Security News > 2022 > April > How Microsoft blocks vulnerable and malicious drivers in Defender, third-party security tools and in Windows 11
While there are some malicious drivers that are deliberately crafted to compromise PCs, the most problems come from a small number of legitimate drivers with accidental flaws in, said David Weston, VP of Enterprise and OS Security at Microsoft.
"Think about some of the driver cases recently where a certificate leaked from a giant vendor. If we revoke that, everyone's devices may stop working. We need more of a precision mechanism to do blocking while we work towards the longer approach of revocation. The Vulnerable Driver Block List allows the user to do that with a very precise list that Microsoft has validated. We look at things like how many devices would stop working? Have we worked with a vendor to have a fix? We think the list is a good balance for folks who want security, but also want the confidence that Microsoft has done the telemetry and analysis."
HVCI and the Microsoft Vulnerable Driver Blocklist are among the hardware security options that are now on by default on many Windows 11 PCs - and this is one of the reasons for the stricter system requirements for Windows 11.
Windows Defender Application Control, which lets you create policies for what applications and drivers can run on a PC, is no longer restricted to just the Enterprise version of Windows.
The Device Health Attestation API in Windows is a way for not just Microsoft security tools but third-party options like AirWatch and Mobile Iron to protect the security agent running on the system from the kind of tampering malicious drivers permit attackers to do.
Like HVCI, the driver blocklists and the other security features that are on by default in Windows 11, smart app control will only be on by default if you buy a new PC with Windows 11 or do a clean install.
News URL
Related news
- New 'Defendnot' tool tricks Windows into disabling Microsoft Defender (source)
- Week in review: Microsoft patches exploited Windows CLFS 0-day, WinRAR MotW bypass flaw fixed (source)
- Microsoft: Windows Server 2025 restarts break connectivity on some DCs (source)
- Microsoft: New Windows updates fix Active Directory policy issues (source)
- Microsoft tells Windows users to ignore 0x80070643 WinRE errors (source)
- Don't delete that mystery empty folder. Windows put it there as a security fix (source)
- Microsoft: Some devices offered Windows 11 upgrades despite Intune blocks (source)
- Widespread Microsoft Entra lockouts tied to new security feature rollout (source)
- Microsoft fixes Windows Server 2025 blue screen, install issues (source)
- Microsoft fixes Remote Desktop freezes caused by Windows updates (source)