Microsoft to leverage Intel CPUs to detect crypto-mining malware

Microsoft said today that it is rolling out an update to the commercial version of the Defender antivirus that will now be capable of using a little-known Intel CPU security feature to detect crypto-mining malware at the processor level.

The technology, known as Intel TDT (Threat Detection Technology), works by exposing CPU heuristics and telemetry to security software so the data can be analyzed using machine learning for malicious code that evaded antivirus engines at the operating system level.

Microsoft explains:

This technology [the TDT] is based on telemetry signals coming directly from the PMU, the unit that records low-level information about performance and microarchitectural execution characteristics of instructions processed by the CPU. Coin miners make heavy use of repeated mathematical operations, and this activity is recorded by the PMU, which triggers a signal when a certain usage threshold is reached. The signal is processed by a layer of machine learning which can recognize the footprint generated by the specific activity of coin mining. Since the signal comes exclusively from the utilization of the CPU, caused by execution characteristics of malware, it is unaffected by common antimalware evasion techniques such as binary obfuscation or memory-only payloads.
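The thresholding step in the quoted description, as an added example that is not Microsoft's or Intel's code. TDT reads PMU counters beneath the OS and its model is not public, so this script does the same kind of check one level up: it samples each process's CPU time with Get-Process and flags a process only after its usage stays above a threshold for several consecutive windows, which is what keeps a short legitimate burst (a build, a video encode) from tripping the alarm. The threshold, window count, interval and the two sample arrays are assumptions.

```powershell
# Added example: sustained-CPU detector with a consecutive-window requirement.
# This is the thresholding idea from the quote applied to OS-level telemetry; Intel TDT
# applies it to PMU counters below the OS, which user-mode PowerShell cannot read.
# Threshold, window count and interval are assumptions, not Intel's or Microsoft's values.

function Test-SustainedLoad {
    param(
        [double[]]$Samples,            # utilisation per window, 100 = one logical core busy
        [double]$Threshold = 80,       # assumed: a miner pins at least this much of a core
        [int]$ConsecutiveWindows = 6   # assumed: windows in a row that must exceed it
    )
    $run = 0
    for ($i = 0; $i -lt $Samples.Count; $i++) {
        if ($Samples[$i] -ge $Threshold) {
            $run++
            if ($run -ge $ConsecutiveWindows) { return $i }   # index of the window that tripped
        } else {
            $run = 0   # one quiet window resets the run, so bursts never accumulate
        }
    }
    return -1
}

# One measurement window: per-process CPU utilisation from two Get-Process snapshots.
# .CPU is cumulative processor seconds, so delta / interval is "cores in use".
function Get-ProcessCpuWindow {
    param([int]$IntervalSeconds = 5)
    $before = @{}
    Get-Process | ForEach-Object { $before[$_.Id] = $_.CPU }
    Start-Sleep -Seconds $IntervalSeconds
    foreach ($p in Get-Process) {
        # protected/system processes report $null CPU from user mode; skip them
        if ($before.ContainsKey($p.Id) -and $null -ne $p.CPU -and $null -ne $before[$p.Id]) {
            [pscustomobject]@{
                Id   = $p.Id
                Name = $p.ProcessName
                Pct  = [math]::Round(100 * ($p.CPU - $before[$p.Id]) / $IntervalSeconds, 1)
            }
        }
    }
}

# Collect a history per PID and report the ones whose load never let go.
function Watch-SustainedCpu {
    param([int]$Windows = 12, [int]$IntervalSeconds = 5, [double]$Threshold = 80, [int]$Consecutive = 6)
    $history = @{}
    for ($w = 0; $w -lt $Windows; $w++) {
        foreach ($row in Get-ProcessCpuWindow -IntervalSeconds $IntervalSeconds) {
            if (-not $history.ContainsKey($row.Id)) {
                $history[$row.Id] = [System.Collections.Generic.List[double]]::new()
            }
            $history[$row.Id].Add($row.Pct)
        }
    }
    foreach ($id in $history.Keys) {
        $hit = Test-SustainedLoad -Samples $history[$id].ToArray() -Threshold $Threshold -ConsecutiveWindows $Consecutive
        if ($hit -ge 0) {
            $proc = Get-Process -Id $id -ErrorAction SilentlyContinue
            [pscustomobject]@{ Id = $id; Name = $proc.ProcessName; Path = $proc.Path; TrippedAtWindow = $hit }
        }
    }
}

# Constructed samples (not measured): a compiler burst versus a miner that never backs off.
$build = 95, 92, 90, 12, 4, 3, 97, 94, 2, 1, 0, 0
$miner = 98, 97, 99, 96, 98, 97, 99, 98, 97, 98, 99, 97
Test-SustainedLoad -Samples $build   # the quiet windows keep resetting the run
Test-SustainedLoad -Samples $miner   # the run reaches six and the index is returned

# Live run: one minute of sampling, then the list of processes that stayed hot throughout.
Watch-SustainedCpu -Windows 12 -IntervalSeconds 5 | Format-Table -AutoSize
```

The reset-on-quiet-window rule is the design choice worth copying: a plain moving average lets a long build creep over the line, while a consecutive-window rule only fires on load that never lets go, which is exactly the profile of a miner. What this OS-level version cannot do is attribute load that arrives inside a virtual machine: a miner in a guest shows up only as the hypervisor process (vmmem, VirtualBox) running hot, which the script will still list but cannot look inside, and that is the gap the CPU-level signal described in the article is meant to close.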

This is the third known case where Intel TDT is deployed in a real-world security product.

TDT was used for the first time in 2018 by Microsoft and Cisco to accelerate memory scans for their Windows Defender Advanced Threat Protection (now rebranded as Microsoft Defender for Endpoint) and Tetration platforms, respectively.

Earlier this year, Boston-based security firm Cybereason used TDT to create a ransomware detection module for its antivirus engine. This module worked similarly to Microsoft's new crypto-mining detection feature—by tapping into the TDT data stream to detect ransomware-specific operations at the CPU level.

Because of its unique insight and ability to work at the CPU level rather than the OS level, Intel TDT is expected to see broader adoption in the future.

This is especially relevant as more and more malware creators are adding antivirus evasion code to their malware, and as some cybercrime groups are realizing they could evade antivirus detection by hiding malware inside virtual machines. While a virtual machine may be able to hide malicious code from its parent OS, it can't hide it from the CPU.


Furthermore, the time is also right for broader TDT adoption. While the technology has been around for years, it took some time before TDT-capable CPUs made it into users' hands.

Intel said today that there are nearly a billion Intel TDT-capable PCs on the market, CPUs on which security vendors can now tap into TDT to deploy next-level detection capabilities.

Currently, TDT is included with Intel Core processors and with any Intel CPU series that supports Intel vPro, a collection of enterprise-centered technologies.

Unfortunately, the new crypto-mining detection capabilities are not supported on the free version of the Defender antivirus, which ships with all Windows 10 operating systems.

It is only supported in Microsoft Defender for Endpoint, the paid version of Defender, which comes with extra features and is sold only to enterprise customers.


FAQs


Can Microsoft Defender detect miners?

Some coin mining tools aren't considered malware but are detected as potentially unwanted applications (PUA). Many applications detected as PUA can negatively impact machine performance and employee productivity. In enterprise environments, you can stop adware, torrent downloaders, and coin mining by enabling PUA detection.
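Turning PUA detection on and confirming it from PowerShell, as an added example and not text from the page. Set-MpPreference, Get-MpPreference and Get-MpThreat are the standard Defender Antivirus cmdlets and need an elevated shell; unlike the TDT feature above, PUA protection is part of the antivirus engine on every Windows SKU. The name pattern used to pick coin miners out of the PUA detections is an assumption to adjust to what your tenant actually reports.

```powershell
# Added example: turn on PUA protection and confirm the setting took effect.
# PUAProtection values: 0 = Disabled (the weak setting), 1 = Enabled (block), 2 = AuditMode (log only).
function Enable-PuaProtection {
    [CmdletBinding()]
    param([switch]$AuditOnly)   # audit first if you fear false positives on admin tooling

    $before = (Get-MpPreference).PUAProtection
    $mode = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }
    Set-MpPreference -PUAProtection $mode          # needs an elevated shell

    $after = (Get-MpPreference).PUAProtection
    [pscustomobject]@{ Before = $before; After = $after; Applied = ($after -ne 0) }
}

# List PUA detections and mark the ones that look like miners. Defender names them
# "PUA:Win32/CoinMiner" and similar; the match pattern is an assumption.
function Get-PuaMinerDetections {
    Get-MpThreat |
        Where-Object { $_.ThreatName -like 'PUA:*' } |
        Select-Object ThreatName, ThreatID, SeverityID, IsActive,
            @{ n = 'LooksLikeMiner'; e = { $_.ThreatName -match 'CoinMiner|Miner' } } |
        Sort-Object LooksLikeMiner -Descending
}

# Roll out in audit mode first, read what it would have blocked, then switch to Enabled.
Enable-PuaProtection -AuditOnly
Get-PuaMinerDetections | Format-Table -AutoSize
Enable-PuaProtection
```

AuditMode is the safe rollout path: it logs the PUA verdicts without blocking, so a week of Get-PuaMinerDetections output tells you whether any legitimate admin tooling in the fleet would be caught before you flip the setting to Enabled.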

Can Windows Defender detect cryptojacking?

Microsoft 365 Defender uses its cross-workload detection capabilities to provide enhanced protection against cryptocurrency mining attacks.

How does a crypto mining virus work?

Cryptomining malware runs stealthily in the background, hijacking the victim's central processing unit (CPU) and graphics processing unit (GPU) to “mine” fresh bits of cryptocurrency by solving complex math problems that verify crypto transactions.

Does Windows Defender actually detect malware?

Microsoft Defender's real-time anti-malware protection runs whenever your device is on, keeping an eye out for malicious activity. Microsoft Defender will also run quick scans of your device on a daily basis, in case anything manages to elude the real-time protection.

How to check if someone is mining on your PC?

Is your PC infected with a crypto miner? Here's how to find out:
  1. High CPU or GPU usage.
  2. Increased fan noise and overheating.
  3. Decrease in performance.
  4. Unexplained network activity.
  5. Crashes and more crashes.
  6. Short battery life.
  7. Unknown processes in Task Manager.
  8. Blocked access to system monitoring tools.
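Checking signals 4, 7 and 8 from the list above on one suspect process, as an added example that is not part of the page: it pulls the executable path and Authenticode signature, the command line (pool URL and wallet usually sit there), the process's established TCP connections, and whether Task Manager has been disabled by policy. The pool port list and the command-line patterns are assumptions drawn from common miner configurations; a hit on them is a lead, not a verdict.

```powershell
# Added example: triage one suspect process, e.g. the one pinned at the top of Task Manager.
# Pool ports and command-line patterns are assumptions drawn from common miner setups;
# any port can be used, so treat a hit as a lead to investigate, not a verdict.
$script:PoolPorts = 3333, 4444, 5555, 7777, 14444

function Get-MinerTriage {
    param([Parameter(Mandatory)][int]$ProcessId)

    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    $cim  = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"

    # Who signed the binary? Unsigned or invalid is not proof, but miners are rarely signed.
    $sigStatus = 'NoPath'
    $signer = $null
    if ($proc.Path) {
        $sig = Get-AuthenticodeSignature -FilePath $proc.Path
        $sigStatus = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    # Signal 4: established connections owned by this PID, tagged with the pool-port heuristic.
    $conns = @(Get-NetTCPConnection -OwningProcess $ProcessId -State Established -ErrorAction SilentlyContinue |
        Select-Object RemoteAddress, RemotePort,
            @{ n = 'PoolPort'; e = { $_.RemotePort -in $script:PoolPorts } })

    # Signal 8: Task Manager disabled by policy is a common miner self-protection trick.
    $pol = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue

    # Signal 7 context: pool URL, wallet and donate-level flags tend to sit on the command line.
    $minerArgs = [bool]($cim.CommandLine -match 'stratum\+(tcp|ssl)|--donate-level|xmrig|-o\s+\S+:\d+')

    [pscustomobject]@{
        Id              = $ProcessId
        Name            = $proc.ProcessName
        Path            = $proc.Path
        Parent          = $cim.ParentProcessId
        CommandLine     = $cim.CommandLine
        SignatureStatus = $sigStatus
        Signer          = $signer
        CpuSeconds      = $proc.CPU
        PoolPortHits    = @($conns | Where-Object PoolPort).Count
        Connections     = $conns
        TaskMgrDisabled = ($pol.DisableTaskMgr -eq 1)
        MinerLikeArgs   = $minerArgs
    }
}

# Usage: pass the PID of whatever is pinned at the top of Task Manager.
# Get-MinerTriage -ProcessId 4321 | Format-List
```

Run it elevated so Get-Process and Get-NetTCPConnection can see other users' processes. An empty PoolPortHits column is not clearance: miners increasingly talk Stratum over 443 or through a proxy, so the command line, the parent process and the signature are usually the stronger signals.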

How do I know if I have crypto mining malware?

Bitcoin Miner Virus is a general name for malware that steals a computer's resources to generate cryptocurrency. This dangerous crypto mining malware mostly infects through downloads and browser-based attacks. Slow performance, lagging, and overheating are warning signs of mining malware infection.

How do I remove malware from my CPU?

Remove malware from your Windows PC
  1. Open your Windows Security settings.
  2. Select Virus & threat protection > Scan options.
  3. Select Microsoft Defender Antivirus (offline scan), and then select Scan now.

How do I get rid of a hidden Bitcoin miner?

Home remediation
  1. Please download Malwarebytes to your desktop.
  2. Double-click MBSetup.exe and follow the prompts to install the program.
  3. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  4. Click on the Get started button.
  5. Click Scan to start a Threat Scan.

Can crypto mining be detected?

Yes. In Google Cloud's Security Command Center, two threat detection services of the Premium and Enterprise tiers are critical for detecting cryptomining attacks: Event Threat Detection and VM Threat Detection.

What is crypto malware and how do you detect it?

Crypto malware is malicious software that uses your computer to mine cryptocurrency without your knowledge. If your computer has become slow and unresponsive, you may need to scan it for crypto mining malware.

How to detect cryptocurrency miners by traffic forensics?

Machine learning can be employed to detect mining services automatically. A dedicated web application collects the IP addresses and service availability of various mining pool servers, so that connections seen on the network can be matched against known pools.

What does Microsoft Defender detect?

Microsoft Defender Antivirus detects and protects against the following kinds of threats: Viruses, malware, and web-based threats on devices. Phishing attempts. Data theft attempts.

Can Windows Defender detect phishing?

In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, and users cannot turn it off.

Can Windows Defender detect keyloggers?

The most popular operating systems, Windows and macOS, offer some level of threat protection. For instance, Windows Security (Defender) can scan your PC and remove viruses and other threats such as keyloggers. This is one of the best free antivirus programs.

Can Windows Defender detect Trojan horses?

To make sure that you detect all possible Trojan infections, in addition to running at least two virus scanners on a Windows computer, it's also recommended to run a full scan with Windows Defender Offline. This can help to detect and remove particularly stubborn Trojans using the latest threat definitions.
