HP Sure Start - Technical white paper
Runtime Intrusion Detection architecture
The RTID feature utilizes specialized hardware in the platform chipset to detect anomalies in the Runtime HP SMM BIOS.
Detection of any anomalies results in a notification to the HP Endpoint Security Controller, which can take the configured
policy action independent of the CPU.
User notifications, event logging, and policy management
HP Sure Start end user notifications
Under normal operating conditions, HP Sure Start is invisible to the user. When HP Sure Start identifies a problem,
recovery operations are automatic, using the default settings with no end user or IT interaction usually required.
Users may see runtime notifications in the event of a BIOS integrity problem detected via the HP Sure Start Dynamic
Protection or the Runtime Intrusion Detection features while the OS is running. If any significant event is detected or
action is taken, HP Sure Start displays a warning message via Windows® notifications on the next boot. HP Notifications
Software is required to enable the viewing of these Windows notifications.
HP Sure Start event logging
The HP Endpoint Security Controller records critical events related to the firmware/BIOS code and data monitored by
HP Sure Start. These events are stored within the Sure Start nonvolatile memory store. When HP Notifications software is
installed, the events are copied from the HP ESC to the Windows Event Viewer to facilitate access to these events by the
local user as well as the customer’s preferred manageability agent.
The following events trigger the HP Notifications Software to gather all events from the HP Sure Start subsystem and
ensure that the Windows Event Viewer is updated with any events that are not already recorded there:
• Windows Boot
• Windows Resume from Sleep/Hibernate
• HP Sure Start with dynamic protection runtime event notifications
• HP Sure Start Runtime Intrusion Detection (RTID)
HP Notifications Software populates HP Sure Start events into a unique “HP Sure Start” application event log.
Only HP Sure Start events will be included in this log. The Windows Event Viewer path to the HP Sure Start events is the
following: System Tools/Event Viewer/Applications and Services Logs/HP Sure Start.
The Windows Event Viewer level categories related to HP Sure Start events are defined in the table on the next page.
The events are populated into Windows Event Viewer in the order that they were generated by HP Sure Start. The oldest
event in the HP Sure Start subsystem is added to the Windows Event Viewer first and the most recent event is added last.
The timestamp for each Windows Event Viewer entry is the time it was added to that log, NOT the time the event
occurred. Each Sure Start Windows Event Viewer entry includes detailed data within the event details, which includes the
timestamp of the actual occurrence.
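One way to export this log for a manageability agent or SIEM while keeping the timestamp caveat visible; this is an added example, not HP code. Only the log name "HP Sure Start" comes from this paper; the 60-second batch window, the output column names and the CSV path are assumptions, and the event details are passed through unparsed because their layout is not given here.

```powershell
# Added example (not HP code). Log name is taken from the white paper.
$LogName         = 'HP Sure Start'
$BatchGapSeconds = 60   # assumption: one collection pass writes its entries within this window
$OutFile         = '.\hp-sure-start-events.csv'   # assumption: output path

# -Oldest returns records in write order. Per the paper, that is also the order
# in which HP Sure Start generated them, so RecordId is the reliable sequence key.
$events = Get-WinEvent -LogName $LogName -Oldest -ErrorAction Stop

$batch = 0
$prev  = $null
$rows = foreach ($e in $events) {
    # A gap in write time marks a new collection pass
    # (boot, resume from sleep/hibernate, or a runtime notification).
    if ($prev -and ($e.TimeCreated - $prev).TotalSeconds -gt $BatchGapSeconds) {
        $batch++
    }
    $prev = $e.TimeCreated

    [pscustomobject]@{
        RecordId = $e.RecordId
        Batch    = $batch
        # Time the entry was copied into the Windows log, NOT when the event occurred.
        LoggedAt = $e.TimeCreated.ToUniversalTime().ToString('o')
        Level    = $e.LevelDisplayName
        EventId  = $e.Id
        # Event details carried through as-is; the occurrence timestamp is in here.
        Details  = ($e.Properties | ForEach-Object { $_.Value }) -join ' | '
        Message  = $e.Message
    }
}

# Keep generation order in the export; do not re-sort on LoggedAt downstream.
$rows | Sort-Object RecordId |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

Entries that share a Batch value were copied in the same pass, so their LoggedAt values cluster even when the underlying events occurred far apart.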