Microsoft is planning a new feature for Windows Defender that will continually check for system integrity, informing users if any secure part of the operating system has been compromised.
- An upcoming feature of Windows Defender, called runtime attestation, will be able to detect the most minute signs of security compromise, all the way down to the kernel level.
- Runtime attestation hasn’t been given a release date, but the basic features necessary to operate it will be released with the next version of Windows 10.
A feature added to the latest test build of Windows 10 is making Windows Defender a next-level security tool that can detect changes anywhere in a system, all the way down to kernel changes.
Called Windows Defender System Guard runtime attestation, the new security feature is designed to protect against system tampering that Windows Defender may otherwise miss.
Runtime attestation is designed to improve antivirus software detection, detect changes caused by rootkits, kernel tampering, and other exploits, ensure security of sensitive transactions, and ensure conditional access systems are secure.
Microsoft plans to roll out the building blocks for runtime attestation in the next version of Windows 10, but a full implementation may take some time, starting with APIs that allow Windows Defender to talk to sensitive system processes.
How runtime attestation protects Windows computers
Runtime attestation is complicated, but at its most basic level it’s simply Windows Defender having the capability to inspect and attest to the integrity of the lowest level of a Windows system.
Defender and the Windows components it attests to as being secure talk using an API that relays data to Defender, which in turn inspects it looking for changes. If none are found Defender will attest to the integrity of that component; if changes are found an error code will be returned and the user will be notified.
Runtime attestation has to be secure and encrypted to prevent an attacker from altering reports, which Microsoft has accounted for by using a virtualization-based security enclave to construct a secure kernel that the main Windows kernel can’t tamper with.
All of the attestation is done by the secure kernel, the end result of which is security validation that an attacker or malware in the Windows kernel can’t alter.
Microsoft gives an example where “an app could ask Windows Defender System Guard to measure the security of the system from the hardware-backed enclave and return a report. The details in this report can be used by the app to decide whether it performs a sensitive financial transaction or display personal information.”
The end goal of runtime attestation is to create a security system that can detect the most minute of symptoms, Microsoft said. “The idea is to continually elevate defense across the entire Windows 10 security stack, thereby pushing attackers into a corner where system changes affecting security posture are detectable.”
Don’t expect to see all the features of secure attestation in the next build of Windows 10—it will likely be some time until it is a full Windows feature. Microsoft hasn’t given a timeline outside of the release of groundwork elements due out soon.