Written by Mark Russinovich, Chief Technology Officer and Technical Fellow, Microsoft Azure
Persistent threats like bootkits and rootkits are sophisticated malware types that run with the same kernel-mode privileges as the operating system they infect. Using those privileges, they can hide themselves from diagnostic tools and antimalware, making them extremely difficult to detect and almost impossible to remove. That foothold is typically leveraged by malware to bypass local logins, record passwords and keystrokes, exfiltrate private files, and steal security keys and credentials.
Today, I'm announcing that Azure customers can prevent bootkit and rootkit infections by enabling Azure Trusted Launch for their virtual machines. Trusted Launch allows administrators to deploy virtual machines with verified and signed bootloaders, OS kernels, and a boot policy that leverages the Trusted Launch Virtual Trusted Platform Module (vTPM) to measure and attest to whether the boot was compromised. The vTPM measurements give administrators visibility into the integrity of the entire boot process, and vTPM release policies ensure that keys, certificates, and secrets aren't accessible to compromised virtual machines.
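To make the measurement and release-policy mechanism concrete, here is a small added illustration (not Azure's or Microsoft's code, and not how the vTPM is implemented internally). It models a TPM Platform Configuration Register (PCR): each boot component is hashed and folded into the register with PCR = SHA-256(PCR || SHA-256(component)), so a change to any component anywhere in the chain, such as a hooked bootloader, yields a different final value. A verifier replays the event log to reproduce that value, and a release policy hands out a secret only when the measurement matches the known-good value. The boot-component contents and the secret are constructed sample bytes, not real images or keys.

```python
"""Toy model of measured boot and a PCR-bound secret release policy.

Added illustration only; it is not Azure's code and does not reproduce
the real vTPM implementation. Component bytes and the secret below are
constructed sample data.
"""
import hashlib
import hmac
from typing import Iterable, List, Optional

PCR_SIZE = 32  # SHA-256 digest length; a freshly reset PCR is all zeros


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend_pcr(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || H(component)).
    The register can only be extended, never set, so an attacker who
    controls a later stage cannot erase an earlier measurement."""
    return sha256(pcr + sha256(component))


def measure_boot_chain(components: Iterable[bytes]) -> bytes:
    """Measure every boot stage in order into a single PCR value."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = extend_pcr(pcr, component)
    return pcr


def event_log(components: Iterable[bytes]) -> List[bytes]:
    """Per-stage digests that accompany the TPM's signed PCR quote."""
    return [sha256(c) for c in components]


def replay_log(log: Iterable[bytes]) -> bytes:
    """Verifier side: recompute the PCR from the logged digests and
    compare it against the quoted value to detect a forged log."""
    pcr = bytes(PCR_SIZE)
    for digest in log:
        pcr = sha256(pcr + digest)
    return pcr


def release_secret(measured_pcr: bytes, golden_pcr: bytes, secret: bytes) -> Optional[bytes]:
    """Release policy: the secret is unsealed only when the measured PCR
    equals the known-good value recorded when the image was provisioned."""
    if hmac.compare_digest(measured_pcr, golden_pcr):  # constant-time compare
        return secret
    return None


# Constructed sample chain: firmware -> bootloader -> kernel -> boot policy
GOOD_CHAIN = [b"firmware v1", b"bootloader signed", b"kernel 5.15", b"policy: secureboot=on"]
# Same chain with a modified bootloader stage; every later PCR value differs
BAD_CHAIN = [b"firmware v1", b"bootloader HOOKED", b"kernel 5.15", b"policy: secureboot=on"]


def demo() -> dict:
    golden = measure_boot_chain(GOOD_CHAIN)
    secret = b"disk-encryption-key (constructed sample)"
    return {
        "good_released": release_secret(measure_boot_chain(GOOD_CHAIN), golden, secret) is not None,
        "bad_released": release_secret(measure_boot_chain(BAD_CHAIN), golden, secret) is not None,
        "log_replays_to_golden": replay_log(event_log(GOOD_CHAIN)) == golden,
        "forged_log_detected": replay_log(event_log(BAD_CHAIN)) != golden,
    }


if __name__ == "__main__":
    print(demo())
```

The design point worth noticing is that the policy never inspects the bootloader itself; it only compares a digest chain. That is why a single compromised stage is enough to deny secret release, and why the event log on its own proves nothing until it replays to the value the TPM actually holds.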