Resilient Windows: Antivirus software flies out of the kernel
Microsoft does not want to have a CrowdStrike experience again. This is why antivirus software is now being removed from the Windows kernel.
Last year, a faulty CrowdStrike update paralyzed millions of Windows systems. The response has been slow to materialize, but the changes planned to prevent a repeat are now reaching the devices in the field. Microsoft has now announced a further step: antivirus software will no longer be permitted to hook into the Windows kernel.
Microsoft announced this in a blog post on the current status of the "Windows Resiliency Initiative" (WRI), which it launched at its own Ignite 2024 conference. One of the new mechanisms is meant to get Windows running again even when boot problems occur: Quick Machine Recovery (QMR), which starts the Windows Recovery Environment (Windows RE) in such cases, has been in testing in the Windows Insider preview builds since April of this year.
Windows to become more resilient
QMR will be "generally available later this summer", Microsoft announced in the post. It will be available for all Windows 11 devices from version 24H2 onwards and will be enabled by default on home devices; IT admins, however, will retain full control over it.
This also brings far-reaching changes for IT security software on Windows. Another initiative Microsoft has launched is the "Microsoft Virus Initiative" (MVI), in which the Redmond-based company works with partner companies on ways to improve the Windows platform so that resilience increases without sacrificing security. The participants have now reached the "MVI 3.0 program", which requires certain actions of the partner companies.
These include setting up and testing an incident response process and following Safe Deployment Practices (SDP) for Windows endpoint updates. "Security product updates must be deployed incrementally in distribution rings and use monitoring to minimize negative impacts," Microsoft explains. This matches how Microsoft's own platforms work: Microsoft Autopatch rolls out Windows updates in the same staged fashion. According to Microsoft, the result is greater stability, faster recovery and reduced risk for enterprise customers who rely on a secure and reliable Windows environment.
Get out of the kernel!
Next month, Microsoft plans to distribute a preview of the Windows Endpoint Security platform to selected MVI partners. It will enable them to build their security solutions to run outside the Windows kernel: software such as antivirus and endpoint protection will then run in user mode, just like ordinary applications. "This change will help IT security developers deliver a high level of reliability and easier recovery in the event of unexpected problems on Windows devices," Microsoft writes. Microsoft quotes several partner companies that welcome the coming solution, among them Bitdefender, CrowdStrike, ESET, SentinelOne, Trellix, Trend Micro and WithSecure.
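For an admin who wants to know what this change would actually affect on a given machine, the following PowerShell inventory is an added example, not code from the heise article, from Microsoft's blog post or from any of the named vendors. It lists the running kernel-mode drivers whose version resource names a company other than Microsoft, and the file-system minifilters registered in the Anti-Virus altitude range (320000 to 329999, the load-order group Microsoft assigns to antivirus filters). The vendor-name filter on "Microsoft" is an assumption for readability, and CompanyName is a self-reported string from the PE file, not a signature check.

```powershell
# Added example: inventory of third-party kernel-mode security components on this host.
# Not from the article or from Microsoft. Run from an elevated prompt: 'fltmc filters'
# requires administrator rights.

function Get-ThirdPartyKernelDrivers {
    # Running kernel drivers, with the vendor taken from the file's version resource.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName appears in several forms: \??\C:\..., \SystemRoot\..., or
            # relative to the Windows directory. Normalize to a plain file path.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }
            $info = (Get-Item -LiteralPath $path -ErrorAction SilentlyContinue).VersionInfo
            [pscustomobject]@{
                Name    = $_.Name
                Company = $info.CompanyName
                Path    = $path
            }
        } |
        # Assumption: anything not naming Microsoft is treated as third-party.
        Where-Object { $_.Company -and $_.Company -notmatch 'Microsoft' } |
        Sort-Object Company, Name
}

function Get-AntiVirusMinifilters {
    # Parse the tabular output of 'fltmc filters' (Filter Name, Num Instances,
    # Altitude, Frame). Header and separator lines do not match the regex.
    fltmc filters | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s+(\d+)\s+(\d+)(?:\.\d+)?\s+(\S+)\s*$') {
            [pscustomobject]@{
                Filter    = $Matches[1]
                Instances = [int]$Matches[2]
                Altitude  = [int]$Matches[3]
                Frame     = $Matches[4]
            }
        }
    } |
    # FSFilter Anti-Virus load-order group as documented by Microsoft.
    Where-Object { $_.Altitude -ge 320000 -and $_.Altitude -le 329999 }
}

'== Running third-party kernel drivers =='
Get-ThirdPartyKernelDrivers | Format-Table -AutoSize

'== Minifilters in the Anti-Virus altitude range =='
Get-AntiVirusMinifilters | Format-Table -AutoSize
```

On a machine protected only by Microsoft Defender the second list typically contains just WdFilter; each additional entry is a vendor component that today lives in the kernel and that the Windows Endpoint Security platform described above is intended to move to user mode. The first list is broader than security software (it also shows storage, GPU and VPN drivers), so read it as "who is in my kernel", not "who is my AV".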
Almost 20 years ago, with Windows Vista, Microsoft added APIs that gave IT security software a sanctioned way into the otherwise strictly protected 64-bit kernel. That arrangement now looks set to become history in the near future.
Microsoft is taking one more step under the WRI umbrella, this one concerning the blue screen of death. It has apparently become too colorful for the company: in future, the crash screen will be black.
(dmk)