Issue
- Resolve ESET UEFI detections (for example, EFI/CompuTrace, Win32/CompuTrace, EFI/Lenovo, Win32/Lenovo)
- How to protect your computer from UEFI malware
- ESET detects UEFI malware or applications
Details
Click to expand
The UEFI firmware loads into the memory at the beginning of the boot process. It is stored in a flash memory chip soldered onto the mainboard. If attackers infect the firmware, they can deploy malware that survives system reinstallations, reboots, and even new hard drive installations. The malware can also remain unnoticed by antimalware solutions because most do not scan the firmware layer.
The ESET Unified Extensible Firmware Interface (UEFI) Scanner adds an industry-first protection layer against UEFI boot kits by scanning for malware in the firmware layer.
The following ESET products contain the UEFI scanner:
- ESET Mail Security for Microsoft Exchange Server (version 8 and later)
- ESET File Security for Microsoft Windows Server (version 8 and later)
- ESET Security for Microsoft SharePoint Server (version 8 and later)
- ESET Mail Security for IBM Domino (version 8 and later)
- ESET Smart Security Premium (version 17 and later)
- ESET Internet Security (version 17 and later)
- ESET NOD32 Antivirus (version 17 and later)
- ESET Endpoint Security/Antivirus (version 8.1 and later)
Solution
Resolve ESET UEFI detections
-
Upgrade the firmware from your computer vendor and rescan it with the ESET UEFI scanner. If the UEFI detection remains, you can ask your computer vendor to update their firmware to remove the problematic detection.
-
Exclude the detection in your ESET product. If you have enabled the detection of potentially unsafe applications and your computer vendor does not remove the app from its firmware, you can exclude the detection from future scans.
Home users: Exclude an application by name from scanning in ESET Windows home products.
Business users:
-
Disable the Detection of potentially unsafe applications option in your ESET product
Home users: Configure ESET products to detect or ignore unwanted, unsafe and suspicious applications.
Business users: Enable or disable endpoint detection of potentially unwanted/unsafe applications using ESET PROTECT On-Prem
- Reflash the SPI Flash Memory where the UEFI lives. This is a delicate and complex procedure and is different for every motherboard. Your computer manufacturer will be able to tell you if this is possible
- For detailed information about UEFI malware, including prevention and remediation, see the following WeLiveSecurity.com post: Lojax: First UEFI rootkit found in the wild, courtesy of the Sednit group
- If you think that the detection is incorrect, submit the detection to the ESET malware lab for analysis
How to protect your computer from UEFI malware
- Use a computer with a newer chipset
Verify all of your systems have modern chipsets with Platform Controller Hub (starting from Intel Series 5 chipsets onwards). - Ensure that your computer has Secure Boot enabled
Typically, UEFI malware is not properly signed, and having Secure Boot enabled will keep it from loading and infecting your computer. - Upgrade your UEFI firmware on your computer
We recommend performing a UEFI firmware update even if your computer does not notify you of a detection. As a preventive measure, it may help minimize the chances of this type of infection.
ESET detects UEFI malware or applications
UEFI scanning is available in the latest versions of ESET products. See the Details section above for a list of ESET products that contain the UEFI scanner.
By default, detecting potentially unsafe or unwanted applications is disabled in ESET products. Because UEFI infections are very specific to the hardware firmware they infect, ESET can only detect and notify you of a UEFI infection. UEFI is only scanned during startup or On-demand scans when the option Boot sectors/UEFI is selected.
Need further assistance? Contact ESET Technical Support.
