Antivirus software will soon be moved out of the kernel mode in
Windows. This change is part of Microsoft's Windows Resiliency Initiative (WRI).
Last year, millions of Windows PCs crashed with a blue screen due to a faulty update for
Crowdstrike. In the aftermath of the incident, Microsoft held a security summit with the intention to prevent such issues in the future. Several security vendors, including Bitdefender, CrowdStrike, ESET, SentinelOne, Trellix, Trend Micro, and WithSecure, joined the
Microsoft Virus Initiative (MVI) 3.0 program to collaborate with Microsoft and improve the security and reliability of Windows.
Microsoft says that it will release a private preview of the Windows endpoint security platform to its MVI partners. The changes will require antivirus software, and endpoint detection and response (EDR) apps, to run in user mode like most apps do. Microsoft highlights that running apps with administrator permissions opens the door to malware, which could infect a user's computer, and wreak havoc on critical system resources, causing disruptions, data loss, etc. This was what had caused the Crowdstrike BSODs last year.
Security vendors will be able to test their software, and request changes if required, to ensure that their antivirus products run fine in user mode.
The Verge quotes David Weston, vice president of enterprise and OS security at Microsoft, who said that "We’re not here to tell them how the API should work, we’re here to listen and provide the security and reliability".
Instead of laying down the rules,
Microsoft is collaborating with antivirus vendors to share feedback and co-engineer the system. It could take a while to get things sorted with the previews, but this is a nice approach.
Weston also hinted that these changes could also affect kernel-level anti-cheat mechanisms used in games, Easy Anti-Cheat for example. It could be a thing of the past, which is welcome news.
www.ghacks.net
