Microsoft Plans New Antivirus Platform to Prevent Future Security Update Failures.

To avoid another incident like the CrowdStrike update mishap, Microsoft is exploring the creation of a dedicated platform within the Windows operating system, specifically for antivirus monitoring, to move security software out of the kernel.

This platform was a key topic during a summit Microsoft held with antivirus companies on September 10. While the event was private, Microsoft shared some insights later, mentioning their plans to introduce “new platform capabilities” in Windows.

Microsoft emphasized that the summit wasn’t meant for decision-making but was part of their effort to maintain transparency and engage the community. The event followed a major Windows outage in July, caused by a faulty CrowdStrike update. The issue stemmed from CrowdStrike’s software, which, like many antivirus programs, has access to the Windows kernel, a critical part of the operating system. The malfunctioning update crashed millions of computers because of this deep-level access.

Antivirus software uses kernel access to monitor malicious activities, but this can backfire if the software malfunctions. The July incident led Microsoft to reconsider kernel access for antivirus programs, potentially moving toward a model like Apple’s macOS. However, the company stopped short of this in their latest update.

Instead, Microsoft highlighted the call from customers and partners to develop “additional security capabilities outside of kernel mode.” These capabilities would allow antivirus programs to maintain protection without needing direct kernel access.

At the summit, Microsoft and its partners discussed the challenges of creating a new platform that meets the needs of security vendors, including performance issues, tamper resistance, and necessary security sensors. Though the company provided no specific details, they described the project as long-term and said they would continue working with partners to design the platform, aiming to enhance reliability without compromising security.

In the same post, Microsoft mentioned that the summit attendees agreed on the benefits of having options for security products in Windows. ESET, another antivirus provider, emphasized the importance of keeping kernel access available for cybersecurity products to ensure ongoing innovation and the ability to address future threats.

In the short term, Microsoft and antivirus vendors used the summit to share best practices for safely deploying security updates to Windows, discussing topics like improving testing and information sharing to ensure better compatibility and product health.
