In addition to this, there are other features that are capable of offering initial protection. These include:

Windows Defender – It offers comprehensive protection for your system, files, and online activities from malware and other threats. The tool makes use of signatures to detect and quarantine apps known to be malicious in nature.

SmartScreen Filter – It always issues a warning to users before allowing them to run an untrustworthy app.

Here, it is important to bear in mind that these features are capable of offering protection only after Windows 10 starts. Most modern malware, and bootkits in particular, can run even before Windows starts, thereby lying hidden and completely bypassing operating system security.

Fortunately, Windows 10 provides protection even during startup. How? Well, for this, we first need to understand what rootkits are and how they work. Thereafter, we can delve deeper into the subject and see how the Windows 10 protection system works.

Rootkits

Rootkits are a set of tools a cracker uses to take control of a device. The cracker tries to install a rootkit on a computer by first obtaining user-level access, either by exploiting a known vulnerability or by cracking a password, and then retrieving the required information. The rootkit conceals the fact that the operating system has been compromised by replacing vital executables. Different types of rootkits run during different phases of the startup process. Windows 10 has 4 features that secure the Windows 10 boot process and guard against these threats.

Securing the Windows Boot Process

Secure Boot

Secure Boot is a security standard developed by members of the PC industry to help you protect your system from malicious programs by not allowing any unauthorized applications to run during the system start-up process. The feature makes sure that your PC boots using only software that is trusted by the PC manufacturer. So, whenever your PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs) and the operating system. If the signatures are verified, the PC boots and the firmware gives control to the operating system.
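As an added illustration (not code from the original article or from Microsoft), the following Python model shows the decision the firmware makes for each piece of boot software described above: hash the image, consult the revocation list (dbx) first, then the allow list (db), and stop the chain at the first component that fails. The component names, image bytes and the hash-only form of the databases are constructed assumptions; real firmware also verifies Authenticode signatures against certificates stored in db.

```python
"""Simplified model of the Secure Boot check: firmware hashes each piece of boot
software and consults an allow list (db) and a revocation list (dbx) before
handing control to it. Added example; components and hashes are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass
class BootComponent:
    name: str
    image: bytes  # the component's binary (constructed placeholder bytes here)


def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


class SecureBootPolicy:
    """Stand-in for the UEFI signature databases: 'db' lists trusted image hashes,
    'dbx' lists revoked ones. Real firmware also accepts signer certificates; the
    hash form is enough to show the decision logic."""

    def __init__(self, db, dbx=()):
        self.db = set(db)
        self.dbx = set(dbx)

    def verify(self, component: BootComponent) -> bool:
        h = image_hash(component.image)
        if h in self.dbx:
            return False  # revocation wins even if the hash is still listed in db
        return h in self.db

    def revoke(self, component: BootComponent) -> None:
        self.dbx.add(image_hash(component.image))


def boot(policy: SecureBootPolicy, chain):
    """Check each stage in boot order; stop at the first unverified component.
    Returns (booted, trace) where trace lists (stage name, verdict)."""
    trace = []
    for comp in chain:
        ok = policy.verify(comp)
        trace.append((comp.name, "verified" if ok else "rejected"))
        if not ok:
            return False, trace
    return True, trace


# Constructed boot chain, in the order the firmware hands over control.
OPTION_ROM = BootComponent("firmware driver (Option ROM)", b"constructed option rom image v1")
BOOTLOADER = BootComponent("Windows Boot Manager", b"constructed boot manager image v1")
KERNEL = BootComponent("Windows kernel", b"constructed kernel image v1")
CHAIN = [OPTION_ROM, BOOTLOADER, KERNEL]


def trusted_policy() -> SecureBootPolicy:
    """Policy as shipped by the (constructed) PC manufacturer: every chain member is in db."""
    return SecureBootPolicy(db=[image_hash(c.image) for c in CHAIN])


def boot_clean():
    return boot(trusted_policy(), CHAIN)


def boot_with_tampered_bootloader():
    """A bootkit that patches the boot manager changes its hash, so db no longer matches
    and the firmware never reaches the kernel."""
    patched = BootComponent(BOOTLOADER.name, BOOTLOADER.image + b" [patched]")
    return boot(trusted_policy(), [OPTION_ROM, patched, KERNEL])


def boot_with_revoked_bootloader():
    """A once-trusted bootloader that has since been placed in dbx is refused
    even though its hash is still present in db."""
    policy = trusted_policy()
    policy.revoke(BOOTLOADER)
    return boot(policy, CHAIN)


if __name__ == "__main__":
    for label, (booted, trace) in [("clean", boot_clean()),
                                   ("tampered", boot_with_tampered_bootloader()),
                                   ("revoked", boot_with_revoked_bootloader())]:
        print(f"{label}: booted={booted}")
        for name, verdict in trace:
            print(f"  {name}: {verdict}")
```

The revoked case is the one worth noticing: a component is refused as soon as it is listed in dbx, regardless of db, which is how firmware keeps an older, trusted-but-flawed boot component from being loaded again.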

Trusted Boot

The Windows bootloader uses the Virtual Trusted Platform Module (VTPM) to verify the digital signature of the Windows 10 kernel before loading it. The kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been altered or changed to any extent, the bootloader detects it, recognizes it as a corrupted component, and refuses to load it. In short, it provides a chain of trust for all the components during boot.

Early Launch Anti-Malware

Early launch anti-malware (ELAM) provides protection for the computers in a network when they start up and before third-party drivers initialize. After Secure Boot has protected the bootloader and Trusted Boot has completed the task of safeguarding the Windows kernel, the role of ELAM begins. It closes the remaining loophole that malware could use to start an infection by infecting a non-Microsoft boot driver: the feature immediately loads a Microsoft or non-Microsoft anti-malware solution before those drivers run. This extends the chain of trust established earlier by Secure Boot and Trusted Boot.

Measured Boot

It has been observed that PCs infected with rootkits continue to appear healthy, even with anti-malware running. If these infected PCs are connected to an enterprise network, they pose a serious risk to other systems by opening routes for the rootkits to access vast amounts of confidential data. Measured Boot in Windows 10 allows a trusted server on the network to verify the integrity of the Windows startup process by using the following processes. With all this information at hand, the server can determine whether the client is healthy and grant the client access to either a limited quarantine network or to the full network. Read the full details on Microsoft.
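As an added example (not code from the original article or from Microsoft), the following Python model shows the mechanism Measured Boot relies on: each stage hashes the next component, extends a PCR register with that hash and records an event-log entry; the server then replays the log, checks that it reproduces the reported PCR value, and compares every measurement against the values it expects for a healthy client. The component names, images and the single-PCR layout are constructed assumptions; a real TPM keeps many PCRs, signs the PCR values it reports, and uses the TCG-defined log format, none of which is modelled here.

```python
"""Simplified model of Measured Boot and remote health attestation.
Added example with constructed data. The reported PCR stands in for a TPM quote,
which a real TPM signs so a compromised OS cannot report a clean value."""
import hashlib

PCR_INITIAL = bytes(32)  # a PCR starts as all zeros at power-on


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """The TPM extend operation: the new value depends on every earlier one, so a
    measurement cannot be removed or reordered without changing the final PCR."""
    return sha256(pcr + measurement)


def measured_boot(components):
    """Client side: measure each component in boot order, extend the PCR, log the event.
    Returns (final_pcr, event_log) where event_log is a list of (name, measurement)."""
    pcr = PCR_INITIAL
    log = []
    for name, image in components:
        m = sha256(image)
        pcr = extend(pcr, m)
        log.append((name, m))
    return pcr, log


def replay_log(log) -> bytes:
    """Recompute the PCR from the log alone; the server uses this to check the log."""
    pcr = PCR_INITIAL
    for _, m in log:
        pcr = extend(pcr, m)
    return pcr


def attest(reported_pcr: bytes, log, expected):
    """Server side. Returns ('full', []) when the log replays to the reported PCR and
    every entry matches the expected healthy measurement; otherwise ('quarantine', reasons)."""
    reasons = []
    if replay_log(log) != reported_pcr:
        reasons.append("event log does not reproduce the reported PCR value")
    logged = {name for name, _ in log}
    for name, m in log:
        if expected.get(name) != m:
            reasons.append(f"unexpected measurement for {name}")
    for name in expected:
        if name not in logged:
            reasons.append(f"missing measurement for {name}")
    return ("full" if not reasons else "quarantine"), reasons


# Constructed healthy boot chain, in boot order.
HEALTHY = [
    ("Windows Boot Manager", b"constructed boot manager image v1"),
    ("Windows kernel", b"constructed kernel image v1"),
    ("ELAM driver", b"constructed elam driver image v1"),
    ("non-Microsoft boot driver", b"constructed vendor boot driver image v1"),
]
# A rootkit has replaced the vendor boot driver; everything else is unchanged.
INFECTED = HEALTHY[:3] + [("non-Microsoft boot driver", b"constructed vendor boot driver [rootkit]")]


def expected_measurements():
    """Golden values the server holds for a known-good client (constructed)."""
    return {name: sha256(image) for name, image in HEALTHY}


def attest_healthy():
    pcr, log = measured_boot(HEALTHY)
    return attest(pcr, log, expected_measurements())


def attest_infected():
    """The infected client reports honestly: the log is consistent with the PCR,
    but one measurement is not the expected one."""
    pcr, log = measured_boot(INFECTED)
    return attest(pcr, log, expected_measurements())


def attest_forged_log():
    """The infected client sends the healthy log while the TPM-held PCR reflects
    what was really measured: the replay no longer matches the PCR."""
    pcr, _ = measured_boot(INFECTED)
    _, clean_log = measured_boot(HEALTHY)
    return attest(pcr, clean_log, expected_measurements())


if __name__ == "__main__":
    for label, fn in [("healthy", attest_healthy), ("infected", attest_infected),
                      ("forged log", attest_forged_log)]:
        verdict, reasons = fn()
        print(f"{label}: {verdict} {reasons}")
```

The forged-log case is why the PCR value must come from the TPM rather than from the operating system: the server trusts the log only because replaying it reproduces a value the OS could not have altered, so a rootkit that hides from anti-malware on the client still cannot hide from the server.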