Microsoft has dropped strong hints that change is coming to the way third-party security products interact with the Windows kernel, prompted by the July IT outage in which a faulty CrowdStrike update crashed millions of Windows machines.
For security vendors, being able to load kernel-mode (ring 0) drivers matters: a driver at that level sees every process, file and network event on the machine, but it also runs with the same privilege as the kernel itself, so a bug in it can bring down the whole system, which is exactly what happened in July. If Microsoft withdraws that access, as Apple did for macOS when it deprecated third-party kernel extensions in 2019, vendors' products will need substantial redesign to do their work from user mode through interfaces the operating system exposes.
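A practical starting point for seeing how exposed a fleet is to this change is to enumerate which kernel-mode drivers on a host are not inbox Windows drivers. The PowerShell below is an added example, not code from the article or from any vendor; it assumes an elevated session on a Windows host and uses only the built-in `Win32_SystemDriver` class and `Get-AuthenticodeSignature`. One caveat it handles: third-party drivers that go through Microsoft's hardware program are counter-signed by "Microsoft Windows Hardware Compatibility Publisher", so filtering on the word "Microsoft" alone would hide the very agents you are looking for; only the `CN=Microsoft Windows` signer used for inbox drivers is excluded.

```powershell
# Added example (not from the article): list running kernel-mode drivers that are not
# inbox Windows drivers, i.e. the set that a user-mode-only security model would affect.
# Assumes an elevated PowerShell session on Windows; function name is the author's own.
function Get-ThirdPartyKernelDriver {
    $running = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($drv in $running) {
        # Win32_SystemDriver reports NT-style paths such as \SystemRoot\... or \??\C:\...;
        # normalise them so the file can be opened for signature inspection.
        $path = $drv.PathName -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

        # Inbox drivers are signed "CN=Microsoft Windows, ..."; third-party drivers submitted
        # through the hardware program carry "CN=Microsoft Windows Hardware Compatibility
        # Publisher", so matching on "Microsoft" alone would wrongly drop them.
        if ($signer -notmatch '^CN=Microsoft Windows,') {
            [pscustomobject]@{
                Driver = $drv.Name
                Path   = $path
                Signer = $signer
                Status = $sig.Status   # Valid, NotSigned, HashMismatch, ...
            }
        }
    }
}

# Usage: run elevated; anything listed here is a kernel-mode component that would have to
# move to user mode (or be re-approved) under a restricted-kernel-access model.
Get-ThirdPartyKernelDriver | Sort-Object Signer | Format-Table -AutoSize
```

Drivers reported with a status other than `Valid` deserve a second look regardless of the policy question, since an unsigned or hash-mismatched driver running in ring 0 is a problem in its own right.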
What is not clear, however, is what form the change will take or on what timescale. Hanging over this is whether Microsoft's own Defender would be affected, or would survive unchanged. Because much of Defender is built into Windows rather than shipped as a standalone endpoint detection and response (EDR) client, it is likely to keep working at the kernel level.