Writing in his blog, Talos researcher Chris Neal said that starting in Windows Vista 64-bit, to combat the threat of malicious drivers, Microsoft began to require kernel-mode drivers to be digitally signed with a certificate from a verified certificate authority.
"Without signature enforcement, malicious drivers would be extremely difficult to defend against as they can easily evade anti-malware software and endpoint detection."
Beginning with Windows 10 version 1607, Neal said, Vole required kernel-mode drivers to be signed by its Developer Portal.
"This process is intended to ensure that drivers meet Microsoft's requirements and security standards," he wrote.
There are exceptions — most notably, one for drivers signed with certificates that expired or were issued before July 29, 2015. If a newly compiled driver is signed with non-revoked certificates that were issued before that date, it won't be blocked. "As a result, multiple open source tools have been developed to exploit this loophole," Neal wrote.
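As an added illustration of how a defender can inventory drivers that fall under that exception (this is example code, not part of the article or of Talos' work): the script below walks the driver directory, reads each file's Authenticode signature, and flags any driver whose signing certificate was issued before the July 29, 2015 cutoff or whose signature does not validate. The directory path, the exclusion of Microsoft OS binaries, and the review-list output format are assumptions for this example.

```powershell
# Added example (not from the article or Talos): list kernel driver files whose signing
# certificate predates the 2015-07-29 policy cutoff, or whose signature is not valid,
# so they can be reviewed against a known-good inventory.
$Cutoff    = Get-Date -Date '2015-07-29'
$DriverDir = Join-Path $env:SystemRoot 'System32\drivers'   # assumed location; adjust per host

function Get-PreCutoffDrivers {
    param([string]$Path = $DriverDir, [datetime]$CutoffDate = $Cutoff)

    Get-ChildItem -Path $Path -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            [pscustomobject]@{
                Driver     = $_.Name
                Status     = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
                OSBinary   = $sig.IsOSBinary                   # true for Microsoft-signed OS files
                Signer     = if ($cert) { $cert.Subject } else { '<unsigned>' }
                CertIssued = if ($cert) { $cert.NotBefore } else { $null }
                # The exception applies to non-revoked certs issued before the cutoff date.
                PreCutoff  = if ($cert) { $cert.NotBefore -lt $CutoffDate } else { $false }
                Path       = $_.FullName
            }
        } |
        # Keep third-party drivers that either rely on the pre-cutoff exception
        # or fail signature validation; Microsoft's own OS binaries are excluded.
        Where-Object { -not $_.OSBinary -and ($_.PreCutoff -or $_.Status -ne 'Valid') } |
        Sort-Object CertIssued
}

# Usage: print a review list, oldest signing certificate first.
Get-PreCutoffDrivers | Format-Table Driver, Status, CertIssued, Signer -AutoSize
```

A hit on this list is a review item, not proof of abuse: legitimate vendors also ship drivers signed under the pre-2015 exception, so compare the signer and file hash against your approved driver inventory before acting.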
And while Sophos reported that it had uncovered more than 100 malicious drivers, Neal said Cisco Talos "has observed multiple threat actors taking advantage of the Windows policy loophole to deploy thousands of malicious, signed drivers without submitting them to Microsoft for verification."
"Microsoft, in response to our notification, has blocked all certificates discussed in this blog post," he noted.