User-mode antivirus
More importantly, the biggest architectural change for Windows is getting antivirus and other security software out of the Windows kernel. This is why CrowdStrike's disastrous update was so hard to recover from: because the security software ran in kernel mode, a fault in it was a fault in the kernel itself. Windows could not do what it does with a crashed user-mode program, terminate the faulty component and carry on; instead, the whole system crashed, and kept crashing on every reboot until the bad content was removed by hand.
When Microsoft was designing Windows Vista nearly 20 years ago, the company wanted to get security software out of the Windows kernel. But, with Microsoft starting to offer its own antivirus at the time, security companies argued it was being anti-competitive and would hurt their business. Still stung by the US government's antitrust case over its alleged monopolization of the web browser market on Windows, Microsoft backed off and let security companies continue to integrate with Windows at a low level, even as it locked down other parts of the operating system.
After the CrowdStrike outage, though, Microsoft decided to take another crack at it. The result is the "Windows endpoint security platform," which arrives in private preview for Microsoft's antivirus partners this month. It lets them build antivirus and endpoint security software that runs outside the Windows kernel, so that a bug in that software takes down only its own process rather than the operating system. That does not make the software infallible: a crashed user-mode sensor still leaves a gap in protection until it is restarted, but the machine stays up and can recover on its own.
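To make the kernel-mode versus user-mode distinction in the two paragraphs above concrete, here is an added example; it is not code from the article, Microsoft or CrowdStrike. A toy "sensor" parses a content update and, on a malformed one, hits a real memory fault (an invalid pointer dereference, not a Python exception). It runs under a supervisor that detects the dead process, rolls back to the last known-good content and restarts it. Because the sensor is a user-mode process, the fault kills only that process and the supervisor keeps running; the same bad read inside a kernel driver would be a bug check for the whole machine. The content-file format, its "entries" field and the sensor itself are invented for the illustration.

```python
"""Fault isolation at the process boundary.

Added example, not code from the article, Microsoft or CrowdStrike. The
"sensor" is a stand-in for a user-mode security agent, and its content-file
format (a JSON object with "version", "entries" and "rules") is invented
for the illustration.
"""
import json
import os
import subprocess
import sys
import tempfile

# Source of the simulated sensor, run in a separate process. It trusts the
# update's "entries" count, and when that count exceeds the rule table it
# touches an invalid address via ctypes. That is a real access violation
# (SIGSEGV on POSIX, STATUS_ACCESS_VIOLATION on Windows), not a Python
# exception, so nothing inside the process can catch it. In a kernel
# driver the same bad read would take the whole machine down.
SENSOR_SRC = r'''
import ctypes, json, sys
with open(sys.argv[1]) as f:
    content = json.load(f)
rules = content["rules"]
for i in range(content["entries"]):
    if i >= len(rules):
        # Simulated out-of-bounds read: dereference address 0 (hard fault).
        ctypes.string_at(0)
    rule = rules[i]  # a real sensor would compile rule i here
print("sensor up:", content["version"], "with", len(rules), "rules")
'''


def run_sensor(content_path: str) -> int:
    """Run the sensor once as a child process and return its exit status.

    0 means it came up. A negative value on POSIX is the signal that killed
    it (SIGSEGV is -11); on Windows a fault surfaces as the NTSTATUS code
    (0xC0000005 for an access violation)."""
    proc = subprocess.run(
        [sys.executable, "-c", SENSOR_SRC, content_path],
        capture_output=True, text=True,
    )
    return proc.returncode


def supervise(new_content: dict, last_good: dict) -> dict:
    """Deploy a content update under a user-mode supervisor.

    Start the sensor with the new content; if that process dies, fall back
    to the last known-good content and start it again. Returns the outcome
    and the per-attempt exit statuses so a caller can alert on a rollback."""
    attempts = []
    with tempfile.TemporaryDirectory() as tmp:
        for label, content in (("new", new_content), ("last_good", last_good)):
            path = os.path.join(tmp, f"{label}.json")
            with open(path, "w") as f:
                json.dump(content, f)
            rc = run_sensor(path)
            attempts.append((label, rc))
            if rc == 0:
                # The supervisor is still running: any fault was confined to
                # the child, and protection is back on known-good content.
                return {"status": "running", "active": label, "attempts": attempts}
    return {"status": "down", "active": None, "attempts": attempts}


# Constructed sample content: a well-formed update and a malformed one whose
# "entries" count overstates the size of its rule table.
GOOD_CONTENT = {"version": "v1", "entries": 2, "rules": ["block-a", "block-b"]}
BAD_CONTENT = {"version": "v2", "entries": 5, "rules": ["block-a", "block-b"]}

if __name__ == "__main__":
    print(supervise(BAD_CONTENT, GOOD_CONTENT))
```

Running it shows the first attempt ("new") ending with a non-zero, signal-style exit status and the second ("last_good") coming up cleanly, while the supervisor itself never stops. The design point is that the recovery logic lives on the other side of a process boundary from the code that can fault; in a kernel driver there is no such boundary, which is exactly the gap the user-mode platform is meant to close.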