Boot‑Time Security

Windows Defender, like its predecessor, is great at what it does. But there’s one problem with an integrated antivirus and anti‑malware solution like Defender, and that is that Windows 8 must be running for it to work. There are certain situations in which you may wish to secure your PC’s hard disk–just as when it’s booting–or need to run a security scan against the hard disk when Windows isn’t running. And while one might argue that these capabilities aren’t technically Windows 8 features per se, you need to know about them.

First, as PCs have become more sophisticated, the architecture on which Windows runs has evolved. And one of the biggest changes that Windows 8 has been designed to accommodate is the long overdue switch from the primitive BIOS (basic input/output system) environments that have graced (disgraced?) PCs since the 1980s. BIOS is a type of firmware, a tiny bit of software that runs before Windows when the PC first powers on. And while it’s possible to run Windows 8 on a BIOS‑based computer–basically every single PC made before 2012–a new generation of more sophisticated PCs and devices are instead using BIOS’s replacement. It’s called UEFI, or the Unified Extensible Firmware Interface.

UEFI provides many advantages over BIOS, but from a security perspective the big deal is that PCs based on this firmware type can support a new technology called Secure Boot. Based on industry standards, Secure Boot ensures that a system hasn’t been tampered with while offline. (That is, while Windows isn’t running.)

It sounds Orwellian but the purpose of Secure Boot is valid: It targets a growing class of electronic attacks that insert code before Windows boots and try to prevent the OS from loading security software like Windows Defender at boot time, leaving the system vulnerable to further attack. Secure Boot ensures that only properly authorized components are allowed to execute at boot time. It is literally a more secure form of booting.

All Windows 8 PCs and devices will be configured from the factory to support Secure Boot and have this firmware feature enabled. But if you are going to install Windows 8 on a previous PC, you can check to see whether this feature is supported and then enable it before installing the OS.

As a feature of the PC firmware, Secure Boot isn’t configured in Windows; it’s configured in the UEFI firmware interface. This interface will vary from PC to PC, but it’s generally available via a Boot or Security screen in the firmware and is toggled via an option that will be labeled UEFI Boot. This can be set to Enabled or Disabled.

The other security issue that arises at boot time occasionally is the need to scan an offline system. That is, you may want to run a Windows Defender security scan against a Windows 8 hard disk, but when Windows isn’t running. This can be a vital capability if your system is infested with a bootkit or rootkit , malicious forms of software that are both hard to detect and almost impossible to remove … when Windows is running. But if you can attack bootkits and rootkits while Windows is offline, then voila! Problem solved.

Fortunately, Microsoft makes a standalone version of Windows Defender called the Windows Defender Offline. As you might expect, it is based on Windows Defender, and looks almost identical to that tool. But you install it to a bootable optical disc or USB memory stick and then boot the PC from that. Windows Defender Offline is shown in Figure 12‑16.

Strictly speaking, there’s no reason to run Windows Defender Offline unless you know you have a problem. But don’t wait to create a bootable Windows Defender Offline disc or USB key until you have a problem: This is a tool you should have at the ready, just in case. You can download Windows Defender Offline from the Microsoft website at tinyurl.com/defenderoffline.