Windows 8 security focuses on early malware detection

In Windows 8, Microsoft has greatly improved the operating system's ability to detect malware before it has a chance to run, experts say. Windows 8 should also make it more difficult for people to unknowingly install malware in the first place.

The latest version of the OS, officially launched Thursday in a splashy event in New York, includes two key features to detect malware that tries to run while Windows is booting up. Hackers typically like to get their software running before the OS is fully loaded in order to remain hidden from antivirus applications.

Rootkits are a class of stealthy malware that open a backdoor so cybercriminals can control a PC. To avoid detection, the malware replaces the code used to start the computer with its own and disables antivirus software.

To battle rootkits, Microsoft has required computer manufacturers to drop the use of the 30-year-old BIOS firmware and replace it with the Unified Extensible Firmware Interface (UEFI). The BIOS sets up communications between the OS and computer hardware before handing over control to the OS.


UEFI makes loading rootkits more difficult by requiring that the initial boot-up code be digitally signed with a certificate derived from a key in the UEFI firmware. The feature, called Secure Boot, helps ensure that the code is from a trusted source.

"This is a big step in the right direction of ensuring that no malware can install itself," said Wolfgang Kandek, chief technology officer of Qualys.

The push against rootkits comes as more sophisticated versions of the malware are being used in targeted attacks to steal documents and intellectual property from government agencies and large corporations, such as defense contractors.

This month, a House committee recommended against using products from Chinese company Huawei, saying such malware could be used in its networking gear. Experts believe China is a hotbed of cyber-espionage activity.

"Nearly all security products lack the ability to peer below the operating system to detect malware," said Paul Henry, a computer forensics expert and vice president of VNet Security. "Perhaps these new capabilities from Microsoft in Windows 8 will bring about that needed capability."

Another early-detection feature is Early Launch Anti-Malware (ELAM). ELAM improves security by allowing antivirus vendors to run software while the OS is still loading, something that only Microsoft software could do before. Early loading gives antivirus vendors a chance to get their software in place before malware is activated.
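The two boot-time protections described above, Secure Boot and ELAM, can both be audited from an administrative PowerShell session. The script below is an added example for this article, not code from Microsoft or from the vendors quoted; it assumes Windows 8 or later, an elevated session, the built-in SecureBoot module that provides Confirm-SecureBootUEFI, and the documented registry locations for the ELAM boot-start driver policy and the "Early-Launch" load-order group.

```powershell
# Added example (not part of the original article): report the state of the
# Windows 8 boot-time protections from a defender's point of view.
# Assumptions: Windows 8+, elevated PowerShell, SecureBoot module present.

function Get-SecureBootState {
    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and raises an
    # error on legacy BIOS machines, which cannot enforce Secure Boot at all.
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch {
        "Not available ($($_.Exception.Message))"
    }
}

function Get-ElamLoadPolicy {
    # DriverLoadPolicy (REG_DWORD) under Control\EarlyLaunch is the
    # "Boot-Start Driver Initialization Policy": it decides which boot-start
    # drivers the kernel will load based on the ELAM driver's classification.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch'
    $value = (Get-ItemProperty -Path $key -Name DriverLoadPolicy -ErrorAction SilentlyContinue).DriverLoadPolicy
    switch ($value) {
        0       { 'Good only' }
        1       { 'Good and unknown' }
        3       { 'Good, unknown and bad-but-critical' }
        8       { 'All drivers (ELAM classification ignored)' }
        default { 'Not configured (system default: good, unknown and bad-but-critical)' }
    }
}

function Get-ElamDrivers {
    # Registered ELAM drivers belong to the "Early-Launch" load-order group,
    # which the boot loader starts before every other boot-start driver.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.Group -eq 'Early-Launch' } |
        Select-Object @{ Name = 'Name'; Expression = { $_.PSChildName } }, ImagePath, Start
}

# Summary object: a hardened Windows 8 system shows Secure Boot enabled, a
# restrictive load policy (0 or 1) and at least one ELAM driver registered.
[pscustomobject]@{
    SecureBoot     = Get-SecureBootState
    ElamLoadPolicy = Get-ElamLoadPolicy
    ElamDrivers    = (Get-ElamDrivers | ForEach-Object { $_.Name }) -join ', '
}
```

On a machine using the bundled Windows Defender you would expect WdBoot to appear in the ELAM driver list; a third-party antivirus product that takes advantage of ELAM registers its own driver in the same group. A load policy of 8 means the ELAM classification is ignored entirely, so the check is worth including in baseline compliance scripts.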

While many security experts believe Windows 8 is the most secure version of the OS to date, it doesn't mean malware won't evolve to focus on other weaknesses. Security areas not addressed in Windows 8 include a better system for detecting malware before the user installs it. Such a scenario would happen if a person were tricked into opening an email attachment.

With the latest version of Mac OS X, Mountain Lion, Apple introduced a feature called Gatekeeper. The feature gives the user several options in downloading software from the web, including limiting all installations to apps downloaded from the Mac App Store.

Kandek believes Microsoft may eventually head in the same direction. "With the introduction of the Windows 8 app store, they're trying to steer people more toward approved applications," Kandek said. "But it's not as strong as it is on the [Apple] iPhone platform where you get everything from the App Store."

Besides having trusted consumer app stores available, Kandek said he believes Microsoft should make it possible for companies to manage employee-only stores.

While blocking software from an unknown source would be good from a security standpoint, such a feature may be difficult on Windows because of the huge amount of software built for the OS, said Aryeh Goretsky, a security researcher at ESET.

"The Windows Store is going to allow them to create a very large ecosystem," Goretsky said. "But I don't know if it's ever going to be on the desktop Windows side at the point where you can only go through the Windows Store."

Antivirus vendors are particularly interested in the impact the new version of Windows Defender in Windows 8 will have on their business. Windows Defender includes antivirus protection.

In a recent white paper, ESET said Defender was better than free versions of antivirus products, but lacked advanced features found in paid software, such as task scheduling, centralized management and reporting.

However, a big change in Windows 8 when it comes to antivirus software is Microsoft's requirement that vendors provide a clean uninstall, which means no more leaving behind files, drivers, registry entries and other remnants that used to cause conflicts with other software and headaches for users. Microsoft's edict should also make installing and uninstalling antivirus software much easier.

Windows 8 also includes a new version of Internet Explorer. Version 10 of the browser runs Adobe Flash in a sandbox, the architecture used in Google Chrome. In addition, Microsoft will push updates to Flash automatically, so people will no longer have to deal with a second vendor for updates.

"That's a very positive thing," said Kandek. The browser plugin is a favorite target of hackers.
