09-27-2018 11:06 AM
The first UEFI rootkit has been spotted in the wild, called LoJax (**bleep**ized/trojanized version of Absolute Software's LoJack) and it's apparently very nasty if it compromises your computer - the malware can survive Windows reinstallation, and replacement of the motherboard is the only way to make sure it's gone. Read more from security vendor ESET here:
So, this alarming news led me to look at my protection against LoJax. In Windows Defender Device Security Center, I see that my Yoga does not meet standard hardware security requirements set by Microsoft. I'm curious if other Lenovo devices (ThinkPads, etc.) show the same result under the Defender Device Security Center. There are four requirements (well, actually six) to meet standard according to MS:
Your device meets the requirements for standard hardware security
This means your device supports memory integrity and core isolation and also has:
Without me configuring anything manually, my device had Secure Boot enabled and it has a TPM 2.0 chip also enabled by default. My question and reason for the post - which of the other two security hardware requirements (DEP or UEFI MAT) does this computer not meet? There's no indication in Windows Defender Device Security Center.
Posting to a MS forum about these questions, a tech referred to more documentation for OEMs regarding security requirements and said 'it's the responsibility of the OEM manufacturer to make sure they're meeting these minimum requirements'.
Lenovo - the question remains. How do I make my Yoga 920 'highly secure', per Microsoft's recommendations?
As of today, I have no way to know for certain if my device is vulnerable to LoJax and even if the hacker groups responsible for LoJax FancyBear/Strontium etc. aren't targeting me specifically I would think this is a major concern for anyone running Lenovo devices for personal or business use.
09-27-2018 11:29 AM
Interesting....just spent quite a bit of time composing a post about my Lenovo 920 apparently not meeting Microsoft's hardware requirements, and the post has disappeared. Did a moderator from Lenovo remove it?
LoJax is a dangerous and difficult to remove malware spotted in the wild now, and I'd like to know how my Yoga 920 can at least meet Microsoft's recommended hardware requirements.
09-27-2018 12:37 PM
Interesting....just spent quite a bit of time composing a post about my Lenovo 920 apparently not meeting Microsoft's hardware requirements, and the post has disappeared. Did a moderator from Lenovo remove it?
Nope. The automated spam filters can be overly aggressive at times. Dug the original post out of the bin and restored it above. (I think that's the one to which you refer...)
The large print: please read the Community Participation Rules before posting. Include as much information as possible: model, machine type, operating system, and a descriptive subject line. Do not include personal information: serial number, telephone number, email address, etc.
The fine print: I do not work for, nor do I speak for Lenovo. Unsolicited private messages will be ignored - questions and answers belong in the forum so that others may contribute and benefit. ... GeezBlog
09-27-2018 01:30 PM
Update - if Secure Boot is enabled in Windows Defender Device Security Center (by default it appears that it is), then you are protected against unsigned code execution prior to UEFI startup. Therefore, you are protected against LoJax. At least that's how I interpret ESET's recommendation for preventing this UEFI rootkit.
09-27-2018 03:10 PM
Per the ESET write-up, the enabling of Secure Boot prevents the execution of the unsigned driver used by this and any other UEFI rootkit threats, so the best advice is to always ensure that Secure Boot is enabled in the BIOS settings of your system.
09-30-2018 04:20 AM
Here's how to enable DEP (Data Execution Prevention) under Windows 10, step-by-step:
1. Run the System Properties (filename: SYSDM.CPL) Control Panel Applet. The System Properties window will appear.
2. Click or tap on the Advanced tab to view the Advanced properties.
3. In the Performance section, click or tap on the Settings button. The Performance Options window will appear.
4. Click or tap on the Data Execution Prevention tab to view the current DEP settings.
5. Select the 'Turn on DEP for all programs and services except those I select' option. This will enable DEP on the computer for all programs, except the one(s) you have added via the Add button.
6. Click on the Apply button to commit the changes, and then the OK button to close the dialog.
If at any time you need to reconfigure DEP, you can get at it through these same instructions.
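Added example (not posted by anyone in this thread): an elevated PowerShell audit of the "standard hardware security" items the original post lists (Secure Boot, TPM 2.0, DEP) so you can see which one your machine fails, and a readout of the DEP policy that the six GUI steps above change. The cmdlets and WMI classes used (Confirm-SecureBootUEFI, Get-Tpm, Win32_Tpm, Win32_OperatingSystem) are standard Windows 10 ones; UEFI MAT has no PowerShell query, so it is only reported as not checkable here.

```powershell
# Added example for this thread: audit Secure Boot, TPM 2.0 and DEP from an
# elevated PowerShell prompt. UEFI MAT cannot be read from PowerShell.

# Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS or unsupported systems.
try {
    $secureBoot = [bool](Confirm-SecureBootUEFI)
} catch {
    $secureBoot = $false   # not booted via UEFI, or the query is unsupported
}

# TPM: Get-Tpm gives presence/readiness; Win32_Tpm.SpecVersion is e.g. "2.0, 0, 1.16".
$tpm    = Get-Tpm
$tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
$tpmVersion = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { 'none' }
$tpm20Ready = $tpm.TpmPresent -and $tpm.TpmReady -and ($tpmVersion -eq '2.0')

# DEP: DataExecutionPrevention_Available is the hardware (NX) capability that the
# Defender check cares about; SupportPolicy is the boot setting the GUI steps change:
#   0 AlwaysOff, 1 AlwaysOn, 2 OptIn (Windows programs only), 3 OptOut (all but exceptions)
# Step 5 above ("all programs and services except those I select") is OptOut (3).
$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$depPolicy = [int]$os.DataExecutionPrevention_SupportPolicy

[PSCustomObject]@{
    SecureBootEnabled = $secureBoot
    TpmSpecVersion    = $tpmVersion
    Tpm20Ready        = $tpm20Ready
    DepHardwareAvail  = [bool]$os.DataExecutionPrevention_Available
    DepPolicy         = $depNames[$depPolicy]
    UefiMat           = 'not checkable from PowerShell; ask the OEM or check the firmware version'
} | Format-List
```

The command-line equivalent of step 5 is `bcdedit /set nx OptOut` followed by a reboot; the script above will then report DepPolicy as OptOut.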
10-04-2018 10:08 AM
Thank you, Aryeh! Someone else outside of this Lenovo forum mentioned the UEFI MAT setting is likely to be the one that's not meeting Microsoft's secure device baseline. Does anyone have info on how to enable UEFI MAT?
10-11-2018 12:57 AM - edited 10-11-2018 01:01 AM
The UEFI Memory Attributes Table (MAT) is defined as a feature of UEFI v2.6. You can download the various versions of the specification from the UEFI Forum's web site at http://www.uefi.org/specifications. As for whether or not the feature is implemented by Lenovo in your model, you will likely need to contact Lenovo directly and open a support ticket to ask, as that's not the kind of information that's likely to be available in this peer-to-peer support forum.
While it's a good idea to make your computer as secure as possible, it is also a good idea to be realistic about the level of threat exposure to it. The LoJax EFI rootkit was something used on a handful of computers belonging to various governments by an adversary very determined to maintain persistent access to those computers and their networks. That is not a threat model that most people or even most businesses have exposure to--or even most government computers, for that matter.
10-11-2018 10:48 AM
Thanks, Aryeh. I realize devices are safe from LoJax if they have secure boot enabled in Windows Defender Security Center, but I still think it's odd that at least my device - Yoga 920 - doesn't meet the Microsoft security standard for hardware, according to Windows Defender Security: