Microsoft is moving antivirus providers out of the Windows kernel

Microsoft wants to avoid another CrowdStrike incident.

Cool. Do anticheat vendors next.
Do them now! Haha
Another big area of Windows that uses kernel-level drivers is anti-cheating engines for games. Microsoft has been speaking with game developers about how to reduce the amount of kernel usage, but it’s a more complicated use case as cheaters often have to purposefully tamper with their machine to disable protections and get cheating engines running.
“A lot of [game developers] would love to not have to maintain kernel stuff, and they are very interested in how they do that,” Weston says. “We’ve been talking about the requirements there, and I think we’ll have more to say on that in the near future.” Riot Games told me last year that it’s willing to follow potential Windows security changes and “recede from the kernel space.”
"A lot of [game developers] would love to not have to maintain kernel stuff, and they are very interested in how they do that,"
I don't know if I'm reading it in the way it was intended, but I'm laughing my ass off.
I don't know if this is Windows trying to stop hemorrhaging users to Linux, but if they go ahead with this it will likely hilariously backfire and make multiplayer games become even more compatible with Linux.
Steam is already rubbing their hands grubbingly.
I fucking called this after the CrowdStrike catastrophe.
MSFT would start massively reworking their entire concept of who actually gets kernel access, because uh, causing a Y2K event is uh, really bad, actually.... and yep, that probably means the kernel level AC paradigm is no longer workable.
Fucking obviously duh, wow, turns out just letting any old 'vetted' vendor submit goddamned kernel level code updates without being strenuously verified each time is a bad fucking idea, wow, who could have guessed??!?
Vanguard is the only thing holding me to windows. Microsoft and Riot pls
I wonder whether solutions like TwinCAT for industrial PCs/PLCs will be affected by this. Interfacing directly with the kernel and replacing the scheduler are, AFAIK, fundamental to making Windows viable for real-time use.
An interesting question. Assuming they're only targeting security/antivirus products at the moment (see the discussion regarding anti-cheat) it may be that those applications get a pass for now.
No, I think they are limiting kernel access. These are just what most people know that would use it.
I could see some exception for windows 11 IoT being made, but I honestly don’t know.
Wouldn’t it have made more sense for them to improve the boot recovery process instead?
If the system fails to boot after a driver update, roll back the update and inform the user on startup.
AFAIK the CrowdStrike issue wasn't a driver update, just virus definitions outside the driver, so your method wouldn't have helped.
Here’s hoping anticheat goes with them.