Windows already has fairly effective controls that analyze applications and decide which ones should be allowed to run and which might be a threat. The problem is that Windows itself can be compromised, which means attackers can potentially hijack or manipulate those decisions. Device Guard is a new technology from Microsoft that isolates those security decisions in a separate environment from the OS for better protection.
I wrote a blog post about the new Device Guard protection from Microsoft:
Malware and exploits have a distinct advantage: they always get the first move. Traditional antimalware and security tools are reactive and based on detecting and blocking known threats. A threat can’t be known, however, until it exists and affects something or someone first. It’s a poor model for defense. Microsoft proposes to change that with Device Guard.
There are already controls in place within Windows that make determinations about whether or not an application can be trusted and should be allowed to execute. The Achilles heel of that approach is that some rootkits and exploits are capable of compromising Windows at the kernel level–below where those decisions are made. That means the malware itself can alter, override, or circumvent those decisions and execute anyway.
Device Guard takes the protection to a new level. It uses technology embedded at the hardware level, combined with virtualization, to separate the decision-making process from the Windows operating system. Microsoft’s Chris Hallum explained in a blog post that this isolation prevents malware and exploits from executing, even in the event that the attacker has full access to the system. “This gives it a significant advantage over traditional anti-virus and app control technologies like AppLocker, Bit9, and others that are subject to tampering by an administrator or malware.”
Microsoft already has support from most of its biggest OEMs to produce hardware capable of supporting Device Guard. HP, Acer, Lenovo, Toshiba, Fujitsu and others will manufacture systems designed for the new Microsoft security controls.
Read the full article at TechRepublic: Microsoft takes security to a new level with Device Guard.