Microsoft made significant changes to the design of Windows Defender with the latest Insider update, but it’s also adding to the System Guard arm. Windows Defender System Guard shipped with the Fall Creators Update and seeks to protect the integrity of your PC.

The technology incorporates features like Credential Guard, and will soon support runtime attestation. This feature is built into the core of Windows and will be delivered to all systems, protecting against the following threats:

  • “Providing supplementary signals for endpoint detection and response (EDR) and antivirus vendors (including full integration with the Windows Defender Advanced Threat Protection stack)
  • Detecting artifacts of kernel tampering, rootkits, and exploits
  • Protected game anti-cheat scenarios (for example, detection of process-protection bypasses that can lead to game-state modification)
  • Sensitive transactions (banking apps, trading platforms)
  • Conditional access (enabling and enhancing device security-based access policies)”

Aspects of runtime attestation will go live with the next Windows 10 update, with plans for future innovations to address emerging threats.

The Ransomware Threat

Like Credential Guard, runtime attestation makes use of Microsoft’s Virtualization-based Security (VBS). This uses hardware virtualization features to securely isolate part of the system’s memory. Windows can then host security solutions in this space for increased protection against vulnerabilities.

It’s a clear help against ransomware attacks like WannaCry and NotPetya, and Microsoft acknowledges this inspiration.

“We believe that we can significantly raise the bar for security on locked-down platforms with modern hardware and appropriate security policies. In a world where direct privileged code-execution is difficult, we think that attacks will increasingly leverage data corruption,” said Microsoft’s security team in a blog post. “The idea is to continually elevate defense across the entire Windows 10 security stack, thereby pushing attackers into a corner where system changes affecting security posture are detectable. One can think of runtime attestation as being more about detecting minute symptoms that can indicate an attack rather than looking for flashing signals.”