Jason Garms, the Group Program Manager at Microsoft responsible for Windows 8’s security features, has written an overview of Windows 8’s added malware protection. If you are on the techie-side then it’s a great read, but otherwise your eyes will probably glaze over. So I’ll do a little bit of a summary for those who are curious, but if this is a topic of deep interest then I highly recommend reading Jason’s blog entry.
First let’s get the part that might make your eyes glaze over out-of-the-way. Malware-authors often are trying to exploit a vulnerability (i.e., flaw) to install their malware on your system. There are things (known as mitigations) you can do in software that make it very difficult to exploit any vulnerabilities they may find. Microsoft started introducing these techniques in Windows XP SP2 and has been expanding them in each release since. This is a key reason why, for example, Windows 7 is so much less subject to Malware than Windows XP. And Windows 8 contains yet another set of major mitigation improvements.
The second big change is the expansion of the built-in Windows Defender into a more complete anti-Malware solution. Jason revealed that when Windows 7 shipped the telemetry Microsoft was seeing indicated that close to 100% of systems had up-to-date anti-malware, but that a year later at least 27% did not. This is likely because many people do not pay for subscriptions to the anti-malware software pre-installed by computer manufacturers once the trial subscription runs out. Windows Defender addresses this problem.
A really exciting development is the inclusion of Application Reputation into Windows 8 itself. This feature first appeared in Internet Explorer 9’s SmartScreen and has now been extended to any file that is downloaded from the Internet (via other browsers, for example) and then run. If the file is has a known good reputation then Windows lets it run. If it does not have an established reputation then Windows warns you that it is risky to run. You will now see fewer warnings than in the past (Microsoft estimates that typical users will see only 2 warnings a year), and should take those warnings very seriously.
The last set of changes Jason talks about are changes to how Windows boots that protect against newer types of malware called Bootkits and Rootkits. One of the areas that malware authors have begun targeting is to install their malware so that it runs before any anti-malware software is started. So somewhere between when you press power-on and you logon to Windows. If malware can take control during this period then it can hide from or disable anti-malware software. Microsoft has secured this path, particularly when you are using a new PC that includes the latest firmware implementing “Secure Boot”. I can’t tell you how many conversations I’ve been in with security experts where the summary has been “we can’t really tell if a computer is healthy because the boot path is vulnerable”. With Windows 8 (and modern computers) that will no longer be true.
There’s the summary of Windows 8’s malware-protection improvements. For more details please see Jason’s blog posting.