Summary
The Microsoft Windows Hardware Compatibility Program (WHCP) certifies that drivers, and other products, run reliably on Windows and on Windows certified hardware. First reported by Sophos, and later Trend Micro and Cisco, Microsoft has investigated and confirmed a list of third-party WHCP-certified drivers used in cyber threat campaigns. Because of the drivers’ intent and functionality, Microsoft has added them to the Windows Driver.STL revocation list.
The Windows Driver.STL file is part of the Windows Code Integrity feature. The file contains digital signatures and lists of drivers that Microsoft has revoked. This stops malware from running in the Windows boot and Windows kernel processes. Driver.STL ships along with Windows but is not a part of Windows. It cannot be turned off, tampered with, or removed from the system. Microsoft updates the contents of the revocation file. The updates are sent to Windows systems and users from Windows Update.
The Windows Code Integrity feature validates the source and authenticity of the drivers that run in Windows. The feature uses digital signatures to verify the integrity of Windows files and drivers. It prevents the loading of unsigned or tampered files. Windows Code Integrity and the Driver.STL revocation list have existed alongside Windows since Windows Vista.
