Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Announces Device Guard For Windows 10

Posted by Soulskill on from the throwing-up-a-new-moat dept.

jones_supa writes: Microsoft has announced a new feature for Windows 10 called Device Guard, which aims to give administrators full control over what software can or cannot be installed on a device. "It provides better security against malware and zero days for Windows 10 by blocking anything other than trusted apps—which are apps that are signed by specific software vendors, the Windows Store, or even your own organization. ... To help protect users from malware, when an app is executed, Windows makes a determination on whether that app is trustworthy, and notifies the user if it is not. Device Guard can use hardware technology and virtualization to isolate that decision making function from the rest of the Windows operating system, which helps provide protection from attackers or malware that have managed to gain full system privilege." It's intended to be used in conjunction with traditional anti-virus, not as a replacement.

4 of 190 comments (clear)

  1. Re:FTFY by Anonymous Coward · · Score: 5, Informative

    This is an optional feature, mainly targeted for enterprise use. The system administrator chooses what to whitelist. Also, any app can be self-signed.

    Quite nice feature if you want to prevent random executables from conquering the computer. Of course this does not protect from vulnerabilities contained inside any of the trusted apps.

  2. Won't guard against signed malware by Anonymous Coward · · Score: 2, Informative

    Remember that Stuxnet used drivers signed with "stolen" Realtek and JMicron certificates. Lots of malware is signed with fake, stolen, or weak certs. Hell, some manufacturers like Lenovo even included malware like Superfish on new laptops. Will Deviceguard prevent that from happening?

  3. Re:privacy :{ by Howitzer86 · · Score: 5, Informative

    I had to turn off UAC in Windows 8 to compile and automatically copy my plugin project to its proper directory because that directory is under Programs Files. This was necessary because I had set the host program to start immediately afterwards in order to debug my plugin as it ran. This worked, but in doing so, I lost access to my Windows 8 apps. I only use a few, but it was annoying enough that I eventually moved the project to a Windows 7 machine (and you don't have to turn UAC off completely, it's just as far as Windows 8 is concerned, if that one registry entry concerning protected directories is toggled off the whole thing is compromised).

    So, while any rebuttals here to the effect that "undoubtedly you can turn this off" are probably accurate, I wouldn't be surprised if there were things like this built into the system to encourage the user to keep it on. "Want to develop software on your PC? Well, either apply for a personal certificate or stop using Metro apps." It won't really stop developers, but it could shut down new user interest outside of closed markets.

  4. Re:Whitelisting executables... by Greyfox · · Score: 4, Informative
    "Trusted Malware Suppliers"

    You mean, like SONY?

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?