Traditional antivirus runs inside the OS. If a virus installs itself in the UEFI (Unified Extensible Firmware Interface) BIOS, it loads BEFORE the OS and BEFORE the antivirus, and can hide indefinitely. This is a "bootkit".
Evil Maid Attack
You leave your laptop in your hotel room.
An attacker enters, plugs in a USB, and flashes a malicious UEFI update.
They leave.
You come back, type your password. The malicious UEFI captures it and sends it out.
You reformat your hard drive. The virus is still there: it lives in the firmware chip on the motherboard, not on the disk.
1. Secure Boot
The defense.
The CPU checks the digital signature of the UEFI.
The UEFI checks the signature of the Bootloader (GRUB/Windows Boot Manager).
The Bootloader checks the Kernel.
If any signature is invalid (hackers modified the code), the PC refuses to boot.
2. TPM (Trusted Platform Module)
A tamper-resistant chip on the motherboard.
It stores cryptographic keys.
Windows BitLocker uses it, with the policy: "Only decrypt the hard drive IF the boot signatures match the known good state."
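The two defenses above fit together, and the difference between them is easiest to see in code. The following is an added example (not from the original notes) that simulates both: each boot stage checks the next one's signature before handing over control (Secure Boot), and every stage is also measured into a simulated TPM PCR, with the disk key released only when the PCR equals the recorded known-good value (the BitLocker policy). It assumes an HMAC under a constructed vendor key as a stand-in for the asymmetric signatures real firmware verifies, and it uses the real PCR extend rule (new PCR = SHA-256 of old PCR concatenated with the measurement digest); the stage images, key and "SecureBoot=" configuration string are constructed.

```python
"""Added example: simulation of the Secure Boot chain of trust plus TPM
measured boot with BitLocker-style key sealing. Standard library only."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: real UEFI Secure Boot verifies asymmetric signatures (RSA/ECDSA
# certificates held in the firmware's db variable). An HMAC under a constructed
# vendor key stands in for that signature so the example runs offline.
VENDOR_KEY = b"constructed-vendor-signing-key"
SEALED_DISK_KEY = b"constructed-bitlocker-volume-master-key"


@dataclass
class BootStage:
    name: str         # "firmware", "bootloader", "kernel"
    code: bytes       # the image that gets executed
    signature: bytes  # signature over the image, checked by the previous stage


def sign(code: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Stand-in for the vendor signing the image at build time."""
    return hmac.new(key, code, hashlib.sha256).digest()


def signature_valid(stage: BootStage, key: bytes = VENDOR_KEY) -> bool:
    return hmac.compare_digest(sign(stage.code, key), stage.signature)


def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM PCR extend: PCR_new = SHA-256(PCR_old || SHA-256(data)).
    A PCR cannot be written directly, only extended, so the final value
    commits to every measurement and to the order they were made in."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def boot(chain: List[BootStage], secure_boot_on: bool = True) -> Tuple[bool, bytes]:
    """Walk the chain: each stage verifies the next one's signature before
    handing over control, and measures it into the PCR on the way.
    Returns (booted, final_pcr)."""
    pcr = bytes(32)  # PCRs start at all-zero at power-on
    # Firmware also measures its own Secure Boot configuration (PCR 7 on real
    # hardware), so switching Secure Boot off changes the PCR value.
    pcr = pcr_extend(pcr, b"SecureBoot=1" if secure_boot_on else b"SecureBoot=0")
    for stage in chain:
        if secure_boot_on and not signature_valid(stage):
            return False, pcr  # invalid signature: the PC refuses to boot
        pcr = pcr_extend(pcr, stage.code)
    return True, pcr


def unseal(pcr: bytes, expected_pcr: bytes) -> Optional[bytes]:
    """BitLocker-style policy: the TPM releases the disk key only if the PCR
    equals the value recorded when the key was sealed."""
    if hmac.compare_digest(pcr, expected_pcr):
        return SEALED_DISK_KEY
    return None


def make_chain(kernel_code: bytes = b"kernel v1") -> List[BootStage]:
    """Constructed three-stage chain, each image signed by the vendor."""
    images = [("firmware", b"uefi v1"), ("bootloader", b"grub v1"), ("kernel", kernel_code)]
    return [BootStage(name, code, sign(code)) for name, code in images]


# Known-good state, recorded once at provisioning time (when the key is sealed).
GOOD_CHAIN = make_chain()
KNOWN_GOOD_PCR = boot(GOOD_CHAIN)[1]


def scenario_tampered_kernel() -> Tuple[bool, Optional[bytes]]:
    """Attacker swaps the kernel but cannot re-sign it: Secure Boot refuses."""
    chain = make_chain()
    chain[2].code = b"kernel v1 + implant"  # signature no longer matches
    booted, pcr = boot(chain)
    return booted, unseal(pcr, KNOWN_GOOD_PCR)


def scenario_secure_boot_disabled() -> Tuple[bool, Optional[bytes]]:
    """Attacker turns Secure Boot off so the tampered kernel loads. The machine
    boots, but the PCR differs, so the TPM will not release the disk key."""
    chain = make_chain()
    chain[2].code = b"kernel v1 + implant"
    booted, pcr = boot(chain, secure_boot_on=False)
    return booted, unseal(pcr, KNOWN_GOOD_PCR)


if __name__ == "__main__":
    booted, pcr = boot(GOOD_CHAIN)
    print("clean boot:", booted, "key released:", unseal(pcr, KNOWN_GOOD_PCR) is not None)
    print("tampered kernel:", scenario_tampered_kernel())
    print("secure boot off:", scenario_secure_boot_disabled())
```

The second scenario is the point of pairing the TPM with Secure Boot: if an attacker manages to switch Secure Boot off, the machine still starts, but the measured state no longer matches the sealed one and the disk key stays locked.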
3. LoJax & BlackLotus
Real-world bootkits used by Russian hackers.
They exploit vulnerabilities in the UEFI implementation (like buffer overflows in the logo parser!) to gain execution and disable Secure Boot.
Mitigation
1. Set a BIOS Password. Prevents changes to boot order.
2. Enable Secure Boot. Keep it on.
3. Update Firmware. Manufacturers release BIOS updates to patch these vulnerabilities.
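"Keep it on" is only useful if you can confirm it is on. The following is an added example (not from the original notes) that reads the UEFI SecureBoot and SetupMode variables the way the Linux kernel exposes them under /sys/firmware/efi/efivars and reports whether Secure Boot is actually enforcing; the directory path and the EFI global variable GUID are the real ones, while the byte strings in the test are constructed inputs. It also covers the case a quick check tends to miss: SetupMode=1 means no Platform Key is enrolled, so the firmware is not enforcing anything even if the setup screen says Secure Boot is "supported".

```python
"""Added example: decode the SecureBoot / SetupMode UEFI variables from
efivarfs and report the effective Secure Boot state."""
import os
from typing import Optional, Tuple

EFIVARS_DIR = "/sys/firmware/efi/efivars"
# GUID of the EFI global variable namespace (EFI_GLOBAL_VARIABLE).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """efivarfs file layout: a 4-byte little-endian attribute mask followed
    by the variable data. Returns (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivar too short to contain an attribute header")
    return int.from_bytes(raw[:4], "little"), raw[4:]


def read_efivar(name: str, guid: str = EFI_GLOBAL_GUID) -> Optional[bytes]:
    """Return the variable's data, or None if it cannot be read (legacy BIOS
    boot, efivarfs not mounted, or insufficient permissions)."""
    path = os.path.join(EFIVARS_DIR, f"{name}-{guid}")
    try:
        with open(path, "rb") as f:
            return parse_efivar(f.read())[1]
    except OSError:
        return None


def secure_boot_state(secure_boot: Optional[bytes], setup_mode: Optional[bytes]) -> str:
    """Interpret the two one-byte variables.
    SecureBoot=1: the firmware is enforcing signature checks.
    SetupMode=1:  no Platform Key enrolled; anyone can enrol their own keys,
                  so signatures are not enforced regardless of SecureBoot."""
    if secure_boot is None:
        return "unavailable (not booted via UEFI or efivarfs not readable)"
    enforcing = len(secure_boot) >= 1 and secure_boot[0] == 1
    in_setup = setup_mode is not None and len(setup_mode) >= 1 and setup_mode[0] == 1
    if enforcing and not in_setup:
        return "enabled"
    if in_setup:
        return "setup mode (no platform key enrolled; Secure Boot not enforced)"
    return "disabled"


def check_this_machine() -> str:
    """Read both variables from the running system and classify them."""
    return secure_boot_state(read_efivar("SecureBoot"), read_efivar("SetupMode"))


if __name__ == "__main__":
    print("Secure Boot:", check_this_machine())
```

On a machine that was booted in legacy BIOS mode the efivars directory does not exist, and the check reports "unavailable" rather than "disabled", which is worth distinguishing: the former means the chain of trust described above never existed on that boot.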