I'm using a Veriton X4610G running Windows 10 and I want to defend it against BIOS viruses like the
LoJax rootkit, which installs itself in the UEFI BIOS and even survives OS re-installs.
The CERT Coordination Center advises in VU#766164: "American Megatrends Incorporated (AMI) Status: Affected; End users should contact their board manufacturer for information on when a specific updated BIOS will be available."
(The X4610G runs an Acer 2012 customized AMI BIOS.)
Unfortunately, Acer hasn't fixed the X4610G's BIOS, so there is no security patch to protect against the BIOS virus.
Now I want to implement a work-around and found two ways of locking the BIOS firmware code against flashing.
- A. With a jumper on the motherboard (see first picture A below)
- B. With a menu option in the BIOS settings, called "BIOS Write Protect" (see second picture B below)
Picture A:
Picture B:
I have a few questions about these two methods.
- Is locking the BIOS a smart thing, or would I block or disrupt other functions besides blocking flashing new BIOS firmware (and defending against BIOS viruses)?
- Would a BIOS settings change still be possible in scenario A?
- Would a BIOS settings change still be possible in scenario B?
- What is exactly protected by method A (BIOS, CMOS, UEFI)?
- What is exactly protected by method B (BIOS, CMOS, UEFI)?
- Will method A defend against BIOS viruses? Can a virus circumvent locking method A?
- Will method B defend against BIOS viruses? Can a virus circumvent locking method B?
- In scenario B, if the BIOS firmware somehow gets corrupted and the BIOS fails to start, could I revert/undo method B somehow? Because re-flashing the firmware would then be blocked by the BIOS setting I couldn't reach anymore.
- Are there any other positive or negative effects you can think of?
Thanks in advance.