Microsoft announces that they intend to incorporate antivirus into Windows 8 OS and creates a flurry of interest. My first reaction was, "finally, a top security story that doesn't involve APT, hacktivism, or $leaks". The announcement is a significant event and will no doubt change antivirus in several ways. Embedding antivirus measures in the Windows OS deserves a bit more scrutiny than speculating when the litigation will begin. Here are some reasons to welcome - or worry about - Windows 8 AV.
Five reasons to worry about Windows 8 AV
A monoculture will emerge. The worry that all third party antivirus will disappear, leaving us only with what Microsoft delivers, is rather silly. Malware, whether zero-day or known, relies on communication among infected machines or to command and control. AV vendors will continue a shift from a host-centric approach to malware detection and mitigation to an approach that incorporates and increasingly relies on network traffic analysis. Rather than disappear, third party AV may get better. Transparency and reporting could become issues. We'll have to wait and see.
A monoculture antivirus defense is more easily targeted. While it is true that a common AV is also a common target, Microsoft should be able to better insulate embedded OS functionality from attacks in general, as well as from attacks that seek to disable AV. A related worry is whether we'll see a resurgence of malware that is destructive when it is detected or when attempts are made to remove malware components. A "parasite kills the host" strategy seems counter to the revenue model for online crime, which relies on victims using their PCs for banking, buying, etc. It's more likely that criminals will shift even faster to mobile devices than cannibalize their user base.
The quality and feature set of an embedded AV will prove to be sub-par. Some will argue that Windows Firewall is ample evidence that Windows 8 AV will be less than is needed or ineffective. The same argument was made when Microsoft incorporated a TCP/IP kernel. A bad AV is a disaster scenario for Microsoft and Windows users but one that the company ought to be able to avoid if it successfully leverages - and improves - Windows Defender and Microsoft Security Essentials.
The embedded AV will cause conflicts with COTS AV. This outcome is easily avoided. Microsoft can manage the conflicts issue by exposing an API to third party security developers, who can then develop products that leverage rather than compete or conflict with embedded functionality. Using a baseline of antivirus functionality as a building block for better AV, and avoiding duplication of that functionality, can be a win scenario for AV vendors and users. We may end up with a better overall security profile with a "baseline plus complementary" approach.
Will Microsoft stay the course? Providing what could evolve into the accepted baseline for AV, and managing market expectations of that baseline, could become a bigger investment and responsibility than MSFT is willing to bear in the future. Microsoft's malware research and its recent aggressive tactics against botnets suggest they are in the fight for the long haul and that they intend to stay competitive. If they change gears with future versions of Windows, the world won't end. We'd very likely return to what we have today.
Five reasons to welcome Windows 8 AV
Windows 8 AV sets a new baseline for host resident AV. Monoculture or not, having AV on every Windows 8 host ought to improve the current situation. 8AV won't alter the zero-day attack problem space, but surely it would be A Good Thing if all Windows 8 (and future Windows) hosts were able to detect known infections, offered protection against bootable removable media infected with malware, etc.? It's not clear whether (or when) Microsoft would move AV "to the cloud", but this, too, would seem to be a good thing.
Windows 8 AV will stimulate innovation in AV. The AV community is besieged with criticism regarding the efficacy of host resident AV. Building on the Windows OS resident AV should allow AV vendors to avoid duplication and focus on adding new value. Diverting to R&D the funding that would otherwise be spent across the industry, by each vendor, to develop detection and mitigation for mostly the same malware and variants sounds pretty good to me.
The move will stimulate greater collaboration - and scrutiny. Collaboration among AV vendors and MSFT will be a necessary condition for success, and it will be essential if we are to manage the global malware threat. The AV community will surely watchdog Microsoft to ensure that its embedded AV meets expectations. Features that Microsoft fails to include will be fair game for innovative and agile AV vendors.
The move will thin the herd. AV vendors who cannot adapt will disappear. The AV vendors who survive will have developed complementary security measures that security-minded users or enterprises will be willing and eager to purchase. This is no different from the situation TCP/IP stack vendors faced when Microsoft incorporated a TCP/IP kernel into the OS.
AV vendors will be forced to look at the network. Host resident AV is no longer sufficient in and of itself to detect malware. Network traffic analysis reveals complementary (there's that word again) and critically important insights into what miscreants are doing, where the infected hosts are, and how they are being commanded and coordinated. Many attacks are detected through network traffic analysis today. Suspicious traffic is traced back to source hosts and processes, and AV engineers use this to analyze and deconstruct malware. This analysis will become more prominent and effective.
Much ado over AV
Windows 8 AV won't kill or even corner the antivirus industry. The malware threat reaches well beyond Windows PCs. When I shared these thoughts with my partner, Lisa Phifer, she offered the following comment, a great conclusion for this column:
"Expect antimalware to continue to be applied at multiple points - endpoint, network, server, cloud - for layered defense. At the same time, virtualization and mobility are turning endpoints back into dumb terminals that run virtual apps and house secure vaults. At least on those endpoints, this trend is already deemphasizing resident AV and pushing AV scanning into the cloud. Host OS's don't fall into this bucket yet. But you can see demand growing for endpoint OS's that are inherently secure and manageable, but relatively simple above that. Embedded AV - if streamlined and focused on low-level threats - kind of fits into that evolution."