Last week, Microsoft unveiled a new web portal through which users and researchers can report malicious drivers to the company’s security team.
The new Vulnerable and Malicious Driver Reporting Center is essentially a web form that allows users to upload a copy of a malicious driver, which is then analyzed by a Microsoft automated scanner.
On a technical level, Microsoft claims that this automated scanner can detect techniques that are typically used by malicious drivers.
Positive scans are reported and forwarded to a member of Microsoft’s security team for a more thorough investigation.
The center and its scanner, according to Microsoft, can analyze drivers for both 32-bit and 64-bit architectures, and users are encouraged to report any driver they suspect contains malware or vulnerable code.
Malicious drivers are blacklisted, and vulnerable drivers are reported to their respective vendors.
Microsoft revealed that it has launched the portal because drivers have become more common in the tooling of both nation-states and cybercriminal gangs, particularly ransomware gangs, in recent years.
To gain admin privileges on a compromised host, in most cases threat actors exploit vulnerabilities in old and unpatched drivers, or even purposefully downgrade and install older drivers.