Microsoft Defender can block cryptojacking malware: Cryptocurrency mining and wallet stealing viruses rendered useless?

Microsoft and Intel to block cryptojacking malware. Pic credit: Tayeb MEZAHDIA/Pixabay

Microsoft Defender can now observe and alert about cryptojacking malware. The security platform currently works on Intel CPUs. It relies on Threat Detection Technology (TDT) to prevent cryptocurrency mining and wallet-stealing viruses from draining valuable computer resources.

Microsoft and Intel have jointly announced new capabilities in Microsoft Defender to detect unauthorized cryptocurrency mining, or cryptomining. Intel TDT is part of the Hardware Shield suite of capabilities available on Intel vPro and Intel Core platforms.

Microsoft Defender for Endpoint can detect malware execution using CPU-based heuristics:

Microsoft Defender for Endpoint, the enterprise version of Microsoft's Windows 10 Defender antivirus, now supports blocking cryptojacking malware. Cryptojacking malware allows malicious code writers to secretly mine cryptocurrency on infected devices.

Cryptojacking significantly lowers an infected machine's performance by siphoning off valuable system resources to mine cryptocurrency. There are ample cases of aggressive malware degrading the performance of personal computers, enterprise servers, and mobile devices alike.

In some cases, additional malware installed by cryptojacking viruses can also steal cryptocurrency wallets. Some reports also indicate that a few strains act as a worm, attempting to spread to other endpoints on the network.

Microsoft Defender for Endpoint will now utilize Intel’s TDT and CPU-based machine learning algorithms to detect and block cryptojacking. Microsoft will reportedly rely on CPU telemetry and machine learning heuristics to identify anomalous activity.

Essentially, Microsoft Defender for Endpoint will observe CPU behavior, and if it detects potentially malicious behavior, it will alert Endpoint Detection and Response (EDR) mechanisms. These can, in turn, trigger remediation workflows to protect the infected PC and other devices on the network.
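As an added illustration of the pipeline just described (not Microsoft's or Intel's code, and not how TDT actually classifies), the sketch below shows the shape of a CPU-telemetry heuristic: per-process samples are windowed, a steady saturating load with a hash-loop-like instruction profile is flagged, and an alert record is handed off for an EDR response. The field names, thresholds and sample feed are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed telemetry record, one per process per sampling interval. Real TDT input
# comes from CPU performance counters; this field set is a hypothetical stand-in.
@dataclass(frozen=True)
class Sample:
    pid: int
    image: str
    cpu_pct: float  # process CPU utilization in the interval (%)
    ipc: float      # instructions retired per cycle

WINDOW = 6             # consecutive samples examined together
MIN_MEAN_CPU = 85.0    # mining keeps cores saturated...
MAX_CPU_STDEV = 5.0    # ...at a steady level, unlike bursty interactive work
IPC_BAND = (0.8, 1.6)  # hypothetical band for tight hashing loops

def classify_window(samples):
    """Return a reason string if the window looks like a steady compute loop, else None."""
    if len(samples) < WINDOW:
        return None
    cpu = [s.cpu_pct for s in samples]
    if mean(cpu) < MIN_MEAN_CPU or pstdev(cpu) > MAX_CPU_STDEV:
        return None
    if not all(IPC_BAND[0] <= s.ipc <= IPC_BAND[1] for s in samples):
        return None
    return f"steady load: mean cpu {mean(cpu):.0f}%, ipc {mean(s.ipc for s in samples):.2f}"

def detect(telemetry):
    """Slide the window over each process's samples; emit at most one EDR-style alert per process."""
    by_proc = {}
    for s in telemetry:
        by_proc.setdefault((s.pid, s.image), []).append(s)
    alerts = []
    for (pid, image), rows in by_proc.items():
        for i in range(len(rows) - WINDOW + 1):
            reason = classify_window(rows[i:i + WINDOW])
            if reason:
                alerts.append({"pid": pid, "image": image, "reason": reason})
                break
    return alerts

# Constructed feed: one process pinned at a steady ~96%, one bursty interactive process.
TELEMETRY = (
    [Sample(4242, "unknown_worker.exe", c, i) for c, i in
     [(96, 1.12), (97, 1.10), (95, 1.13), (96, 1.11), (97, 1.09), (96, 1.12)]]
    + [Sample(1337, "browser.exe", c, i) for c, i in
       [(90, 1.2), (40, 0.9), (98, 1.4), (12, 0.6), (85, 1.3), (30, 0.8)]]
)
```

A fixed-threshold rule like this also fires on legitimate steady compute such as compilation or rendering, which is why the article describes a machine-learning layer over the telemetry rather than static cutoffs.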

Intel vPro and Core CPUs have the technology that Microsoft Defender for Endpoint needs to observe and block cryptojacking:

Microsoft Defender for Endpoint relies on Threat Detection Technology (TDT), which Intel CPUs provide. The new capability is available on Intel Core processors and the Intel vPro platform. Specifically, Intel CPUs of the 6th generation or later have the technology.

Intel TDT continuously monitors and analyzes telemetry data from virtual machines and applications for signals of malicious activity. Intel assures that TDT doesn't impact the system's overall performance, as it offloads resource-intensive workloads to the integrated Graphics Processing Unit (GPU):

“This advanced threat detection doesn’t create a performance hit requiring IT leaders to make a tradeoff between better security or a good user experience.”

“Intel TDT can offload performance-intensive security workloads to the integrated graphics controller and return performance back to the CPU, allowing for increased scanning and reduced impacts to the computing experience.”

Apart from observing and alerting on cryptojacking, Microsoft also wants to use Intel TDT in the future to detect and stop other malware strains and attack techniques such as ransomware and side-channel attacks, said Karthik Selvaraj, Principal Research Manager, Microsoft 365 Defender Research Team:

“Even though we have enabled this technology specifically for cryptocurrency mining, it expands the horizons for detecting more aggressive threats like side-channel attacks and ransomware.”

“Intel TDT already has the capabilities for such scenarios, and machine learning can be trained to recognize these attack vectors.”
