Microsoft has revealed details of the private Windows Endpoint Security Ecosystem Summit, organized in response to a massive Windows outage that occurred in July due to an incorrect update of CrowdStrike antivirus software. There, the company discussed with partners the development of a new platform in Windows specifically designed for anti-virus monitoring, displacing security products from the operating system (OS) kernel.
Image source: Microsoft
The company emphasized, “While this was not a decision-making meeting, we believe in the importance of transparency and community engagement.” It is noteworthy that the summit was closed to journalists, which emphasizes its technical focus.
The key reason for the July incident was privileged access of antivirus software to the Windows kernel, a critical component of the OS. This mechanism, which allows antiviruses to effectively monitor malicious changes in the depths of the system, simultaneously poses a potential threat to its stability. In the case of CrowdStrike, a glitch in the update validation mechanisms allowed an error to slip through, causing Windows to crash on computers around the world.
Microsoft initially considered revoking kernel access entirely for third-party programs, which could transform Windows into a more closed OS similar to Apple’s macOS. However, following the summit, the company abandoned such radical measures. Instead, Microsoft will focus on developing a new platform that provides enhanced security capabilities outside of kernel mode, thereby meeting its customers and partners.
At the summit, Microsoft and its partners discussed in detail the technical aspects of creating a new platform. Key topics included ensuring performance outside of kernel mode, developing tamper-proof mechanisms for security programs, and determining the requirements for security sensors for anti-virus monitoring. Microsoft emphasized the long-term nature of the project to develop a new level of Windows security in close collaboration with ecosystem partners.