BIOS flash lock against LoJax rootkit Veriton X4610G

Marty11 Member Posts: 119 Skilled Fixer
edited March 1 in 2020 Archives
I'm using a Veriton X4610G running Windows 10 and I want to defend it against BIOS viruses like the LoJax rootkit, which installs itself in the UEFI BIOS and even survives OS re-installs.

The CERT Coordination Center advises in VU#766164:
American Megatrends Incorporated (AMI) Status: Affected; End users should contact their board manufacturer for information on when a specific updated BIOS will be available.
(The X4610G runs an Acer 2012 customized AMI BIOS.)

Unfortunately Acer hasn't fixed the X4610G's BIOS. So there is no security patch to protect against the BIOS virus.

Now I want to implement a work-around and have found two ways of locking the BIOS firmware code against flashing.
  • A. With a jumper on the motherboard (see first picture A below)
  • B. With a menu option in the BIOS settings, called "BIOS Write Protect" (see second picture B below)
Picture A: [image not included]

Picture B: [image not included]
I have a few questions about these two methods.
  1. Is locking the BIOS a smart thing, or would I block or disrupt other functions besides blocking the flashing of new BIOS firmware (and defending against BIOS viruses)?
  2. Would a BIOS settings change still be possible in scenario A?
  3. Would a BIOS settings change still be possible in scenario B?
  4. What is exactly protected by method A (BIOS, CMOS, UEFI)?
  5. What is exactly protected by method B (BIOS, CMOS, UEFI)?
  6. Will method A defend against BIOS viruses, can a virus circumvent locking method A?
  7. Will method B defend against BIOS viruses, can a virus circumvent locking method B?
  8. In scenario B, if the BIOS firmware somehow gets corrupted and the BIOS fails to start, could I revert/undo method B somehow? Because re-flashing the firmware would then be blocked by the BIOS setting I couldn't reach anymore.
  9. Are there any other positive or negative effects you can think of?
Thanks in advance.

Thread was edited to add model name to the title


Answers

  • Marty11 Member Posts: 119 Skilled Fixer
    I found a third way to implement a firmware update lock. It is via the Intel Management Engine BIOS Extension.

    • C. There is an option to set Local FW Update to: Disabled/Enabled/Password Protected (see picture C below).
    Picture C: [image not included]

    The same questions as above hold for option C too.
    10. Would it be better to turn off Intel Management Engine in its entirety?