Microsoft is moving antivirus programs from running at kernel level

[harlan4096]

Antivirus software will soon be moved out of the kernel mode in Windows. This change is part of Microsoft's Windows Resiliency Initiative (WRI).

Last year, millions of Windows PCs crashed with a blue screen due to a faulty update for Crowdstrike. In the aftermath of the incident, Microsoft held a security summit with the intention to prevent such issues in the future. Several security vendors, including Bitdefender, CrowdStrike, ESET, SentinelOne, Trellix, Trend Micro, and WithSecure, joined the Microsoft Virus Initiative (MVI) 3.0 program to collaborate with Microsoft and improve the security and reliability of Windows.

Microsoft says that it will release a private preview of the Windows endpoint security platform to its MVI partners. The changes will require antivirus software, and endpoint detection and response (EDR) apps, to run in user mode like most apps do. Microsoft highlights that running apps with administrator permissions opens the door to malware, which could infect a user's computer, and wreak havoc on critical system resources, causing disruptions, data loss, etc. This was what had caused the Crowdstrike BSODs last year.

Security vendors will be able to test their software, and request changes if required, to ensure that their antivirus products run fine in user mode. The Verge quotes David Weston, vice president of enterprise and OS security at Microsoft, who said that "We’re not here to tell them how the API should work, we’re here to listen and provide the security and reliability".

Continue Reading...