Microsoft is trying to get antivirus software away from the Windows kernel

The obvious answer to accusations of anti-competitive self-dealing would be for Microsoft to eat its own API dogfood here. Windows Defender should be the guinea pig for the new endpoint security API. If it's not good enough for Defender, it shouldn't be forced on third party products. If Defender can do its job from userspace using only the new API, then the API is ready.
 
Upvote
339 (345 / -6)

Legatum_of_Kain

Ars Praefectus
4,081
Subscriptor++
Interesting. The CrowdStrike failure also shows how badly most companies do change control.

I'd like to see Microsoft kick the DRM/Anticheat companies out of the Windows kernel as well.
This is what I want.

Apple did this a while back and while I complained about shitty firewalls and anti malware for a while, macOS is absolutely solid because Apple kicked everyone out to user space, so now it’s their own fault if they mess up the kernel.
 
Upvote
175 (179 / -4)
The obvious answer to accusations of anti-competitive self-dealing would be for Microsoft to eat its own API dogfood here. Windows Defender should be the guinea pig for the new endpoint security API. If it's not good enough for Defender, it shouldn't be forced on third party products. If Defender can do its job from userspace using only the new API, then the API is ready.
I agree fully with this. On an added note, there's no reason to think MS won't accidentally compromise their own anti-virus software through some mistaken update. MS has published bad updates before after all, so if they make an exception for their own software, it's rendering the entire point of such a restriction moot.
 
Upvote
65 (69 / -4)
Dunno about the new BSoD (hey, same acronym!). Possibly thanks to decades of conditioning, that blue screen gets my attention immediately, but a black screen with text is normal everyday viewing, and I fear I wouldn't necessarily notice.
The BSOD is usually only visible long enough for the system to dump memory before it reboots, so you'd have to be looking right at it when it happens to catch it anyways.
 
Upvote
22 (30 / -8)

42Kodiak42

Ars Scholae Palatinae
1,439
The obvious answer to accusations of anti-competitive self-dealing would be for Microsoft to eat its own API dogfood here. Windows Defender should be the guinea pig for the new endpoint security API. If it's not good enough for Defender, it shouldn't be forced on third party products. If Defender can do its job from userspace using only the new API, then the API is ready.
I could also see a very valid argument along the lines of "We, as the developers and maintainers of Windows, have the right to fix our product's security problems at a deeper level than third parties will be allowed to." Although, this argument relies on Windows Defender being a part of Windows rather than its own sold-separately product.
 
Upvote
57 (58 / -1)
Deleted member 1085004

Guest
Interesting. The CrowdStrike failure also shows how badly most companies do change control.

I'd like to see Microsoft kick the DRM/Anticheat companies out of the Windows kernel as well.
And nearly a year later it seems somehow Crowdstrike has received very little in repercussions for the most damaging outage in recent memory, while spending more than ever in federal lobbying.
 
Upvote
108 (109 / -1)

Fatesrider

Ars Legatus Legionis
25,271
Subscriptor
This is what I want.

Apple did this a while back and while I complained about shitty firewalls and anti malware for a while, macOS is absolutely solid because Apple kicked everyone out to user space, so now it’s their own fault if they mess up the kernel.
Philosophically, I agree. Allowing kernel access seems to be the basis for so many OTHER problems, it should be locked down tight by the kernel makers. PRESUMABLY, they're not going to fuck it up with updates (yes, mocking laughter is permitted, because it's Microsoft, so we all know they're going to fuck it up with updates).

And when they do fuck it up, they take the heat and fix it, instead of pointing fingers at others who also have access to the kernel and obfuscate the matter until no one knows who to scream at to get the fucking thing fixed.

It's not clear whether this announcement is a first step toward booting third-party security companies out of the Windows kernel entirely or if it's simply a new, more foolproof option for companies whose software doesn't need that level of access.
Or it could be option C: Announcing something with fanfare, doing minor tweaks and pretending the problem is fixed, but largely proceeding with the status quo, relying on pinkie swearing that the vendor's software doesn't access the kernel. Something like a license agreement tweak that will be just as carefully read by the vendors as TOS's are by the users...

That just seem to be how the world works these days. Unless something is actively burning profits into ash, it's throwing do-fer's at it that may, or may not, contain the fire, and rarely puts it entirely out.

Then again, Windows is becoming Google and wants to control everything and all data, so maybe they're getting anal about what others do to their computers (and I say their computers because Microsoft keeps doing shit to their users that turns the user's property mostly into Microsoft's property).

I won't say Linux is more or less secure, since I don't know that, but at least they let you be the one fucking with your property by asking for permission first, and letting you decide yea, or nay. Microsoft just abuses your shit in the middle of the night and doesn't even bother locking the door on the way out. So, while this may begin a trend to locking the door, the abusing of users' shit will continue.
 
Upvote
35 (44 / -9)

afidel

Ars Legatus Legionis
18,207
Subscriptor
Interesting. The CrowdStrike failure also shows how badly most companies do change control.

I'd like to see Microsoft kick the DRM/Anticheat companies out of the Windows kernel as well.
Are you blaming the customers? Because Crowdstrike offered zero control over their equivalent of DAT updates, there was no delay available, no rollback, no release mechanism. You had all of that over engine updates, and we took advantage of them, but the definition updates come down multiple times a day. The problem here is that they updated what most would consider the engine with a definition update and apparently pushed it out without deploying it even to an internal lab let alone pilot collections.
 
Upvote
27 (36 / -9)

PsychoArs

Ars Scholae Palatinae
1,001
Subscriptor
QMR = new attack vector + more surface area for attacks.
So now you can get Windows to boot into an insecure but stripped down environment, likely without user controls, automagically! Nice.
I mean, maybe.

There's already the recovery console, which can't actually provide access to files unless you have a bitlocker key (if applicable) and an administrator password.
 
Upvote
26 (26 / 0)

jdale

Ars Legatus Legionis
18,378
Subscriptor
The BSOD is usually only visible long enough for the system to dump memory before it reboots, so you'd have to be looking right at it when it happens to catch it anyways.
That's been a configurable setting.

I do notice the continued trend to present less information, not to mention it's now in tiny print, almost assuring that users will not be able to report what error message they had. At one point there was a QR code to provide additional information, that of course is gone too.

A very sensible improvement they could add would be if, after such an event, you would get a popup window that explains what happens and provides the error message and links to additional information. That obviously only helps if the computer is able to recover, but I think that's the case for the majority of BSODs. Instead, the computer just pretends nothing happened, giving you little hope that repeats will be prevented.
 
Upvote
51 (52 / -1)
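jdale's two points, that the reboot-after-dump behaviour is a setting and that the stop code is not surfaced to the user afterwards, can both be checked from an elevated Windows PowerShell session. The following is an added example, not code from the article or from any commenter; it assumes the documented CrashControl registry key and the post-reboot bugcheck event (ID 1001 from WER-SystemErrorReporting) in the System log.

```powershell
# Added example (not from the article or any commenter): inspect and change the
# "automatically restart" behaviour after a bugcheck, and pull the last bugcheck
# code out of the System event log. Run in an elevated Windows PowerShell session.

$crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-BugcheckRebootPolicy {
    # AutoReboot = 1 means the box restarts as soon as the dump is written,
    # which is why the stop screen is usually gone before anyone reads it.
    $props = Get-ItemProperty -Path $crashControl
    [pscustomobject]@{
        AutoReboot       = [bool]$props.AutoReboot
        CrashDumpEnabled = $props.CrashDumpEnabled   # 0 none, 1 complete, 2 kernel, 3 small, 7 automatic
        DumpFile         = $props.DumpFile
    }
}

function Set-BugcheckAutoReboot {
    param([Parameter(Mandatory)][bool]$Enabled)
    # Same switch as System Properties > Startup and Recovery > "Automatically restart".
    # 0 leaves the stop screen up until someone power-cycles the machine.
    Set-ItemProperty -Path $crashControl -Name AutoReboot -Value ([int]$Enabled) -Type DWord
}

function Get-LastBugcheck {
    param([int]$Count = 5)
    # After the reboot Windows logs event 1001 with the stop code and its four
    # parameters; this is the information that never gets shown to the user.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
        Id           = 1001
    } -MaxEvents $Count -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Message = $_.Message
        }
    }
}

Get-BugcheckRebootPolicy
Set-BugcheckAutoReboot -Enabled $false
Get-LastBugcheck
```

Get-LastBugcheck returns nothing (rather than throwing) on a machine that has never bugchecked, because Get-WinEvent errors out when the filter matches no events. Turning AutoReboot off is useful on a workstation you are debugging; on a fleet it just turns a crash into an unattended hang, so leave it on there and read the 1001 events instead.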

Wheels Of Confusion

Ars Legatus Legionis
75,736
Subscriptor
The unexpected restart screen has been "simplified" in a way that "improves readability and aligns better with Windows 11 design principles, while preserving the technical information on the screen for when it is needed."
But still won't be informative to a human or search engine who just wants to know what broke and how to fix it.
 
Upvote
13 (19 / -6)
Please please please kill off the kernel level anti-cheat software as well! This is like the only thing holding back linux gaming and if microsoft removes this "feature" suddenly all these game companies have to figure out a solution that would theoretically work on linux as well.
I agree that kernel level checks need to GTFO, but I'm not convinced that whatever solution they'll replace them with won't break under Linux either.
 
Upvote
20 (23 / -3)
zero trust should also mean the security vendors too.

not sure why we keeping giving them root access to everything
Yeah, I was pretty confused when the CrowdStrike outage happened and I learned about the existence of this product, it seems like a complete paradox to pretend to be secure because you're giving a single company full kernel level access to all your systems...

Like am I just crazy or does this not make any goddamn sense at all?

Stop giving more money to this grift already...
 
Upvote
5 (22 / -17)

JoHBE

Ars Praefectus
4,292
Subscriptor++
It's a while ago I did IT support, but doesn't/didn't Windows have something like QMR? I'm a bit surprised they didn't right away construct THAT with this kind of failure in mind?

Two: doesn't moving code out of the kernel necessarily mean that some types of malware will stay out of reach of those "non-kernel" security applications?
 
Upvote
10 (10 / 0)

Fred Duck

Ars Tribunus Angusticlavius
7,329
Andrew Cunningham said:
For starters, the screen will now be black instead of blue, a change that Microsoft briefly attempted to make in the early days of Windows 11 but subsequently rolled back.
Surely you jest. This reads like one of those "hilarious" imaginary dialogues you often find in online comment sections, which look like this:

R. Developer: Mr. Ballmer, sir!
S. Nadella: Yes? I mean, stop calling me that!
R. Developer: Sorry! I've just thought of a way to eliminate blue screen of deaths!
S. Nadella: Will it use more resources? Will you need to write dozens upon dozens of lines of code?
R. Developer: No and no.
S. Nadella: How effective is this? 3%? 5.2%?
R. Developer: 100%.
S. Nadella: Well, then, go ahead. I'll talk with PR straight away. Imagine! No more blue screen of deaths!
Developer #2: That's impossible.
R. Developer: Not at all.

FIND :3376D1, REPLACE :000000

Andrew Cunningham said:
The unexpected restart screen has been "simplified" in a way that "improves readability and aligns better with Windows 11 design principles, while preserving the technical information on the screen for when it is needed."
Goodness.

How could anyone possibly improve the readability of a BSoD while preserving ALL OF THAT technical information?

Smileys DO NOT belong on error screens.jpg
 
Upvote
122 (124 / -2)

adespoton

Ars Legatus Legionis
10,746
I mean, maybe.

There's already the recovery console, which can't actually provide access to files unless you have a bitlocker key (if applicable) and an administrator password.
Based on the description, it appears QMR has the ability to let Microsoft push updates to the OS partition. Possibly this requires Administrator password and Bitlocker key, but since they're rolling it out to Home by default and opt-in for other tiers, it sounds like they've got some mechanism to push signed updates from Microsoft without requiring too much hands-on-keyboard expertise. This introduces new opportunities for impersonation attacks and flaws in whatever they added to enable load and execution of the update packages.
 
Upvote
15 (15 / 0)

adespoton

Ars Legatus Legionis
10,746
Goodness.

How could anyone possibly improve the readability of a BSoD while preserving ALL OF THAT technical information?

In this day and age, why don't they stick a QR code on the screen too? Then someone can easily capture it and submit it directly to MS from their phone to retrieve more detailed technical information.
 
Upvote
11 (14 / -3)

morlamweb

Ars Scholae Palatinae
1,432
Are you blaming the customers? Because Crowdstrike offered zero control over their equivalent of DAT updates, there was no delay available, no rollback, no release mechanism. You had all of that over engine updates, and we took advantage of them, but the definition updates come down multiple times a day. The problem here is that they updated what most would consider the engine with a definition update and apparently pushed it out without deploying it even to an internal lab let alone pilot collections.
I took their comment to mean that ClownStrike - oops, I mean crowd strike - has terrible change control.
 
Upvote
28 (30 / -2)

redleader

Ars Legatus Legionis
35,875
Yeah, I was pretty confused when the CrowdStrike outage happened and I learned about the existence of this product, it seems like a complete paradox to pretend to be secure because you're giving a single company full kernel level access to all your systems...

Like am I just crazy or does this not make any goddamn sense at all?

Stop giving more money to this grift already...
It is a consequence of the Windows application security model, which assumes by default that software is trustworthy and then tries to detect bad behavior after the fact. If you're a large organization that needs to protect your systems and data you end up needing something like Crowdstrike to detect compromised software or you're going to get destroyed by ransomware, bitcoin miners, IP theft and the like. It would be better if MS would improve what is built into Windows itself (sandbox apps, more protective permission model, less allowing software to install by requesting admin permissions, etc), but until that happens this is the least terrible option.
 
Upvote
13 (17 / -4)

Earthmapper

Ars Centurion
203
Subscriptor
Please please please kill off the kernel level anti-cheat software as well! This is like the only thing holding back linux gaming and if microsoft removes this "feature" suddenly all these game companies have to figure out a solution that would theoretically work on linux as well.
I'm a newb to Linux gaming, but have spent a very happy couple of months not booting Windows on my personal computers. Valve has really made it easy to get your Windows games running through Steam and some shops are releasing Linux-native premium games. Epic and other industry players are really starting to notice and making Anti-cheat much more approachable than it had been. (I cannot personally verify that, yet). Mildly better framerates and generally smoother all-around performance on an OS that isn't rampantly spying on you or popping up ads everywhere.

FWIW (and closer to the topic), I've been using Kubuntu, but they have a black screen of death that plagues Intel (I have an A770 LE) and Nvidia owners - I chuckled when I saw this article. I'm installing Fedora's KDE spin tonight and trying my luck with that. Lots of people I've seen on Ars report being happy with Bazzite, which comes with Steam pre-installed.
 
Upvote
13 (14 / -1)
The obvious answer to accusations of anti-competitive self-dealing would be for Microsoft to eat its own API dogfood here. Windows Defender should be the guinea pig for the new endpoint security API. If it's not good enough for Defender, it shouldn't be forced on third party products. If Defender can do its job from userspace using only the new API, then the API is ready.

Great idea. Leadership is about going first.
 
Upvote
12 (12 / 0)

Siosphere

Ars Praetorian
599
Subscriptor++
I'm still baffled that changes/updates to software in kernel space didn't create a Windows restore point. Like the whole point of that system was so that if an update happened that prevented it from booting, it would automatically rollback to the restore point...

Definitely kicking software out of kernel space is still the right thing to do, but they should also be more liberal with setting restore points. I mean hell, every time you update linux you can boot to the prior kernel version if you borked something. (and for me the last 4 kernel versions)
 
Upvote
15 (18 / -3)
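Nothing stops an admin from taking the restore point Siosphere describes before a kernel-mode component is changed. The block below is an added example, not code from the article or from any commenter; it assumes Windows PowerShell 5.1 (Checkpoint-Computer and Get-ComputerRestorePoint are not in PowerShell 7), an elevated session, and the documented SystemRestorePointCreationFrequency throttle value, which otherwise silently skips a second restore point within 24 hours.

```powershell
# Added example (not from the article or any commenter): create a System Restore
# point before a kernel driver change and list the points available to roll back to.
# Windows PowerShell 5.1, elevated.

$restoreKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'

function New-PreDriverRestorePoint {
    param([Parameter(Mandatory)][string]$Description)

    # System Restore is off by default on many installs; turn it on for the system drive.
    Enable-ComputerRestore -Drive "$env:SystemDrive\"

    # Windows ignores Checkpoint-Computer if a point was made in the last 24 hours
    # (SystemRestorePointCreationFrequency, in minutes). Set it to 0 for this call
    # so every driver deployment gets its own point, then put the old value back.
    $old = (Get-ItemProperty -Path $restoreKey -ErrorAction SilentlyContinue).SystemRestorePointCreationFrequency
    Set-ItemProperty -Path $restoreKey -Name SystemRestorePointCreationFrequency -Value 0 -Type DWord
    try {
        Checkpoint-Computer -Description $Description -RestorePointType DEVICE_DRIVER_INSTALL
    } finally {
        if ($null -ne $old) {
            Set-ItemProperty -Path $restoreKey -Name SystemRestorePointCreationFrequency -Value $old -Type DWord
        } else {
            Remove-ItemProperty -Path $restoreKey -Name SystemRestorePointCreationFrequency -ErrorAction SilentlyContinue
        }
    }
}

function Get-RecentRestorePoints {
    # Newest first; CreationTime is a WMI datetime string, so convert it.
    Get-ComputerRestorePoint |
        Sort-Object SequenceNumber -Descending |
        Select-Object SequenceNumber, Description, RestorePointType,
            @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } }
}

New-PreDriverRestorePoint -Description 'Before installing third-party kernel driver'
Get-RecentRestorePoints
```

A restore point captures system files, the registry and installed drivers, not user data, and it is applied from a booted Windows or from the recovery environment; it is the closest Windows equivalent to keeping the previous kernel in the boot menu, but it is not automatic unless something like the above runs before each change.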