Security vendors will have an increasingly hard time making a case for expensive subscriptions as Microsoft keeps pushing Windows to be “secure enough” out of the box. Windows 8 adds a number of impressive features that really should make a difference in the “ecosystem”.
The main feature chart for security improvements in Windows 8 is described by the ubiquitous Steven Sinofsky of Microsoft in this blog entry entitled “Protecting you from malware”.
It’s most of the way down the article, but the point that has gotten the most press is the fact that Microsoft will include, in effect, their Security Essentials antivirus product. They’re rolling those capabilities into Windows Defender, which began life as an “antispyware” product (a questionable product category at the time and a long-obsolete one now). Suddenly Defender becomes relevant.
Neil Rubenking of PCMag asks a more specific version of the same question I ask: Will Windows 8 Destroy the Consumer Antivirus Market? Neil asks representatives of many respected security companies about it and they’re all pretty much of the opinion that Security Essentials isn’t in their class of product. They make a lot of good points. In any serious anti-malware test I’ve seen, Microsoft Security Essentials is at best average, probably a little below average. But for a number of reasons it may be good enough in Windows 8.
There are several reasons why I feel this way. First of all, there’s the fact that it’s included in the product, turned on by default and updated frequently. Then there are the other architectural improvements described by Sinofsky, including increased use of address space layout randomization (ASLR), increased protection for the heap, and special protections to block “use after free” vulnerabilities. None of these are airtight, and when a method is found to bypass one of them it generates a lot of press, but it’s indisputable that they raise the bar for attacking Windows and Windows apps substantially.
But the main reason I think malware may meet its match in Windows 8 is the inclusion of SmartScreen, an executable file reputation service previously implemented in Internet Explorer. I’ve discussed this before, but Microsoft has now made the feature official. Along with Defender and the other security improvements in Windows and IE, SmartScreen makes it likely that any executable without an established reputation, including brand-new malware, will be flagged. Unless attackers find some way to game the reputation system—a problem which Microsoft has undoubtedly considered and is on guard against—any new malware which would evade Defender and other anti-virus products would be flagged as “not commonly downloaded and could harm your computer”.
The configuration of this particular feature is a high-risk/high-reward point for Microsoft. Remember that this isn’t even beta code and the buttons in the dialog box above (not really a “box” anymore, but anyway…) may change. Some would say that users will tune out warnings like this and just click “Run”. To the extent that’s true, they’ve been warned and you can only do so much to protect people against their own reckless behavior. But Microsoft’s telemetry suggests the warning will be rare enough that users won’t tune it out. Sinofsky:
We expect average users to see a SmartScreen prompt less than twice per year and when they do see it, it will signify a higher risk scenario. Telemetry data shows 92 percent of applications downloaded via Internet Explorer 9 already have an established reputation and show no warnings. The same data shows that when an application reputation warning is shown, the risk of getting a malware infection by running it is 25-70 percent.
If you’re still worried about your users ignoring the warnings, Sinofsky adds: “SmartScreen gives you administrative controls to prevent your non-techie friends or children from ignoring these warnings”.
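The administrative control Sinofsky mentions, as an added example that is not from the article or from Microsoft’s post: in Windows 8 the SmartScreen level for downloaded apps is stored as the string value SmartScreenEnabled under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer, taking “RequireAdmin”, “Prompt” or “Off”. The registry location, the value names and the Zone.Identifier check below are assumptions about the Windows 8 implementation, not facts the article states. Run it from an elevated PowerShell 3.0 prompt.

```powershell
# Added example: read and harden the Windows 8 SmartScreen level so that a
# standard user cannot simply click through the "unrecognized app" warning.
# Assumed (not from the article): HKLM\...\Explorer\SmartScreenEnabled holds
# "RequireAdmin" (admin must approve), "Prompt" (warn only) or "Off".

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
$name = 'SmartScreenEnabled'

function Get-SmartScreenLevel {
    # Returns the current level, or "Unset" if the value has never been written
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Unset' }
    return $item.$name
}

function Set-SmartScreenLevel {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('RequireAdmin', 'Prompt', 'Off')]
        [string]$Level
    )
    Set-ItemProperty -Path $key -Name $name -Value $Level -Type String
}

function Test-MarkOfTheWeb {
    # SmartScreen only evaluates files Explorer knows came from the Internet.
    # Downloaded files carry a Zone.Identifier alternate data stream with
    # ZoneId=3 (Internet) or 4 (Restricted). A file without it is never prompted on.
    param([Parameter(Mandatory)][string]$Path)
    $ads = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($null -eq $ads) { return $false }
    return [bool]($ads -match '^ZoneId=[34]$')
}

$before = Get-SmartScreenLevel
Write-Host "SmartScreen level before: $before"

# "RequireAdmin" is the strict setting: a non-admin user cannot run an
# unrecognized app from the warning itself; an administrator has to approve it.
Set-SmartScreenLevel -Level 'RequireAdmin'

$after = Get-SmartScreenLevel
if ($after -ne 'RequireAdmin') { throw "Expected RequireAdmin, found '$after'" }
Write-Host "SmartScreen level after:  $after"

# Example check on a downloaded installer (path is a placeholder)
$sample = "$env:USERPROFILE\Downloads\setup.exe"
if (Test-Path $sample) {
    if (Test-MarkOfTheWeb -Path $sample) {
        Write-Host "$sample is marked as an Internet download; SmartScreen will evaluate it."
    } else {
        Write-Host "$sample has no Internet zone marker; SmartScreen will not prompt for it."
    }
}
```

The Test-MarkOfTheWeb check is the caveat a practitioner wants: files that arrive without the Zone.Identifier stream (copied from removable media, extracted by some archivers, or saved by a browser that does not set it) bypass the reputation prompt entirely regardless of the level set above, so the setting is only as good as the download path that feeds it.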
That still leaves the problem of false positives: by Sinofsky’s own figures, 30-75 percent of the applications that trigger the warning are not malware. While I’m sure that very few users will be affected by a meaningful false positive, this is the part that has me concerned, because the only real answer, I think, is user judgement. For instance, if the user knows to expect a freshly updated program from a developer they trust, then they may be able to see that the SmartScreen warning is a false one. It all depends on the circumstances.
This is why I think Microsoft has to make the SmartScreen warning dialogs more verbose and instructive. Perhaps there could even be a wizard of some kind at this stage. I think it’s worth trying to get the most out of the user at this point, because the benefits would be substantial: entire serious categories of malware could be rendered obsolete. It’s a pleasant thought at least.
Larry Seltzer is a freelance writer and consultant, dealing mostly with security matters. He has written recently for Infoworld, eWEEK, Dr. Dobb’s Journal, and is a Contributing Editor at PC Magazine and author of their Security Watch blog. He has also written for Symantec Authentication (formerly VeriSign) and Lumension’s Intelligent Whitelisting site.