Malware defense has reached an equilibrium of sorts. For the vast majority of threats there’s more or less a status quo détente—attackers crank out malware variants in staggering volumes and the antimalware software installed on your PC generally detects and blocks them. Device Guard is a new security feature in Windows 10 designed to protect you against those few threats that manage to circumvent standard antimalware defenses.
The weakness of standard antimalware protection is that it’s just an application running on the operating system, which in turn runs on the PC. If an exploit can compromise the antimalware application itself, or the kernel beneath it, it can hide and operate in stealth, undetected by your security software. Device Guard enforces code integrity from a lower level, a hypervisor-isolated environment backed by the PC’s hardware, so that only trusted code is allowed to execute no matter what happens to the applications above it.
The standard antimalware defense is blacklist-based. Security vendors identify threats and push signature updates so the antimalware software has a current and comprehensive list of known threats. As files are scanned and code executes on the PC, it is compared against that list of known threats to detect and block malware. Any program that doesn’t match a signature in the blacklist is allowed to run.
One of the problems with this approach is that it’s reactive. I’ve noted for years that it’s a poor and untenable position to rely on “protection” that basically only works after the threat is already in the wild. The bad guys always get the first move so an emerging threat may very well go undetected until or unless your security vendor identifies it and adds it to the black list. Plus, there’s the issue mentioned earlier of an exploit potentially subverting the security software by compromising the PC at the operating system level.
Device Guard takes the opposite approach: a whitelist. Microsoft’s Chris Hallum explained Device Guard in a blog post earlier this year. “It provides better security against malware and zero days for Windows 10 by blocking anything other than trusted apps—which are apps that are signed by specific software vendors, the Windows Store, or even your own organization.”
In other words, a new piece of malware cannot get around Device Guard simply by being new: if it isn’t signed by a source the policy trusts, it won’t run. (Code that exploits a bug inside an already-trusted process is a different problem, and one a whitelist alone does not solve.) Device Guard depends on hardware features such as UEFI Secure Boot and the CPU’s virtualization extensions, so it needs systems built with them; right now that list includes most of the major Windows PC OEMs, like HP and Lenovo. The code-integrity enforcement itself runs in a virtualized environment that the hypervisor keeps separate from the Windows 10 kernel, so it can’t be tampered with even if Windows 10 itself is compromised. It also utilizes
Hallum explained, “You’re in control of what sources Device Guard considers trustworthy and it comes with tools that can make it easy to sign Universal or even Win32 apps that may not have been originally signed by the software vendor.”
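The workflow Hallum describes (trusting specific vendors, trusting your own signing certificate, and checking which unsigned apps you still need to deal with) maps onto the ConfigCI PowerShell module that ships with Windows 10 Enterprise. The script below is an added example, not code from the original post or from Microsoft; the folder paths, the `ContosoCodeSigning.cer` certificate and the `Contoso.pfx` signing key are assumptions for illustration. It builds a policy from a clean reference machine, runs it in audit mode first, reviews the would-be blocks, and only then switches to enforcement.

```powershell
# Added example (not from the original post): build, audit, then enforce a Device Guard
# code integrity policy with the ConfigCI module. Run elevated on a clean "golden" machine
# that has only the software you intend to trust. Paths and certificate files are hypothetical.

$PolicyXml      = 'C:\CIPolicy\DeviceGuardPolicy.xml'
$PolicyBin      = 'C:\CIPolicy\SIPolicy.p7b'
$OrgSigningCert = 'C:\CIPolicy\ContosoCodeSigning.cer'   # hypothetical: public part of your org's code-signing cert
$Deployed       = Join-Path $env:SystemRoot 'System32\CodeIntegrity\SIPolicy.p7b'
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# 1. Scan the reference machine and turn what it finds into allow rules.
#    -Level Publisher trusts anything signed by the same publisher certificate (the "specific
#    software vendors" case). -Fallback Hash pins binaries that carry no signature by their hash,
#    so they keep running until you can sign them. -UserPEs covers user-mode apps, not just drivers.
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\'

# 2. Trust your own organization's certificate for user-mode code, so in-house apps and
#    third-party apps you re-sign are allowed without a rule per file.
Add-SignerRule -FilePath $PolicyXml -CertificatePath $OrgSigningCert -User -Update

# 3. Start in audit mode (rule option 3). Nothing is blocked yet; Code Integrity only logs
#    what it would have blocked, which is how you find the apps you forgot to trust.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 4. Compile to the binary form Windows loads at boot, deploy it, and reboot.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item -Path $PolicyBin -Destination $Deployed -Force
# Restart-Computer   # policy takes effect at the next boot

# 5. After a representative period of normal use, pull every audit hit from the CI event log.
#    Event 3076 is an audit-mode "would have blocked"; 3077 is a real block under enforcement.
function Get-CIAuditHits {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076, 3077
    } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Message } |
        Sort-Object -Unique
}
Get-CIAuditHits

# 6. For each legitimate hit, either re-sign the binary with your own certificate, e.g.
#      signtool.exe sign /fd SHA256 /f C:\CIPolicy\Contoso.pfx /p <password> /tr <timestamp-url> /td SHA256 app.exe
#    (hypothetical key path), or re-run New-CIPolicy over that folder and merge the result with
#    Merge-CIPolicy. Then remove the audit option, recompile, redeploy and reboot to enforce.
Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item -Path $PolicyBin -Destination $Deployed -Force

# 7. After the reboot, confirm the state: 2 = enforced, 1 = audit, 0 = off.
Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard |
    Select-Object UsermodeCodeIntegrityPolicyEnforcementStatus,
                  CodeIntegrityPolicyEnforcementStatus,
                  SecurityServicesRunning
```

Two points a practitioner will care about. Audit mode is not optional in practice: going straight to enforcement on a fleet is how you discover, one help-desk ticket at a time, which line-of-business tool was never signed. And once you are satisfied with the policy, sign the `.p7b` itself (the policy option for unsigned policies is 6; remove it and sign the binary), otherwise a local administrator can simply delete the file and reboot.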
There is more administrative overhead involved in making sure that the applications you want to use are trusted by Device Guard. With a little effort, though, you can make sure that the applications you want are recognized and approved by Device Guard and the suspicious or malicious applications are simply not able to execute on your Windows 10 system.