Microsoft: Malware Signatures to be Rolled Into Online Updates

At a conference for its business customers in Los Angeles this morning, Microsoft Senior Vice President for Server and Tools Bob Muglia revealed that, as part of the company's upgrade of Systems Management Server to become "Systems Center Configuration Manager," the company will begin deploying malware signatures - perhaps on an as-discovered basis - as part of its online updates and patches sent to Windows Server customers.

The revelation came as the company unveiled two new product lines: Forefront for enterprise-oriented security tools, and System Center, which will envelop not only the old SMS but also Microsoft Operations Manager. MOM, as she was affectionately known, will now be called System Center Operations Manager; and through this common console, as product manager Kuleen Bharadwaj demonstrated, administrators will be able to poll Microsoft's network for Forefront support as often as policy may dictate, not just for patches but also for virus, adware, and other malware signatures.

What's important about this revelation is that, under the Forefront system, signature distribution is centrally administered. In many enterprises where anti-virus and other anti-malware software is deployed, users of client operating systems are the ones entrusted with making certain their signature files are up-to-date. Under the new system, client users may be relieved of the duty of updating their own protection, ceding that responsibility to the new System Center Configuration Manager - the same tool from which operating system images in the new WIM image format can be deployed.

But Microsoft's new signature files may be substantially different from what we've seen from security software firms in the past. As Muglia stated this morning, Microsoft has invested hundreds of millions of dollars into what he calls the "Dynamic Systems Initiative," which he describes as "a long-term, focused approach all of Microsoft that takes to build an infrastructure that enables a new generation of security and management products."

That phrase could perhaps use some deflation. Essentially, Muglia is saying that Microsoft is adopting its own internal policies for software product security auditing, using tools which it then intends to offer for sale - including tools in the Forefront product line.

Among these tools could be something - the precise definition of which still seems uncertain - that utilizes signatures in a different way, not just to help recognize the identity of malware but to aid in symbolizing the behavior of malware with respect to the operating system and to other applications. For that to work, Muglia implied, third parties who produce those applications would be called upon to cooperate.

[Photo: Microsoft SVP Bob Muglia speaking before a customers' conference in Los Angeles.]

Using equally fuzzy language, Muglia referred to "model-driven technology to capture the essence of an application, and enable a complete lifecycle of that application from the early definition through the design and development into the deployment and then into the update stages. How can we capture that data in models to simplify the management process?" He went on to challenge the audience to locate some kind of "infrastructure" on any operating system, including Windows, that adequately describes all of the components of an application and their relationships to one another. "It doesn't exist," he said. Such an infrastructure, he added, "is not a part of the core infrastructure of Linux, Unix, mainframes, Windows - none of those platforms have it."

An infrastructure within an infrastructure? What Muglia means is, one of the problems Microsoft and others have encountered in trying to improve the effectiveness of signatures for bad software is that there is no classification structure in place for good software. In fact, Windows may have been closest to such a structure several years ago, with the Component Object Model, but may have ironically drifted away from such a system with the embrace of .NET architecture, out of the need to create a more securable, managed software environment.

So the future solution Muglia implied is one where the behavior of good software - the status quo of the way things should be - is easily recognized, by way of modeling. Consider the logic to that approach for a minute: Rather than wait for behavioral models for bad software interaction to become available every month or every Tuesday or whenever, and then apply those models to running environments to see what matches, why not have persistent behavioral models for good software, and then provide tools for excluding behavior that doesn't match?

"We've made a lot of investments over the last few years in Operations Manager," Muglia told the audience, "to build it into an industry leading tool in understanding the state and health of machines in an organization. And with the new release of Operations Manager, we focused on understanding services as a whole - service-level management versus machine-level management. We do that using models. Models are the basis for that. Without models, we couldn't understand all the components of a service and bring those together."

Documentation made public over the past few weeks by Microsoft also reveals plans to upgrade the ability of management tools such as the new SCOM to disallow network interactions between computers not deemed "healthy." By that, Microsoft means clients on a network whose local security audits reveal they have not received the most recent updates.

Security policies on new Windows Server networks with System Center tools installed can be configured to place non-updated systems in a kind of restricted mode, preventing them from accessing other machines in the network except the designated update deployment server. Once those updates are installed, the audit repeated, and the client checks out, it can re-enter the network.

As today's demonstration made clear, malware signatures as well as future behavioral signatures may be among those items that network policies may require for clients to attain a clean bill of health for their local audits.
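The health-gating scheme described in the preceding paragraphs (audit the client, confine non-compliant machines to the update server, re-audit after remediation, then readmit) can be sketched as a small policy engine. The following is an added illustration written for this article, not Microsoft's System Center code or configuration; the policy fields, client fields and the `update-server` hostname are constructed for the example.

```python
"""Toy model of an update/signature health gate for network admission.

Illustrative only: this is not Microsoft's implementation. It shows the
control flow the article describes: audit -> restrict -> remediate ->
re-audit -> readmit.
"""
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    HEALTHY = "healthy"        # full network access
    RESTRICTED = "restricted"  # may reach only the update server


@dataclass(frozen=True)
class Policy:
    """What a client must have before it is considered healthy (constructed values)."""
    required_patch_level: int
    required_signature_version: int
    update_server: str  # the one destination a restricted client may reach


@dataclass
class Client:
    name: str
    patch_level: int
    signature_version: int
    state: State = State.RESTRICTED  # untrusted until the first audit passes


def audit(client: Client, policy: Policy) -> list[str]:
    """Local health audit: return the list of deficiencies (empty means healthy)."""
    findings = []
    if client.patch_level < policy.required_patch_level:
        findings.append(
            f"patch level {client.patch_level} < required {policy.required_patch_level}")
    if client.signature_version < policy.required_signature_version:
        findings.append(
            f"signature version {client.signature_version} "
            f"< required {policy.required_signature_version}")
    return findings


def apply_policy(client: Client, policy: Policy) -> State:
    """Run the audit and place the client in HEALTHY or RESTRICTED mode."""
    client.state = State.HEALTHY if not audit(client, policy) else State.RESTRICTED
    return client.state


def may_connect(client: Client, policy: Policy, destination: str) -> bool:
    """Network policy decision: restricted clients reach only the update server."""
    if client.state is State.HEALTHY:
        return True
    return destination == policy.update_server


def remediate(client: Client, policy: Policy) -> State:
    """Simulate pulling patches and signatures from the update server, then re-audit.

    The update server must be reachable even in restricted mode, otherwise the
    client could never recover (a common misconfiguration to check for).
    """
    if not may_connect(client, policy, policy.update_server):
        raise RuntimeError("update server unreachable from restricted mode")
    client.patch_level = max(client.patch_level, policy.required_patch_level)
    client.signature_version = max(client.signature_version,
                                   policy.required_signature_version)
    return apply_policy(client, policy)


def walkthrough() -> dict:
    """End-to-end run on a constructed stale client; returns the observed decisions."""
    policy = Policy(required_patch_level=12, required_signature_version=340,
                    update_server="update-server.corp.example")
    stale = Client("ws-17", patch_level=11, signature_version=298)
    result = {}
    result["initial_state"] = apply_policy(stale, policy)
    result["fileserver_before"] = may_connect(stale, policy, "fileserver.corp.example")
    result["update_before"] = may_connect(stale, policy, policy.update_server)
    result["after_remediation"] = remediate(stale, policy)
    result["fileserver_after"] = may_connect(stale, policy, "fileserver.corp.example")
    return result


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

One design point worth noting from a defender's side: in this model the audit result is produced on the client itself, so the gate is only as trustworthy as the agent reporting it. Production deployments therefore pair the self-audit with a server-side check of what the update server actually delivered, and log every transition between restricted and healthy so that a machine flapping between the two states is visible to operations.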

Responding to today's demonstration, a representative of Symantec issued a statement reminding prospective customers that Microsoft's new Forefront tools have been said to use the same anti-virus protection technology as in OneCare, the company's consumer-level security service; and that OneCare failed the VB100 test from Virus Bulletin.

The statement went on to promise that Symantec's future enterprise-level security service, code-named "Hamlet," will "combine signature-based protection and proactive protection from zero-day threats in a single endpoint agent," though Symantec did not go on to distinguish its service from what Microsoft revealed this morning.


© 1998-2024 BetaNews, Inc. All Rights Reserved.