Microsoft announced that Microsoft Defender for Endpoint, its commercial version of Windows 10 Defender antivirus, implements a new mechanism that leverages Intel’s Threat Detection Technology (TDT) to block cryptojacking malware using
Cryptojacking malware allows threat actors to secretly mine for cryptocurrency abusing computational resources of the infected devices.
The Intel TDT technology allows sharing heuristics and telemetry with security software that could use this data to detect the activity associated with a malicious code. Intel TDT leverages machine learning to analyze low-level hardware telemetry produced by the CPU performance monitoring unit (PMU) and uses it to detect the malware code execution “fingerprint” at runtime. TDT is currently implemented in Intel Core processors and any Intel CPU series that supports Intel vPro technologies, 6th Generation or later.
“Today, we are announcing the integration of Intel Threat Detection Technology (TDT) into Microsoft Defender for Endpoint, an addition that enhances the detection capability and protection against cryptojacking malware.” reads the announcement published by Microsoft. “TDT leverages a rich set of performance profiling events available in Intel SoCs (system-on-a-chip) to monitor and detect malware at their final execution point (the CPU). This happens irrespective of obfuscation techniques, including when malware hides within virtualized guests, without needing intrusive techniques like code injection or performing complex hypervisor introspection. TDT can further offload machine learning inference to the integrated graphics processing unit (GPU), enabling continuous monitoring with negligible overhead.”
Microsoft Defender uses Intel TDT technology against crypto-mining malware