Analysis: Microsoft Won’t Evict Security Vendors From The Windows Kernel Anytime Soon

While Microsoft is taking steps to provide an alternative way for endpoint security vendors to operate in Windows following the massive July outage, there are no signs this new option will become compulsory in the near future.

This week, Microsoft confirmed that it’s doing the reasonable thing after the massive outage in July that crippled millions of its Windows devices worldwide. It’s making some changes.

Notably however, those changes don’t include kicking vendors out of the Windows kernel. Access to the kernel—which is the core control center of Windows—enabled a faulty CrowdStrike Falcon update to send 8.5 million Windows devices into a “blue screen of death” state, leading to major societal disruptions that lasted for several days.


So what is Microsoft doing, exactly? For starters, the tech giant is providing a way for IT admins to deploy fixes to Windows devices even when those devices can’t be booted up. The impact of the outage in July would likely have been greatly reduced if this sort of capability had been available at the time, since the need for a manual fix on each Windows system was why the recovery took days instead of hours.

For the cybersecurity industry though, there are bigger implications in the second announcement from Microsoft this week. In response to calls for Microsoft to offer an alternative to kernel access for security vendors, Windows security chief David Weston confirmed that an option of this type is indeed in the works.

“We are developing new Windows capabilities that will allow security product developers to build their products outside of kernel mode,” Weston wrote in his post Tuesday.

As a result, security tools will be able to run in the same part of the operating system that applications do, known as “user mode.”

Two things struck me about the announcement, though.

One is that there was no indication that Microsoft is thinking of making this user-mode option into the only option, in effect barring security vendors from the kernel. At least not anytime soon.

In the wake of the outage, multiple security vendors (not just CrowdStrike) have made the case that kernel access is crucial to what they do and, thus, is a non-negotiable component of cybersecurity.

For instance, Sophos CEO Joe Levy told me that kernel access is essential because every endpoint security vendor is doing battle with cyber adversaries who want to disable their tools.

“They want to turn us off, or uninstall us, or defeat our ability to do the monitoring and process control that we need to do in order to stop malware from running, in order to stop ransomware from executing,” Levy said. “So we have to operate at the kernel level in order to defend ourselves against evasion or eviction.”

Microsoft has not yet provided specifics on its plans for the “user mode” alternative to kernel access. So at this point it’s not clear whether the new capabilities will address the issue Levy is describing here, namely how a security tool defends itself against being disabled or evaded while operating entirely outside the kernel.

(I’ve reached out to Microsoft and will update this post if I receive a response.)

The second thing that struck me is that Microsoft is not exactly rushing to provide these new capabilities.

Security vendors will have to wait until next July to try them out, when Microsoft plans to launch the capabilities as a private preview. And there’s no word yet on when this kernel alternative might be ready for prime time.

Maybe none of this should be surprising.

I spoke recently with Eric Grenier, director analyst at Gartner focused on endpoint security, who in his former life was manager of endpoint engineering at Yale University.

That is, Grenier knows from first-hand experience how the Windows world operates. And most of its big moves take place gradually.

“Major changes take years in the Windows world,” he said during our interview (which, in full disclosure, took place prior to the Microsoft announcement this week but still seems applicable).

“Part of it has to be recoding Windows to a certain degree. Some of it has to be the vendors recoding their platforms,” Grenier told me. “And all of that takes time.”