillis (Message 6 of 11, registered 12-11-2015)

Re: recommendations for preventing UEFI rootkit attack now found in wild

Per the ESET write-up, enabling Secure Boot prevents the execution of the unsigned driver used by this and any other UEFI rootkit threats, so the best advice is to always ensure that Secure Boot is enabled in the BIOS settings of your system.

Cheers,
Community SeniorMod (Message 7 of 11, registered 12-01-2007)

Re: recommendations for preventing UEFI rootkit attack now found in wild

Hello,

Here's how to enable DEP (Data Execution Prevention) under Windows 10, step-by-step:

1.  Run the System Properties (filename: SYSDM.CPL) Control Panel Applet.  The System Properties window will appear.

2.  Click or tap on the Advanced tab to view the Advanced properties.

3.  In the Performance section, click or tap on the Settings button.  The Performance Options window will appear.

4.  Click or tap on the Data Execution Prevention tab to view the current DEP settings.

5.  Select the "Turn on DEP for all programs and services except those I select:" option.  This will enable DEP on the computer for all programs, except the one(s) you have added via the Add button.

6.  Click on the Apply button to commit the changes, and then the OK button to close the dialog.

If at any time you need to reconfigure DEP, you can get at it through these same instructions.

Regards,

Aryeh Goretsky

I am a volunteer and neither a Lenovo nor a Microsoft employee.
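The command-line equivalent of those six steps, added here as an example and not part of the post above: the dialog's "Turn on DEP for all programs and services except those I select" option is the OptOut policy in the boot entry's nx setting, so bcdedit can set it, and Win32_OperatingSystem reports which policy the running kernel actually applied, which is why the function shows both and flags when a reboot is still pending. The policy names AlwaysOff, AlwaysOn, OptIn and OptOut are bcdedit's own; the function names are mine.

```powershell
# Added example: set DEP to OptOut from an elevated PowerShell and show the
# running policy next to the boot-entry policy. Requires administrator rights.
#Requires -RunAsAdministrator

function Get-RunningDepPolicy {
    # The policy the kernel booted with: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut.
    $names = 'AlwaysOff', 'AlwaysOn', 'OptIn', 'OptOut'
    $names[(Get-CimInstance -ClassName Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy]
}

function Get-BootEntryDepPolicy {
    # bcdedit prints one "nx <policy>" line when the value is set on the entry.
    # Braces are quoted so PowerShell does not parse {current} as a script block.
    $line = (& bcdedit.exe /enum '{current}') -match '^\s*nx\s'
    if ($line) { ($line[0] -replace '^\s*nx\s+', '').Trim() }
    else       { '(not set; Windows client defaults to OptIn)' }
}

function Set-DepOptOut {
    $running = Get-RunningDepPolicy
    # Write the boot entry; the change takes effect at the next boot, not immediately.
    & bcdedit.exe /set '{current}' nx OptOut | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
    [pscustomobject]@{
        RunningPolicy   = $running
        BootEntryPolicy = Get-BootEntryDepPolicy
        RebootRequired  = ($running -ne 'OptOut')
    }
}

Set-DepOptOut
```

Per-program exceptions (the Add button in step 5) are not touched by this; they are still added through the dialog. If bcdedit reports that the boot configuration data store could not be opened, the prompt is not elevated.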
mohairrug (Message 8 of 11, registered 09-27-2018)

Re: recommendations for preventing UEFI rootkit attack now found in wild

Thank you, Aryeh!  Someone else outside of this Lenovo forum mentioned the UEFI MAT setting is likely to be the one that's not meeting Microsoft's secure device baseline.  Does anyone have info on how to enable UEFI MAT?

Community SeniorMod (Message 9 of 11, registered 12-01-2007)

Re: recommendations for preventing UEFI rootkit attack now found in wild

Hello,

The UEFI Memory Attributes Table (MAT) is defined as a feature of UEFI v2.6.  You can download the various versions of the specification from the UEFI Forum's web site at http://www.uefi.org/specifications.  As for whether or not the feature is implemented by Lenovo in your model, you will likely need to contact Lenovo directly and open a support ticket to ask, as that's not the kind of information that's likely to be available in this peer-to-peer support forum.

While it's a good idea to make your computer as secure as possible, it is also a good idea to be realistic about the level of threat exposure to it.  The LoJax EFI rootkit was something used on a handful of computers belonging to various governments by an adversary very determined to maintain persistent access to those computers and their networks.  That is not a threat model that most people or even most businesses have exposure to--or even most government computers, for that matter.

Regards,

Aryeh Goretsky
mohairrug (Message 10 of 11, registered 09-27-2018)

Re: recommendations for preventing UEFI rootkit attack now found in wild

Thanks, Aryeh.  I realize devices are safe from LoJax if they have Secure Boot enabled in Windows Defender Security Center, but I still think it's odd that at least my device, the Yoga 920, doesn't meet the Microsoft security standard for hardware, according to Windows Defender Security:

[Attachment: Windows Defender Device Security Center - Lenovo Yoga 920 does not meet standard security]