Windows 8 ramps up early malware detection
In Windows 8, Microsoft has greatly improved the operating system's ability to detect malware before it has a chance to run, experts say. Windows 8 should also make it more difficult for people to unknowingly install malware in the first place.
The latest version of the OS, officially launched Thursday in a splashy event in New York, includes two key features to detect malware that tries to run while Windows is booting up. Hackers typically like to get their software running before the OS is fully loaded in order to remain hidden from antivirus applications.
Rootkits are a class of stealthy malware that open a backdoor so cybercriminals can control a PC. To avoid detection, a rootkit replaces the code used to start the computer with its own and disables antivirus software.
To battle rootkits, Microsoft has required computer manufacturers to drop the use of the 30-year-old BIOS firmware and replace it with the Unified Extensible Firmware Interface (UEFI). The BIOS sets up communications between the OS and computer hardware before handing over control to the OS.
UEFI makes loading rootkits more difficult by requiring that the initial boot up code be digitally signed with a certificate derived from a key in the UEFI firmware. The feature, called Secure Boot, helps ensure that the code is from a trusted source.
"This is a big step in the right direction of ensuring that no malware can install itself," said Wolfgang Kandek, chief technology officer of Qualys.
New threats, new defenses
The push against rootkits comes as more sophisticated versions of the malware are being used in targeted attacks to steal documents and intellectual property from government agencies and large corporations, such as defense contractors.
This month, a House committee recommended against using products from the Chinese company Huawei, warning that such malware could be embedded in its networking gear. Experts believe China is a hotbed of cyber-espionage activity.
"Nearly all security products lack the ability to peer below the operating system to detect malware," said Paul Henry, a computer forensics expert and vice president of VNet Security. "Perhaps these new capabilities from Microsoft in Windows 8 will bring about that needed capability."
Another early-detection feature is Early Launch Anti-Malware (ELAM). ELAM improves security by allowing antivirus vendors to run software while the OS is still loading, something only Microsoft software could do before. Loading early gives antivirus vendors a chance to get their software in place before malware is activated.
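As an added example, not part of the article, the following PowerShell script reports the state of the two boot-time defenses described above on the local machine: whether Secure Boot is enabled and which boot-start driver policy ELAM is enforcing. The `Confirm-SecureBootUEFI` cmdlet and the `EarlyLaunch` registry key are Microsoft's; the function name, output layout and findings text are my own. It assumes an elevated prompt on Windows 8 or later.

```powershell
# Added example (not from the article): summarise Secure Boot and ELAM status.
# Run from an elevated PowerShell prompt on Windows 8 or later.

function Get-BootDefenseStatus {
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines or when the
    # platform does not support Secure Boot; treat that as "not available".
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $null }

    # ELAM policy lives under HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch.
    # DriverLoadPolicy values (Microsoft's "Boot-Start Driver Initialization Policy"):
    #   0 = load only drivers the ELAM driver classified Good
    #   1 = load Good and Unknown
    #   3 = load Good, Unknown, and Bad-but-boot-critical (default when unset)
    #   7 = load all drivers, including known Bad
    $elamKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch'
    $policy  = (Get-ItemProperty -Path $elamKey -Name DriverLoadPolicy -ErrorAction SilentlyContinue).DriverLoadPolicy
    if ($null -eq $policy) { $policy = 3 }   # an absent value means the default applies

    $policyText = switch ($policy) {
        0       { 'Good only' }
        1       { 'Good and unknown' }
        3       { 'Good, unknown and bad-but-critical (default)' }
        7       { 'All drivers, including known bad' }
        default { "Unrecognised value $policy" }
    }

    # ELAM drivers register in the 'Early-Launch' load-order group (Group value
    # under their service key); list the ones present so you can see which
    # vendor's early-launch driver, if any, is installed.
    $elamDrivers = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        Where-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Group -eq 'Early-Launch' } |
        Select-Object -ExpandProperty PSChildName

    # Flag the settings a defender would want to revisit.
    $findings = @()
    if ($secureBoot -ne $true) { $findings += 'Secure Boot is off or unavailable: boot code is not signature-checked.' }
    if ($policy -eq 7)         { $findings += 'ELAM policy 7 lets known-bad boot drivers load; 3 or stricter is the expected setting.' }
    if (-not $elamDrivers)     { $findings += 'No Early-Launch driver registered: no antivirus runs before other boot drivers.' }

    [pscustomobject]@{
        SecureBootEnabled    = $secureBoot
        ElamDriverLoadPolicy = $policyText
        ElamDrivers          = $elamDrivers
        Findings             = $findings
    }
}

Get-BootDefenseStatus | Format-List
```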
While many security experts believe Windows 8 is the most secure version of the OS to date, that doesn't mean malware won't evolve to focus on other weaknesses. Security areas not addressed in Windows 8 include a better system for detecting malware before the user installs it, as happens when a person is tricked into opening an email attachment.
With the latest version of Mac OS X, Mountain Lion, Apple introduced a feature called Gatekeeper. The feature gives the user several options in downloading software from the web, including limiting all installations to apps downloaded from the Mac App Store.
Kandek believes Microsoft may eventually head in the same direction. "With the introduction of the Windows 8 app store, they're trying to steer people more toward approved applications," Kandek said. "But it's not as strong as it is on the [Apple] iPhone platform where you get everything from the App Store."
Extra locks for business
Besides having trusted consumer app stores available, Kandek said he believes Microsoft should make it possible for companies to manage employee-only stores.
While blocking software from an unknown source would be good from a security standpoint, such a feature may be difficult on Windows because of the huge amount of software built for the OS, said Aryeh Goretsky, a security researcher at ESET.
"The Windows Store is going to allow them to create a very large ecosystem," Goretsky said. "But I don't know if it's ever going to be on the desktop Windows side at the point where you can only go through the Windows Store."
Antivirus vendors are particularly interested in the impact the new version of Windows Defender in Windows 8 will have on their business. Windows Defender includes antivirus protection.
In a recent white paper, ESET said Defender was better than free versions of antivirus products, but lacked advanced features found in paid software, such as task scheduling, centralized management and reporting.
However, a big change in Windows 8 when it comes to antivirus software is Microsoft's requirement that vendors provide a clean uninstall, which means no more leftover files, drivers, registry entries and other remnants that used to cause conflicts with other software and headaches for users. Microsoft's edict should also make installing and uninstalling antivirus software much easier.
Windows 8 also includes a new version of Internet Explorer. Version 10 of the browser runs Adobe Flash in a sandbox, the architecture used in Google Chrome. In addition, Microsoft will push updates to Flash automatically, so people will no longer have to deal with a second vendor for updates.
"That's a very positive thing," said Kandek. The browser plugin is a favorite target of hackers.