Recent developments at Microsoft suggest a significant shift may be on the horizon in how security products interact with the Windows kernel. This potential change was catalyzed by a major IT outage in July that affected millions of CrowdStrike customers and prompted a reevaluation of how endpoint security software is allowed to run.
Impending Changes in Windows Security Architecture
For security vendors, the ability to load kernel-mode (ring 0) drivers is paramount. Should Microsoft decide to restrict this access, following the precedent Apple set in 2019 with macOS, vendors would face the daunting task of redesigning their products. They would need to implement their security functionality at lower privilege levels, fundamentally changing how these solutions operate within the Windows ecosystem.
As the industry watches closely, questions remain about the specifics and timeline of any forthcoming changes. A critical consideration is whether Microsoft’s own Defender will be subject to the same restrictions or will retain its kernel-level access. While Defender may not offer the extensive feature set of independent endpoint detection and response (EDR) solutions, its continued operation at the kernel level could play a crucial role in the overall security landscape.