Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.
1381 Discussions

Intel Anti-Theft/ME backdoor question

Lucian_P_
Beginner
‎08-28-2013 11:49 PM
710 Views

We restrict some of our workstations from access the internet.
At network level router drops any packet with destination outside of LAN and generates warnings in log.
At OS level (windows workstations) we use low level driver blocking the same. It helps to keep router's logs empty of warnings, because Windows never sends anything to external IP. Also it's a trap for deep backdoors.

We are going to buy new workstations with Intel 7/8-series chipsets. Intel Ant-Theft settings will be default (not activated).
The question. Will we find in router's log any (even 1) connection attempt to internet (or DNS resolve requests) after year of use?

0 Kudos

Link Copied

5 Replies
Gael_H_Intel
Moderator
‎08-29-2013 09:47 AM
710 Views

There shouldn't be any attemps to access the internet from the system simply being AT capable.  If your OEM has installed the Manageability Firmware Recovery Agent on your systems you might get a user consent box popping up that asks you if you would like to install a new version of the firmware. You can read more about it here: http://software.intel.com/en-us/blogs/2013/02/06/intel-manageability-firmware-recovery-agent

However, it is impossible for me to even guess why or if your system is trying to access the internet.

0 Kudos
Copy link
Lucian_P_
Beginner
‎08-29-2013 12:45 PM
710 Views

Thank you for reply.
Our current system doesn't try. Routing scheme is same for all workstations, so network router can bust attempts of any workstation (or its hardware) to bypass restriction by OS driver.

Intel Manageability Firmware Recovery Agent is preinstalled Windows software. We order, install and check all software and drivers only by ourself.
So we will never face with any Intel's ME hardware/hypervisor/etc connection attempt outside of operating system?

0 Kudos
Copy link
Gael_H_Intel
Moderator
‎08-29-2013 03:13 PM
710 Views

The ME wouldn't be trying to connect to the internet.  While it does have a built in web server, it isn't going to be connecting unless there is an agent that is doing something with it or if someone is trying to access the web ui (but then AMT has to be enabled for that to work.)

0 Kudos
Copy link
Lucian_P_
Beginner
‎08-29-2013 06:31 PM
710 Views
Non-Q chipset + any CPU gives AMT unprovisioned by default? Some chipsets don't support VT-d officially, but motherboard vendors still allow VT-d (if CPU is not "K"). Isn't the same with AMT, or everything depends on BIOS firmware? Open ports wouldn't hurt our LAN, anyway better to know.
0 Kudos
Copy link
Gael_H_Intel
Moderator
‎08-30-2013 08:55 AM
710 Views

Here is blog that has system requirements for vPro systems that are capable of AMT: http://software.intel.com/en-us/blogs/2013/08/07/intel-vpro-technology-release-90-platform-requirements

Systems do not come with AMT enable - the user or IT department has to enable the technology in order for it to be used.  Also, vPRO is only on Core i5 and i7 processors (along with particular chipsets).  If the system doesn't have those parts, it will not be AMT capable at all (cannot provision or enable something that is not there...)

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.