HomeWinBuzzer NewsWindows Defender System Guard to Get Runtime Attestation

Windows Defender System Guard to Get Runtime Attestation

Windows Defender System Guard's runtime attestation will help detect kernel tampering, protect bank transactions, prevent cheating in games, and more. It will launch with the next Windows update.


made significant changes to the design of with the latest Insider update, but it's also adding to the System Guard arm. Windows Defender System Guard shipped with the Fall Creators Update and seeks to protect the integrity of your PC.

The technology incorporates features like Credential Guard, and will soon support runtime attestation. This feature is built into the core of Windows and will be delivered to all systems, protecting against the following threats:

  • “Providing supplementary signals for endpoint detection and response (EDR) and antivirus vendors (including full integration with the Windows Defender Advanced Threat Protection stack)
  • Detecting artifacts of kernel tampering, rootkits, and exploits
  • Protected game anti-cheat scenarios (for example, detection of process-protection bypasses that can lead to game-state modification)
  • Sensitive transactions (banking apps, trading platforms)
  • Conditional access (enabling and enhancing device security-based access policies)”

Aspects of runtime attestation will go live with the next update, with plans for future innovations to address emerging threats.

The Ransomware Threat

Like Credential Guard, runtime attestation makes use of Microsoft's Virtualization-based Security (VBS). This uses hardware virtualization features to securely isolate part of the system's memory. Windows can then host security solutions in this space for increased protection against vulnerabilities.

It's a clear help against attacks like WannaCry and NotPetya, and Microsoft acknowledges this inspiration.

“We believe that we can significantly raise the bar for security on locked-down platforms with modern hardware and appropriate security policies. In a world where direct privileged code-execution is difficult, we think that attacks will increasingly leverage data corruption,” said Microsoft's security team in a blog post. “The idea is to continually elevate defense across the entire Windows 10 security stack, thereby pushing attackers into a corner where system changes affecting security posture are detectable. One can think of runtime attestation as being more about detecting minute symptoms that can indicate an attack rather than looking for flashing signals.”

Ryan Maskell
Ryan Maskellhttps://ryanmaskell.co.uk
Ryan has had a passion for gaming and technology since early childhood. Fusing the skills from his Creative Writing and Publishing degree with profound technical knowledge, he enjoys covering news about Microsoft. As an avid writer, he is also working on his debut novel.