Bit9

Security firm Bitdefender recently ran a test in which Windows 8 stopped 85 percent of known threats right out of the box: 327 of the 385 malware samples run against the operating system. That is a significant improvement over Windows 7, which stopped only 16 percent of the same samples (61 of 385) in the same test, but it is hardly good enough to protect devices against zero-day threats, or even against common malware.

Even with the improved defaults, the OS still let through 15 percent of the most common malware in the test. Microsoft also promotes new application control functions built into Windows 8. These give users more flexibility and control over their own security, but hardly enough application control to thwart advanced persistent threats. In a recent whitepaper, Microsoft MVP Brien Posey offered some useful insights into application control on the Windows 8 platform.

AppLocker is Microsoft's replacement for Software Restriction Policies, which were introduced with Windows XP. AppLocker rules match an application on one of three attributes: its publisher (the digital signature), its path, or its file hash, rather than its file type. The solution adds protection and control, but it is not a comprehensive application control solution.
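The following PowerShell session is an added example, not code from this post or from Posey's whitepaper. It shows how an administrator builds an AppLocker policy from the three rule types above, tests files against it before deploying, and why choosing publisher rules over hash rules is what keeps approved software runnable when the vendor ships an update. The install directory, the sample executable and the output file name are assumptions; the AppLocker cmdlets themselves are Microsoft's. Note that on Windows 8 client editions only Enterprise actually enforces AppLocker rules (Pro can author them but does not enforce them).

```powershell
# Added example (not from the post or Posey's whitepaper). Run in an elevated
# PowerShell 3.0 session on Windows 8 Enterprise / Server 2012; the AppLocker
# cmdlets ship with Windows.
Import-Module AppLocker

# Assumed paths: the approved application's install directory and one binary to test.
$approvedDir = 'C:\Program Files\ApprovedApp'          # hypothetical vendor application
$testBinary  = 'C:\Users\Public\Downloads\unknown.exe' # hypothetical unapproved download
$policyFile  = "$env:TEMP\approved-apps.xml"

# 1. Collect publisher, path and hash information for every executable under the
#    approved directory. This is the raw material for all three AppLocker rule types.
$fileInfo = Get-AppLockerFileInformation -Directory $approvedDir -Recurse -FileType Exe

# 2. Build an allow policy for Everyone. 'Publisher, Hash' means: a publisher rule for
#    every signed file and a hash rule only as a fallback for unsigned ones. Publisher
#    rules keep matching after the vendor ships an update; a hash rule matches one exact
#    binary and would block the updated .exe just like an unknown one.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo `
                                 -RuleType Publisher, Hash `
                                 -User Everyone `
                                 -RuleNamePrefix 'ApprovedApp' `
                                 -Optimize -Xml

# 3. New-AppLockerPolicy leaves enforcement 'NotConfigured'. Start in audit mode so that
#    would-be blocks are only logged (Microsoft-Windows-AppLocker/EXE and DLL, event 8003)
#    instead of stopping users, then switch the collection to Enabled once the log is clean.
$policyXml = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# 4. Test before deploying. Once an Exe rule collection exists, anything that matches no
#    allow rule is DeniedByDefault, which includes Windows' own binaries unless the
#    default rules for %WINDIR% and %PROGRAMFILES% are merged in.
Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone `
    -Path "$approvedDir\app.exe", $testBinary, "$env:WINDIR\System32\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Rules do nothing unless the Application Identity service is running; make it start
#    automatically, then apply the policy locally (-Merge keeps existing rules; use
#    -Ldap with a GPO path to publish it domain-wide instead of locally).
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# Confirm what is now in force on this machine.
Get-AppLockerPolicy -Effective -Xml
```

The Test-AppLockerPolicy output is the check worth reading before enforcement: the approved binary should show Allowed with an ApprovedApp publisher rule as its MatchingRule, the download should show DeniedByDefault, and if notepad.exe is also DeniedByDefault the policy will break the machine the moment the Exe collection is switched from AuditOnly to Enabled.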

SmartScreen, the reputation filter Microsoft already uses in web-facing products such as Internet Explorer 9, is extended in Windows 8 to the operating system itself in order to defend against malware. As Posey illustrates in the whitepaper, “when a user attempts to install an application onto Windows 8, the OS creates a hash of the application. Windows uses this hash to locate the application within a reputation database and refers to the database’s contents to determine the application’s legitimacy.”

That sounds good, but the only administrative setting is a single Group Policy switch that chooses between warning the user, requiring administrator approval before unknown downloaded software runs, or turning SmartScreen off; there is no way for administrators to define which applications are allowed to run and which are blocked. In the default warning mode, an end user who is shown a block can simply override it. This makes it difficult for administrators to set a policy and ensure it is enforced on every endpoint and server. So SmartScreen may serve as a helpful antivirus-style check, but it is hardly application control.

These features are welcome in an operating system that is trying to offer the best protection it can, but they still fall significantly short. Application control is better suited to third-party products that centralize policy across every machine. The built-in tools also have trouble distinguishing patch updates to approved third-party software from genuinely unauthorized applications: a hash rule matches one exact binary, so an updated executable is blocked just like an unknown one. That means labor-intensive policy maintenance wherever approved applications on endpoints receive frequent updates. Posey recommends Bit9’s trust-based solution to achieve full application control against advanced threats such as Stuxnet, Flame and Gauss, arguing that it is really the only way to secure intellectual property while locking down critical assets such as domain controllers, servers and endpoints.
