Intel Anti-Theft/ME backdoor question

Lucian P.:

We restrict some of our workstations from accessing the internet.
At the network level, the router drops any packet with a destination outside of the LAN and generates warnings in the log.
At the OS level (Windows workstations) we use a low-level driver blocking the same. It helps to keep the router's logs empty of warnings, because Windows never sends anything to an external IP. Also it's a trap for deep backdoors.

We are going to buy new workstations with Intel 7/8-series chipsets. Intel Anti-Theft settings will be at default (not activated).
The question: will we find in the router's log any (even one) connection attempt to the internet (or DNS resolve requests) after a year of use?
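The "trap" described in this post only works if someone actually reads the router's drop log and separates real egress attempts from LAN noise. The following is an added example, not code from the thread or from Intel: it parses constructed iptables-style firewall log lines (the `EGRESS-DROP` prefix, the addresses and the hosts are all invented for this example), keeps only drops that originate from the restricted workstations and are bound outside the LAN, and flags DNS lookups separately, since the original question asks about both connection attempts and DNS resolve requests.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of router drop-log lines (iptables LOG-style wording,
# invented for this example; not real traffic).
SAMPLE_LOG = """\
Mar  3 10:01:12 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.10.21 DST=93.184.216.34 PROTO=TCP SPT=51512 DPT=443
Mar  3 10:01:15 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.10.21 DST=8.8.8.8 PROTO=UDP SPT=60021 DPT=53
Mar  3 10:02:40 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.10.50 DST=203.0.113.40 PROTO=TCP SPT=40000 DPT=80
Mar  3 10:02:55 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.10.77 DST=192.168.10.5 PROTO=TCP SPT=40100 DPT=445
Mar  3 10:03:01 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.10.77 DST=203.0.113.9 PROTO=TCP SPT=44444 DPT=80
"""

# Assumed site configuration (hypothetical values).
LAN_NETS = [ipaddress.ip_network("192.168.10.0/24")]
RESTRICTED_HOSTS = {"192.168.10.21", "192.168.10.77"}

# Field pattern for the constructed log format above.
FIELD_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


def parse_log_line(line):
    """Extract source, destination, protocol and destination port from one line.

    Returns None for lines that do not carry the expected fields, so that
    unrelated kernel messages in the same log are skipped rather than crashing.
    """
    m = FIELD_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "src": d["src"],
        "dst": d["dst"],
        "proto": d["proto"],
        "dpt": int(d["dpt"]) if d["dpt"] else None,
    }


def is_lan(addr, lan_nets):
    """True if addr falls inside one of the configured LAN prefixes.

    An address that does not parse is treated as non-LAN so that it is
    surfaced for review instead of silently ignored.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in lan_nets)


def find_egress_attempts(log_text, lan_nets, restricted_hosts):
    """Return the drops that matter: restricted host -> destination outside the LAN."""
    events = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["src"] not in restricted_hosts:
            continue
        if is_lan(rec["dst"], lan_nets):
            continue  # intra-LAN traffic is not a policy violation here
        # Port 53 over UDP or TCP is classified as a DNS resolve attempt.
        rec["kind"] = "dns" if rec["dpt"] == 53 and rec["proto"] in ("UDP", "TCP") else "other"
        events.append(rec)
    return events


def summarize(events):
    """Per-host counts plus the number of DNS attempts, for a periodic review."""
    by_host = Counter(e["src"] for e in events)
    dns = sum(1 for e in events if e["kind"] == "dns")
    return {"total": len(events), "dns": dns, "by_host": dict(by_host)}


if __name__ == "__main__":
    found = find_egress_attempts(SAMPLE_LOG, LAN_NETS, RESTRICTED_HOSTS)
    for e in found:
        print(f"{e['src']} -> {e['dst']}:{e['dpt']} {e['proto']} ({e['kind']})")
    print(summarize(found))
```

On the constructed sample, the unrestricted host 192.168.10.50 and the intra-LAN drop from 192.168.10.77 are filtered out, leaving three events, one of which is a DNS lookup. Over a year of logs the interesting result is a summary whose `total` stays at zero for the restricted hosts; a single non-zero count is exactly the signal the poster wants to catch.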

Gael Hofemeier (Intel):

There shouldn't be any attempts to access the internet from the system simply being AT capable.  If your OEM has installed the Manageability Firmware Recovery Agent on your systems you might get a user consent box popping up that asks you if you would like to install a new version of the firmware. You can read more about it here: http://software.intel.com/en-us/blogs/2013/02/06/intel-manageability-firmware-recovery-agent

However, it is impossible for me to even guess why or if your system is trying to access the internet.

Follow me on Twitter: @GHIntelBlogs Facebook: https://www.facebook.com/gh.intelblogs
Lucian P.:

Thank you for the reply.
Our current system doesn't try. The routing scheme is the same for all workstations, so the network router can bust attempts by any workstation (or its hardware) to bypass the restriction by the OS driver.

Intel Manageability Firmware Recovery Agent is preinstalled Windows software. We order, install and check all software and drivers only by ourselves.
So we will never face any Intel ME hardware/hypervisor/etc. connection attempt outside of the operating system?

Gael Hofemeier (Intel):

The ME wouldn't be trying to connect to the internet.  While it does have a built-in web server, it isn't going to be connecting unless there is an agent that is doing something with it or if someone is trying to access the web UI (but then AMT has to be enabled for that to work.)

Follow me on Twitter: @GHIntelBlogs Facebook: https://www.facebook.com/gh.intelblogs
Lucian P.:

Does a non-Q chipset + any CPU give AMT unprovisioned by default?

Some chipsets don't support VT-d officially, but motherboard vendors still allow VT-d (if the CPU is not a "K").
Isn't it the same with AMT, or does everything depend on the BIOS firmware? Open ports wouldn't hurt our LAN, anyway it's better to know.

Gael Hofemeier (Intel):

Here is a blog that has system requirements for vPro systems that are capable of AMT: http://software.intel.com/en-us/blogs/2013/08/07/intel-vpro-technology-release-90-platform-requirements

Systems do not come with AMT enabled - the user or IT department has to enable the technology in order for it to be used.  Also, vPro is only on Core i5 and i7 processors (along with particular chipsets).  If the system doesn't have those parts, it will not be AMT capable at all (cannot provision or enable something that is not there...)

Follow me on Twitter: @GHIntelBlogs Facebook: https://www.facebook.com/gh.intelblogs