SE Labs

Special Edition
Computer security testing comment and analysis from SE Labs

Ransomware detection using hardware

Computer processors get the final word when running programs. Can they judge bad code from good?

Ransomware Detection Using Hardware

Is ransomware detection using hardware possible? We look at Intel’s approach to improving ransomware detection.

All malware has to run on a target to achieve its goal. Whether it’s a remote access Trojan, a wild internet worm or devastating ransomware, malware is most likely software that has to run on a PC of some sort. The anti-virus software industry tries to detect and stop these threats, but news headlines suggest it’s not winning the war.

Download the report for enterprise and small business now! (free – no registration)

Part of the problem is that attackers can disguise malware. In the same way you might try to slip past a security guard in thick glasses and a wig, hackers can take their regular code and make it look different. There are many ways to do this, but before it can achieve its ultimate goal, malware has to run, or execute. And at that stage it drops its disguise, at least as far as the hardware it runs on is concerned. As the code runs, its intentions become clear.

Security on a Chip

And this presents an opportunity for defenders – detect malware at the very last moment, just as it reveals itself while executing. The concept of ‘security on a chip’ has been around for a long time and when Intel bought McAfee in 2010 the world waited for anti-virus processors. They didn’t really appear and seven years later McAfee and Intel separated.

But now Intel claims that it has introduced anti-malware to its vPro hardware platform.

By monitoring code as it executes, it hopes to detect malware and inform compatible security software when it does. It claims to do this by using pattern matching, via machine learning, to spot suspicious behaviour. The goal is to have a combination of security software and hardware working together to prevent infections.

Ransomware Detection Using Hardware

Ransomware is a prevalent, damaging and expensive threat that can cripple the largest organisations and completely destroy smaller ones. But it’s just code that you don’t want to run on your computer. It’s not even that unpredictable. In most cases it will encrypt data, delete files and steal information.

This presents another opportunity for detection. Regardless of how a file ‘looks’, if it starts doing the usual bad things you’d expect from ransomware, it’s probably safe to identify it as a threat. Intel’s claim is that its Threat Detection Technology is capable of spotting malicious trends with the help of machine learning.

Origin Story

When detection happens at the hardware level, it doesn’t matter if the malware appears in a Zip file, is downloaded from Dropbox or is a script that hides inside an Office document. The malware doesn’t even need to land on the hard disk. File-less and other threats all need to run on the processor.

In this report we test Intel’s claims that the Threat Detection Technology built into its vPro platform can detect known ransomware and disguised variations.

Sign up to our monthly business and personal security newsletters.

Featured podcast:

Find out more

Free security test reports

Stay in touch

Get tested

Discover how we work with large organisations and security vendors.

  • Do you run a large organisation’s security infrastructure and want an assessment?
  • Are you a security vendor that needs certification?
  • SE Labs anti-virus certification can help security vendors access Windows Early Launch Antimalware (ELAM).

Please contact us now.


SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.


SE Labs Ltd
Hill Place House
55A High Street
SW19 5BA