The UEFI firmware is loaded into memory at the beginning of the boot process. It is stored in a flash memory chip soldered onto the mainboard. If attackers infect the firmware, they can deploy malware that survives system reinstallations, reboots, and even new hard drive installations. The malware can also go unnoticed by antimalware solutions, since most of them do not scan the firmware layer.
The ESET Unified Extensible Firmware Interface (UEFI) Scanner adds an industry-first protection layer against UEFI bootkits by scanning for malware in the firmware layer.
The following ESET products contain the UEFI scanner:
Upgrade the firmware from your computer vendor and rescan with the ESET UEFI Scanner. If the UEFI detection remains, you can ask your computer vendor to update their firmware to remove the problematic detection.
Business users version 8 and later:
Business users version 7:
Type in your Detection name (for example, EFI/CompuTrace.A).
Disable the Detection of potentially unsafe applications option in your ESET product.
Reflash the SPI flash memory where the UEFI firmware resides. This is a delicate and complex procedure and is different for every motherboard. Your computer manufacturer will be able to tell you if this is possible.
For detailed information about UEFI malware, including prevention and remediation, see the following WeLiveSecurity.com post: LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group
If you think that the detection is incorrect, submit the detection to the ESET malware lab for analysis.
UEFI scanning is available in the latest versions of ESET products. See the Details section above for a list of ESET products that contain the UEFI scanner.
By default, the detection of potentially unsafe or unwanted applications is disabled in ESET products. Because UEFI infections are very specific to the hardware firmware that they infect, ESET can only detect and notify you of a UEFI infection. UEFI is scanned only during the startup scan or during an On-demand scan when the Boot sectors/UEFI option is selected.