Microsoft confirms: Windows fails to detect dangerous drivers – block lists not updated

Windows[German]Windows 10/11 and its server pendants should block known, malicious drivers when they are loaded, so that they cannot cause any damage, as Microsoft has claimed for years. Now, Microsoft has secretly admitted that they made a mistake there. Because the updates that are responsible for defining a  driver blocking list in Windows were probably never reliably published or updated. However, administrators can update the block lists manually.


I was alerted to the issue by blog reader Robert via email over the weekend, but I also came across the issue via the series of subsequent tweets by Dan Goodin.

Windows doesn't detect malicious drivers

The short version from the tweets is: For years, Microsoft employees have claimed that Windows can automatically block a list of malicious drivers that is regularly updated via Windows Update. Now they have tacitly admitted that these updates were never released. German blog reader Robert also wrote within his mail:

today I came across the following article. So for three years the protection against driver attacks does not work because the list of blocked drivers is not updated.

This update can be made up according to the article, a future Windows update should fix this at some point….

And core isolation should be enabled in Windows – no idea what that means for performance.

Windwos coreisolation

The article How a Microsoft blunder opened millions of PCs to potent malware attack, Rober G. refers to was published by Dan Goodin at Arstechnica.


What is it about?

To access devices (peripherals, hard disks, keyboard, mouse, etc.), Windows needs appropriate drivers provided by manufacturers. Many drivers run in the address space of the Windows kernel or exchange data with the kernel and must run with appropriate permissions.

Malware therefore uses a technique known as BYOVD ("bring your own vulnerable driver") to gain administrative control over Windows or an operating system via existing vulnerabilities in legitimate Windows drivers. I had reported over the weekend in the blog post BlackByte ransomware disables security solutions via Windows drivers about a case that uses exactly this attack technique. 

Even when driver developers patch a vulnerability, the old driver versions often remain in use on millions of devices because the drivers are not updated. Microsoft therefore claimed for years that it maintained a list of known malicious drivers that was pushed to machines via Windows Update. Based on the driver list, Windows could block the loading of such malicious drivers.

This actually eliminates the danger – an argument to switch to "newer Windows versions", since only there the technology is used. There are even hints from Microsoft on how to fix certain problems with the so-called core isolation, which is responsible for this driver blocking, in Windows. I had reported about such a case in 2020 in the blog post Fix: Windows 10 driver blocked by core isolation

Windows protection does not work

In the past few years, malware has been able to carry out a number of successful attacks using the BYOVD technique. Dan Goodin lists relevant examples in his article. Microsoft is aware of the problem, of course, and Redmond has also taken defensive measures to block these attack vectors. On March 17, 2022, Microsoft published this article to show how TPM 2.0, HVCI and other security techniques in the Microsoft-defined "Secured PC" should make such attacks come to naught.

The most common mechanism for blocking drivers is a combination of memory integrity and HVCI, Goodin writes. The acronym HVCI stands for Hypervisor-Protected Code Integrity. This feature is implemented in Windows 10 and Windows 11 and is designed to prevent malicious drivers from being loaded and causing damage to Windows. Microsoft also gives advice in the support article on what administrators can do if the protection function blocks incompatible drivers and Windows no longer works as expected.

For years, Microsoft's credo has been that they had the problem with malicious drivers under control through the above protection mechanisms. However, security researchers like Will Dormann observed that various drivers known to be malicious from BYOVD attacks were loaded under Windows without any problems, despite the protection mechanisms being activated.

Windows loads malicious driver although HVCI is enabled

n the above tweet, Will Dormann points out that a vulnerable driver called WinRing0 loaded without a problem on his lab machines, even with HVCI enabled. Dormann complains that Microsoft's documentation is confusing. Only those who use an Insider Preview build of Windows 11 from the "Dev Channel" get to see the "Microsoft Vulnerable Driver Blocklist." On the other hand, Microsoft has articles on Windows 10 and Windows Server 2016 that mention the use of the "Microsoft Vulnerable Driver Blocklist." 

But Dormann's observations brought the issue to the attention of various people, and eventually a Microsoft project manager had to admit that something had gone wrong with the driver blocklist update process. The whole thing comes from the following tweet, in which Jeffry Sutherland from Microsoft responds to a tweet from Brian in Pittsburg. 

Windows driver block list not updated

The manager confirms that there are problems with the distribution of blocklists via update and that they have updated the documentation. Microsoft will "fix the issues with its maintenance process that have prevented devices from receiving policy updates," he said.

Updating the driver blocklist manually

Coinciding with the above tweet, Microsoft released a tool (see Steps to download and apply the vulnerable driver blocklist binary section) along with instructions that Windows 10/11 users can use to manually deploy the blocklist updates that have not been rolled out for years. 

Goodin also points to a PowerShell solution by Will Dormann for administrators to manually update the blocklist updates via WDAC. To do so, enter the following command in an administrative PowerShell console:

ApplyWDACPolicy -auto -enforce

However, these are only solutions that update this driver blocklist once. Administrators need to repeat the whole thing cyclically to keep the list up to date. Currently it is unknown when these blocklist updates will be distributed automatically. Dan Goodin writes in his ArsTechnica article that after manually updating the blocklists, a driver with known vulnerabilities that are exploited by malware are blocked on Windows.

Of course, the case sheds light on the fact that there is a lot wrong with Microsoft's corporate culture. Without the testing of Will Dormann and other security researchers, nothing would have changed in this case. Microsoft would have continued to maintain its Potemkin village of a secure HVCI environment, but users' systems would have remained unprotected. 

Similar articles
Windows 10 V1803: HCVI causes driver error code 39
Fix: Windows 10 driver blocked by core isolation
BlackByte ransomware disables security solutions via Windows drivers

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Windows and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *