133 Windows drivers with valid Microsoft signatures found crawling with malware

<i3d1bi9suepjjjnn0vhtnf9fst488jsrd2@4ax.com>

Newsgroups: alt.comp.os.windows-11,alt.comp.os.windows-10
 by: Char Jackson - Fri, 14 Jul 2023 02:38 UTC

133 Windows drivers with valid Microsoft signatures found crawling with
malware
<https://www.pcworld.com/article/1991875/caution-malware-in-133-windows-drivers-this-is-how-microsoft-reacts.html>

Malware is found in over 100 drivers for Windows, despite valid
signatures. Microsoft reacts and suspends the licences of many
developers.

People who keep their computers up to date and regularly install the
updates offered for Windows hope to have a secure PC. But it has now
become known that 133 drivers officially signed by Microsoft contain
malware. It’s a particularly dangerous problem because these drivers are
loaded and installed by the operating system without prompting.

Malware with a certificate of authenticity?

Microsoft has apparently been familiar with the problem for a while and
reacted as part of the most recent monthly Windows update. The 133
affected drivers were blocked and the accounts of the respective
developers were locked. But how could it ever come to this, that
officially released drivers contain malware?

Stolen certificates

According to Microsoft, all drivers had a valid signature. This allowed
them to secure administrator rights. This would have made it possible to
monitor compromised systems at any time. The drivers would have come
from different Microsoft partners, and the discovered accounts have now
been suspended. The developer certificates used to sign the
malware-infused drivers were apparently stolen by the software
manufacturers and sold over the internet.

Offline scan recommended

Since Windows has been able to detect malicious drivers on its own since
March 2023, Microsoft recommends regularly updating Windows Defender and
also applying Windows updates. To detect potentially malicious drivers
that may have been installed before March 2, 2023, an offline scan of
the system is also recommended. The bad drivers are now automatically
collected in a revocation list integrated in Windows, including numerous
drivers with certificates from China.

Re: 133 Windows drivers with valid Microsoft signatures found crawling with malware

<u94e1f$1asll$5@dont-email.me>

 by: josh allen - Mon, 17 Jul 2023 22:06 UTC

On 7/13/2023 10:38 PM, Char Jackson wrote:
>
> 133 Windows drivers with valid Microsoft signatures found crawling with
> malware
> <https://www.pcworld.com/article/1991875/caution-malware-in-133-windows-drivers-this-is-how-microsoft-reacts.html>
>
> Malware is found in over 100 drivers for Windows, despite valid
> signatures. Microsoft reacts and suspends the licences of many
> developers.
>
> People who keep their computers up to date and regularly install the
> updates offered for Windows hope to have a secure PC. But it has now
> become known that 133 drivers officially signed by Microsoft contain
> malware. It’s a particularly dangerous problem because these drivers are
> loaded and installed by the operating system without prompting.
>
> Malware with a certificate of authenticity?
>
> Microsoft has apparently been familiar with the problem for a while and
> reacted as part of the most recent monthly Windows update. The 133
> affected drivers were blocked and the accounts of the respective
> developers were locked. But how could it ever come to this, that
> officially released drivers contain malware?
>
> Stolen certificates
>
> According to Microsoft, all drivers had a valid signature. This allowed
> them to secure administrator rights. This would have made it possible to
> monitor compromised systems at any time. The drivers would have come
> from different Microsoft partners, and the discovered accounts have now
> been suspended. The developer certificates used to sign the
> malware-infused drivers were apparently stolen by the software
> manufacturers and sold over the internet.
>
> Offline scan recommended
>
> Since Windows has been able to detect malicious drivers on its own since
> March 2023, Microsoft recommends regularly updating Windows Defender and
> also applying Windows updates. To detect potentially malicious drivers
> that may have been installed before March 2, 2023, an offline scan of
> the system is also recommended. The bad drivers are now automatically
> collected in a revocation list integrated in Windows, including numerous
> drivers with certificates from China.
>

Well you can't trust certificates these days, damn. Better off compiling
from source these drivers but then Microsoft has a near monopoly of
desktop computers because Windows has great driver support.

Re: 133 Windows drivers with valid Microsoft signatures found crawling with malware

<u9aujv$2l2ie$1@toylet.eternal-september.org>

 by: Mr. Man-wai Chang - Thu, 20 Jul 2023 09:26 UTC

On 7/14/2023 10:38 AM, Char Jackson wrote:
>
> 133 Windows drivers with valid Microsoft signatures found crawling with
> malware
> <https://www.pcworld.com/article/1991875/caution-malware-in-133-windows-drivers-this-is-how-microsoft-reacts.html>

I guess all drivers should be open-sourced, and licensed by governments?

Without source codes, not even governments can manage them!!! ;)

Re: 133 Windows drivers with valid Microsoft signatures found crawling with malware

<u9b0m8$2lgo9$1@dont-email.me>

 by: Paul - Thu, 20 Jul 2023 10:01 UTC

On 7/20/2023 5:26 AM, Mr. Man-wai Chang wrote:
> On 7/14/2023 10:38 AM, Char Jackson wrote:
>>
>> 133 Windows drivers with valid Microsoft signatures found crawling with
>> malware
>> <https://www.pcworld.com/article/1991875/caution-malware-in-133-windows-drivers-this-is-how-microsoft-reacts.html>
>
> I guess all drivers should be open-sourced, and licensed by governments?
>
> Without source codes, not even governments can manage them!!! ;)

Any mechanism that is better-designed than the current one,
would be a start.

Paul

Re: 133 Windows drivers with valid Microsoft signatures found crawling with malware

<ub31fb.5n4.1@ID-201911.user.individual.net>

 by: Frank Slootweg - Thu, 10 Aug 2023 14:02 UTC

On July 14, Char Jackson <none@none.invalid> referenced/quoted PCWorld:
>
> 133 Windows drivers with valid Microsoft signatures found crawling with
> malware
> <https://www.pcworld.com/article/1991875/caution-malware-in-133-windows-drivers-this-is-how-microsoft-reacts.html>
>
> Malware is found in over 100 drivers for Windows, despite valid
> signatures. Microsoft reacts and suspends the licences of many
> developers.
>
> People who keep their computers up to date and regularly install the
> updates offered for Windows hope to have a secure PC. But it has now
> become known that 133 drivers officially signed by Microsoft contain
> malware. It’s a particularly dangerous problem because these drivers are
> loaded and installed by the operating system without prompting.
>
> Malware with a certificate of authenticity?
>
> Microsoft has apparently been familiar with the problem for a while and
> reacted as part of the most recent monthly Windows update. The 133
> affected drivers were blocked and the accounts of the respective
> developers were locked. But how could it ever come to this, that
> officially released drivers contain malware?
>
> Stolen certificates
>
> According to Microsoft, all drivers had a valid signature. This allowed
> them to secure administrator rights. This would have made it possible to
> monitor compromised systems at any time. The drivers would have come
> from different Microsoft partners, and the discovered accounts have now
> been suspended. The developer certificates used to sign the
> malware-infused drivers were apparently stolen by the software
> manufacturers and sold over the internet.
>
> Offline scan recommended
>
> Since Windows has been able to detect malicious drivers on its own since
> March 2023, Microsoft recommends regularly updating Windows Defender and
> also applying Windows updates. To detect potentially malicious drivers
> that may have been installed before March 2, 2023, an offline scan of
> the system is also recommended. The bad drivers are now automatically
> collected in a revocation list integrated in Windows, including numerous
> drivers with certificates from China.

Since nearly a month has passed:

Did anybody do an (Microsoft Defender Antivirus) offline scan? If so,
what were the results?

Should we do an offline scan, or are things under control after the
mentioned Windows Update update and ongoing Microsoft Defender (not
'Windows Defender') updates?

N.B. I did an offline scan, because on my (Windows 11) system, the
'Security providers' page of Windows Security for some reason showed 'No
providers' for both 'Antivirus' and 'Firewall', instead of 'Microsoft
Defender Antivirus' and 'Windows Firewall'.

I tried to fix this with the tips from some Google searches, but the
simple/sane things (services, etc.) did not help and I did not want to
do the drastic things (sfc, dism, System Restore, system Reset, etc.).

I noted that a Quick/Full/Customised scan did not even start, so I
tried an offline scan. That worked (without errors). 'Security
providers' still said 'No providers', but now a Quick scan worked
(without errors). After the Quick scan, 'Security providers' correctly
reported 'Microsoft Defender Antivirus is turned on.' and 'Windows
Firewall is turned on.'. So all was back to normal.

Re: 133 Windows drivers with valid Microsoft signatures found crawling with malware

<ub3gco$g7ji$1@dont-email.me>

 by: Paul - Thu, 10 Aug 2023 20:13 UTC

On 8/10/2023 10:02 AM, Frank Slootweg wrote:
> On July 14, Char Jackson <none@none.invalid> referenced/quoted PCWorld:
>>
>> 133 Windows drivers with valid Microsoft signatures found crawling with
>> malware
>> <https://www.pcworld.com/article/1991875/caution-malware-in-133-windows-drivers-this-is-how-microsoft-reacts.html>
>>
>> Malware is found in over 100 drivers for Windows, despite valid
>> signatures. Microsoft reacts and suspends the licences of many
>> developers.
>>
>> People who keep their computers up to date and regularly install the
>> updates offered for Windows hope to have a secure PC. But it has now
>> become known that 133 drivers officially signed by Microsoft contain
>> malware. It’s a particularly dangerous problem because these drivers are
>> loaded and installed by the operating system without prompting.
>>
>> Malware with a certificate of authenticity?
>>
>> Microsoft has apparently been familiar with the problem for a while and
>> reacted as part of the most recent monthly Windows update. The 133
>> affected drivers were blocked and the accounts of the respective
>> developers were locked. But how could it ever come to this, that
>> officially released drivers contain malware?
>>
>> Stolen certificates
>>
>> According to Microsoft, all drivers had a valid signature. This allowed
>> them to secure administrator rights. This would have made it possible to
>> monitor compromised systems at any time. The drivers would have come
>> from different Microsoft partners, and the discovered accounts have now
>> been suspended. The developer certificates used to sign the
>> malware-infused drivers were apparently stolen by the software
>> manufacturers and sold over the internet.
>>
>> Offline scan recommended
>>
>> Since Windows has been able to detect malicious drivers on its own since
>> March 2023, Microsoft recommends regularly updating Windows Defender and
>> also applying Windows updates. To detect potentially malicious drivers
>> that may have been installed before March 2, 2023, an offline scan of
>> the system is also recommended. The bad drivers are now automatically
>> collected in a revocation list integrated in Windows, including numerous
>> drivers with certificates from China.
>
> Since nearly a month has passed:
>
> Did anybody do an (Microsoft Defender Antivirus) offline scan? If so,
> what were the results?
>
> Should we do an offline scan, or are things under control after the
> mentioned Windows Update update and ongoing Microsoft Defender (not
> 'Windows Defender') updates?
>
> N.B. I did an offline scan, because on my (Windows 11) system, the
> 'Security providers' page of Windows Security for some reason showed 'No
> providers' for both 'Antivirus' and 'Firewall', instead of 'Microsoft
> Defender Antivirus' and 'Windows Firewall'.
>
> I tried to fix this with the tips from some Google searches, but the
> simple/sane things (services, etc.) did not help and I did not want to
> do the drastic things (sfc, dism, System Restore, system Reset, etc.).
>
> I noted that a Quick/Full/Customised scan did not even start, so I
> tried an offline scan. That worked (without errors). 'Security
> providers' still said 'No providers', but now a Quick scan worked
> (without errors). After the Quick scan, 'Security providers' correctly
> reported 'Microsoft Defender Antivirus is turned on.' and 'Windows
> Firewall is turned on.'. So all was back to normal.
>

Yes, that's "normal" for Microsoft Defender.

It's late for work some mornings, and it blames
the lousy public transit for being tardy. Sometimes,
it's found asleep at its desk. And it takes more than
a half-hour for lunch.

I have seen all sorts of behaviors, including the Real Time Protection
slider being in the OFF position, and when you move it to the ON position,
it snaps back to OFF. Humorous stuff. It specializes in stunts like that.

Who knows what goes on, during an Offline Scan. Does it repair stuff?
Let me check the Technical Note page for the product. Oh.

Paul
