Windows 8 security focuses on early malware detection

Security experts say Windows 8 is the most secure Microsoft OS to date, but that doesn't mean malware won't evolve to exploit it

By Antone Gonsalves

October 29, 2012 (CSO) — In Windows 8, Microsoft has greatly improved the operating system's ability to detect malware before it has a chance to run, experts say. Windows 8 should also make it more difficult for people to unknowingly install malware in the first place.

The latest version of the OS, officially launched Thursday in a splashy event in New York, includes two key features to detect malware that tries to run while Windows is booting up. Hackers typically like to get their software running before the OS is fully loaded in order to remain hidden from antivirus applications.

Rootkits are a class of stealthy malware that opens a backdoor so cybercriminals can control a PC. To avoid detection, a boot-level rootkit (often called a bootkit) replaces the code used to start the computer with its own, so that it is already running before the OS and any antivirus software load, and can then disable that software.

To battle rootkits, Microsoft's hardware certification program for Windows 8 requires computer manufacturers to drop the 30-year-old BIOS firmware in favor of the Unified Extensible Firmware Interface (UEFI). The BIOS initializes the hardware and loads the first block of boot code from disk before handing control to it, without checking what that code is or where it came from.

UEFI makes loading rootkits more difficult through a feature called Secure Boot. The firmware refuses to run a boot loader unless the loader is digitally signed by a key whose certificate is enrolled in the firmware's signature database (the UEFI "db" variable), or whose hash is listed there, and unless it is absent from the forbidden-signature database ("dbx"). Microsoft's boot manager then carries the same check forward to the Windows loader and kernel, so each stage verifies the next and the code that starts Windows can be trusted to come from a known source.
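The decision described above can be illustrated on the hash-based part of the Secure Boot databases. The following Python is an added example, not code from the article or from any firmware or Microsoft component: it serializes and parses the EFI_SIGNATURE_LIST structures that the UEFI db and dbx variables are made of, then applies the allow-then-revoke rule to three constructed boot images. The signature-type GUIDs are the ones defined in the UEFI specification; the owner GUID, the image bytes and the database contents are constructed for the example, and plain SHA-256 stands in for the PE Authenticode hash that real firmware computes.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIG_LIST_HEADER = struct.Struct("<III")  # SignatureListSize, SignatureHeaderSize, SignatureSize
SIG_LIST_HEADER_LEN = 16 + SIG_LIST_HEADER.size  # SignatureType GUID + three UINT32 fields

# Constructed SignatureOwner GUID for the sample databases (not a real vendor's).
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")


def build_signature_list(sig_type, owner, datas):
    """Serialize one EFI_SIGNATURE_LIST holding EFI_SIGNATURE_DATA entries.
    All entries in a list share one SignatureSize, so datas must be equal-length."""
    sizes = {len(d) for d in datas}
    if len(sizes) != 1:
        raise ValueError("entries in one EFI_SIGNATURE_LIST must have equal size")
    sig_size = 16 + sizes.pop()                  # SignatureOwner GUID + SignatureData
    body = b"".join(owner.bytes_le + d for d in datas)
    list_size = SIG_LIST_HEADER_LEN + len(body)  # SignatureHeaderSize is 0 for hash/cert lists
    return sig_type.bytes_le + SIG_LIST_HEADER.pack(list_size, 0, sig_size) + body


def parse_signature_lists(blob):
    """Return [(sig_type, owner, data), ...] for every entry in a db/dbx blob,
    which is a concatenation of EFI_SIGNATURE_LIST structures. Every size
    field is bounds-checked so a malformed variable raises instead of being misread."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = SIG_LIST_HEADER.unpack_from(blob, off + 16)
        payload = list_size - SIG_LIST_HEADER_LEN - hdr_size
        if payload < 0 or off + list_size > len(blob):
            raise ValueError("SignatureListSize out of range")
        if sig_size <= 16 or payload % sig_size:
            raise ValueError("SignatureSize inconsistent with list size")
        pos = off + SIG_LIST_HEADER_LEN + hdr_size
        for _ in range(payload // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off += list_size
    return entries


def image_hash(image):
    """Simplification: real firmware hashes the PE/COFF Authenticode regions
    (skipping the checksum and certificate table); plain SHA-256 stands in here."""
    return hashlib.sha256(image).digest()


def hashes_in(blob):
    """All EFI_CERT_SHA256 entries in a db/dbx blob; X.509 entries are ignored."""
    return {d for t, _, d in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID}


def secure_boot_allows(image, db_blob, dbx_blob):
    """Hash-allowlist half of the Secure Boot decision: the image must appear in
    db and must not appear in dbx. dbx wins, which is how a once-trusted but
    later compromised loader is blocked without rewriting db. Certificate
    entries (EFI_CERT_X509_GUID) would need Authenticode signature verification
    against the enrolled certificate and are not evaluated in this example."""
    h = image_hash(image)
    return h in hashes_in(db_blob) and h not in hashes_in(dbx_blob)


# Constructed sample boot images and databases (not real loaders or real db contents).
TRUSTED_LOADER = b"constructed boot loader, allowed"
REVOKED_LOADER = b"constructed boot loader, allowed then revoked"
UNKNOWN_LOADER = b"constructed boot loader never enrolled"

SAMPLE_DB = build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
                                 [image_hash(TRUSTED_LOADER), image_hash(REVOKED_LOADER)])
SAMPLE_DBX = build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
                                  [image_hash(REVOKED_LOADER)])

if __name__ == "__main__":
    for name, img in (("trusted", TRUSTED_LOADER), ("revoked", REVOKED_LOADER), ("unknown", UNKNOWN_LOADER)):
        print(name, "boots" if secure_boot_allows(img, SAMPLE_DB, SAMPLE_DBX) else "blocked")
```

On a real Windows 8 machine the db and dbx blobs that this parser expects are what the Secure Boot cmdlets return as raw bytes (`Get-SecureBootUEFI -Name db`, `Get-SecureBootUEFI -Name dbx`), and `Confirm-SecureBootUEFI` reports whether the firmware is enforcing the check at all; a system that reports False there is running a legacy-style unverified boot regardless of what the databases contain.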

"This is a big step in the right direction of ensuring that no malware can install itself," said Wolfgang Kandek, chief technology officer of Qualys.

The push against rootkits comes as more sophisticated versions of the malware are being used in targeted attacks to steal documents and intellectual property from government agencies and large corporations, such as defense contractors.

This month, a House committee recommended against using products from the Chinese company Huawei, saying malware of this kind could be hidden in its networking gear. Experts believe China is a hotbed of cyber-espionage activity.

"Nearly all security products lack the ability to peer below the operating system to detect malware," said Paul Henry, a computer forensics expert and vice president of VNet Security. "Perhaps these new capabilities from Microsoft in Windows 8 will bring about that needed capability."

Another early-detection feature is Early Launch Antimalware (ELAM). ELAM lets an antivirus vendor's driver, which must itself be signed by Microsoft, load before any other third-party boot-start driver, something that only Microsoft's own code could do before. The ELAM driver then classifies each subsequent boot-start driver as good, bad or unknown before it is initialized, and Windows uses that verdict to decide whether to load it. Early loading gives antivirus vendors a chance to get their software in place before malware is activated.

While many security experts believe Windows 8 is the most secure version of the OS to date, that doesn't mean malware won't evolve to focus on other weaknesses. Security areas not addressed in Windows 8 include a better system for detecting malware before the user installs it, as happens when a person is tricked into opening a malicious email attachment.

With the latest version of Mac OS X, Mountain Lion, Apple introduced a feature called Gatekeeper. The feature gives the user several options in downloading software from the web, including limiting all installations to apps downloaded from the Mac App Store.
