{"id":192033,"date":"2026-03-02T08:19:00","date_gmt":"2026-03-02T13:19:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/02\/how-microsoft-partners-are-tackling-huge-huge-task-of-making-security-software-safer\/"},"modified":"2026-03-02T08:30:11","modified_gmt":"2026-03-02T13:30:11","slug":"how-microsoft-partners-are-tackling-huge-huge-task-of-making-security-software-safer","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/02\/how-microsoft-partners-are-tackling-huge-huge-task-of-making-security-software-safer\/","title":{"rendered":"How Microsoft, partners are tackling \u2018huge, huge task\u2019 of making security software safer"},"content":{"rendered":"<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/microsoft-windows-resilience-initiative-security-kernel\/813416\/\">How Microsoft, partners are tackling \u2018huge, huge task\u2019 of making security software safer<\/a><\/p>\n<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/microsoft-windows-resilience-initiative-security-kernel\/813416\/\">https:\/\/www.cybersecuritydive.com\/news\/microsoft-windows-resilience-initiative-security-kernel\/813416\/<\/a><\/p>\n<p>Publish Date: 2026-03-02 08:19:00<\/p>\n<p>Source Domain: www.cybersecuritydive.com<\/p>\n<p>Microsoft and its partners are quietly grinding away on a massive project to completely redesign how cybersecurity software runs in Windows, with the hope of making it more resilient. 
But it could be years before customers see the results of one of the most ambitious software engineering transformations in decades.<br \/>\nThe project, known as the Windows Resiliency Initiative, is intended to protect Windows computers from the disruptive effects of defective third-party software running inside the kernel, the operating system\u2019s most powerful environment. Microsoft announced the effort after a faulty CrowdStrike software update in 2024 paralyzed millions of computers and caused billions of dollars in damages. The outage affected governments, critical infrastructure organizations and Fortune 500 companies and prompted widespread discussions about the risks of third-party code in the kernel.<\/p>\n<p>The result is an unprecedented collaboration between Microsoft and third-party security vendors to redesign Windows, as well as products like endpoint detection and response (EDR) software and antivirus applications, in ways that improve resilience without sacrificing security or speed.<br \/>\nMicrosoft and its partners have said little publicly about the major initiative, but everyone involved appears to recognize how hard it will be to rewrite the pathways between Windows and some of its most important tools.<br \/>\n\u201cEvery day\u2019s a learning curve,\u201d said Tony Anscombe, the chief security evangelist at ESET, one of the handful of companies working closely with Microsoft on the project. \u201cWe learn something every day.\u201d<br \/>\nLessons from the CrowdStrike incident<br \/>\nThe Windows kernel is the core of the operating system, the connective tissue between a computer\u2019s hardware and software components. It oversees how much memory applications are using, verifies the configuration of device drivers and deconflicts the work of the computer\u2019s various processes. 
It can do all of this work because it has total control over everything happening inside the computer.<br \/>\nBecause of the powers granted to programs running inside the kernel, security application developers have found it to be a useful environment for their products, which need total visibility and control in order to block cyberattacks.<br \/>\n\u201cAs a security vendor, you want to see everything that\u2019s happening on the device,\u201d Anscombe said.<br \/>\nThe kernel\u2019s ability to essentially freeze and reset the computer\u2019s regular operating environment becomes a major asset when the computer encounters a problem, whether accidental or malicious. \u201cYour machine doesn\u2019t need to be rebooted,\u201d Anscombe said, \u201cand that\u2019s because the application was running in that other mode, where Windows as the OS, the kernel mode, can shut down the user mode and restart [it] without doing a reboot.\u201d<br \/>\nIn addition to visibility and control, the kernel also offers speed and flexibility that greatly benefit security applications.<br \/>\nBut the kernel\u2019s immense power also comes with significant responsibility, as a defective kernel process could bring down an entire computer \u2014 or, if deployed widely, an entire network.<\/p>\n<p>That\u2019s exactly what happened on July 19, 2024, when CrowdStrike deployed a faulty software update to its endpoint detection and response (EDR) product, Falcon. The flawed code forced Windows computers running Falcon to restart endlessly or boot into recovery mode. More than 8 million machines around the world crashed and failed to restart, paralyzing airlines, banks, hospitals, stock markets, government agencies and emergency services. 
A tiny update to third-party software running in the Windows kernel had caused the largest IT outage in history, leading to billions of dollars in losses, including more than $5 billion for Fortune 500 companies alone.<br \/>\n\u201cHad that [Falcon] process been running in user mode, the severity would have probably been very different,\u201d Anscombe said.<br \/>\nThe incident highlighted the dangers of running \u2014 and frequently updating \u2014 third-party code in the Windows kernel. Four months after the digital chaos subsided, Microsoft launched the Windows Resiliency Initiative and pledged to work more closely with third-party security vendors on responsible software development and deployment practices. The company said it would require all software updates for security programs to deploy gradually throughout customer organizations \u201cto ensure any negative impact from updates is kept to a minimum.\u201d<br \/>\nMicrosoft also said it was \u201cdeveloping new Windows capabilities that will allow security product developers to build their products outside of kernel mode.\u201d<br \/>\n\u201cThis change will help security developers provide a high level of security [and] easier recovery,\u201d the company added, \u201cand there will be less impact to Windows in the event of a crash or mistake.\u201d<br \/>\nThe CrowdStrike incident validated Microsoft\u2019s longstanding unease about letting third-party developers run code in the Windows kernel, said Pavel Yosifovich, an expert on Windows architecture who trains and consults on the subject. 
Microsoft built in safeguards against kernel-level software crashes by requiring companies to sign their drivers and meet testing requirements, Yosifovich said, \u201cbut it\u2019s not bulletproof.\u201d<br \/>\nWindows API revamp<br \/>\nTo coordinate the kernel migration project, Microsoft is using its existing Microsoft Virus Initiative (MVI), a program meant to help security vendors smoothly integrate their products into Windows. As part of the Windows Resiliency Initiative, Microsoft refreshed the MVI, dubbing it \u201cMVI 3.0\u201d and requiring participants to meet new reliability requirements.<br \/>\nRoughly 100 security companies are members of the MVI, Anscombe said, but only a dozen or so \u2014 representing \u201ca significant majority of the market share\u201d \u2014 are working hand-in-hand with Microsoft on the kernel changes. Microsoft has publicly identified Bitdefender, CrowdStrike, ESET, SentinelOne, Sophos, Trellix, Trend Micro and WithSecure as part of that group, but otherwise it is keeping the kernel project shrouded in secrecy. Participating companies\u2019 employees must sign nondisclosure agreements, and most of the companies that Cybersecurity Dive contacted declined interview requests for this story.\u00a0<br \/>\nMicrosoft itself declined to answer even basic questions about the project, referring Cybersecurity Dive to its executives\u2019 blog posts, which offer few details.<\/p>\n<p>The kernel project is still in its early stages. Microsoft has asked vendors to inventory all of their products\u2019 features so the company knows what functionality they need preserved during the transition from kernel mode to user mode. 
The work has been incredibly complicated, both because vendors have had to review decades\u2019 worth of code and because every vendor\u2019s code works slightly differently.<br \/>\n\u201cIt really is an unpicking of how all these products work and then unpicking the OS to see if you can provide that functionality in different ways,\u201d Anscombe said. \u201cIt\u2019s a huge, huge task.\u201d<br \/>\nThe result is a highly unusual arrangement in the Windows development ecosystem, with Microsoft soliciting feedback from vendors and incorporating it in real time into the application programming interfaces (APIs) that let security products safely hook into Windows\u2019 core components.<br \/>\nIt\u2019s \u201can unusual scenario you don\u2019t often get,\u201d Anscombe said. \u201cThis is not somebody developing an API and landing the API on your desk and saying, \u2018Here\u2019s our new API. You need to work with this.\u2019 This is somebody developing an API while you&#8217;re developing the things that will work with the API.\u201d<br \/>\nHaving seen how challenging the work has been for ESET, Anscombe said, \u201cI wouldn\u2019t want to be on the Microsoft end of this, of getting responses from 50 vendors and suddenly hav[ing] to try and map everybody\u2019s [feedback] to give them all the functionality they need.\u201d<br \/>\nDifficult balancing act<br \/>\nMicrosoft and its partners will have to overcome serious challenges to make security software work just as well outside the kernel as it does inside it.<br \/>\nFor one thing, the kernel affords greater control to software running there. This is particularly important for software designed to protect a system from malicious processes.<br \/>\n\u201cWhen a process is created, a kernel driver can be notified, do some analysis, and decide to terminate the process before it does anything,\u201d Yosifovich said. In user mode, software can only receive notifications about a process after the fact. 
\u201cIf the process is short-lived, and does something malicious,\u201d Yosifovich said, \u201cuser mode may be too slow to do anything about that.\u201d<br \/>\nJeff Tang, a Windows security expert and independent consultant, said that in user mode, \u201cyour capabilities are much more limited to monitor the entire system.\u201d<br \/>\nYosifovich argued that \u201cit\u2019s almost impossible to run completely outside the kernel without significant reengineering or diminishing the powers for security products.\u201d<br \/>\nSecurity programs running in user mode would also be much more vulnerable to tampering. \u201cYour capabilities are on the same level as the thing you\u2019re trying to monitor and\/or stop,\u201d Tang said, \u201cso malware has the same opportunity to stop you from protecting the system\u201d as the security program does to stop the malware.<br \/>\nThe problem is far from theoretical. \u201cWe\u2019re already hearing of ransomware EDR killers and all sorts of other things that try and do that,\u201d Anscombe said. \u201cYou need to be able to give security vendors the [reassurance] that their application can\u2019t be manipulated.\u201d<br \/>\nIn addition to the risk of tampering, user mode\u2019s distance from the kernel introduces a processing delay. \u201cRunning in user mode is slower when accessing system APIs,\u201d Yosifovich said.<br \/>\nThat delay could make or break the customer experience, with potentially serious consequences. \u201cWhat you don\u2019t want to see is a customer turning around and saying, \u2018Well, everything\u2019s a bit slower now. I\u2019m going to start turning things off,\u2019\u201d Anscombe said. 
\u201cThat\u2019s a degradation of security.\u201d<br \/>\nNew API timeline TBD<br \/>\nMicrosoft and its vendor partners are taking their time to analyze the challenges they face.<br \/>\n\u201cAt the moment, it\u2019s more about how you\u2019d move some of the features and functionality across, using an API in that way,\u201d Anscombe said. \u201cTesting, efficacy, et cetera, is further down the line.\u201d<br \/>\nIt remains unclear when Microsoft will publish APIs that vendors can use to build user-mode software, or when that software will be ready for testing and deployment. Anscombe declined to discuss the project\u2019s internal timelines, although he said the early work has validated vendors\u2019 skepticism about a fast turnaround.<br \/>\n\u201cThis will be ongoing for a long period of time,\u201d Anscombe said. \u201cThere\u2019ll always be some feature that, somewhere, somebody\u2019s got that will be complicated to transition.\u201d<br \/>\nMeanwhile, market pressure could drive the migration of security products out of the kernel. If user-mode software proves to be more resilient, widely used publications like the National Institute of Standards and Technology\u2019s Cybersecurity Framework could begin recommending that organizations use such software. Insurers might even offer lower premiums to customers that use those products, especially if they determine that user-mode software lowers the risk of business interruptions that could generate claims.<br \/>\nThe most likely outcome, Anscombe said, is a hybrid world, in which some software continues to run in the kernel while other programs run in user mode.<br \/>\nSome products might even run in both modes simultaneously, with developers testing and implementing simpler user-mode migrations before tackling the harder components of their code.<br \/>\n\u201cThey can coexist in the same technology,\u201d Anscombe said. 
\u201cIn fact, in theory, they already do.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How Microsoft, partners are tackling \u2018huge, huge task\u2019 of making security software safer https:\/\/www.cybersecuritydive.com\/news\/microsoft-windows-resilience-initiative-security-kernel\/813416\/ Publish&#8230;<\/p>\n","protected":false},"author":1,"featured_media":192034,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/imgproxy.divecdn.com\/KJDLLtViwgeAYUHYP3WzsjBtpFoCZltjbB02ieo44HY\/g:ce\/rs:fit:770:435\/Z3M6Ly9kaXZlc2l0ZS1zdG9yYWdlL2RpdmVpbWFnZS9NaWNyb3NvZnRfR2V0dHlJbWFnZXMtMTUwOTMxMDM4My5qcGc=.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32],"class_list":["post-192033","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/192033"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=192033"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/192033\/revisions"}],"predecessor-version":[{"id":192035,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/192033\/revisions\/192035"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/192034"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media
?parent=192033"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=192033"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=192033"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}