With the hype and marketing around the new security controls built into Windows 8, you'd think that there was nothing left for enterprise admins to do to prevent malware outbreaks. As with user interfaces, there's always room for improvement in security.
Don't take this the wrong way. Windows 8 is Microsoft's most resilient desktop operating system so far. Microsoft shipped Windows 8 with spyware, virus and phishing protection enabled right out of the box via the improved Windows Defender.
Windows 8's updated SmartScreen technology further extends Windows 8 malware defenses by inspecting all files downloaded from the Internet, not just those downloaded through Internet Explorer.
So, do you blindly trust that Microsoft is going to keep systems secure from Windows 8 malware? Are these controls even enterprise-ready? I'd say no to both. Of course, you'll want to consider integrating Windows 8 protection into your traditional antivirus solutions.
Rather than debating which one is best, I recommend visiting IT security institute AV-TEST and reviewing its results to draw your own conclusions based on your unique needs. Although they won't be a good fit for enterprise deployment, there are some high-scoring "free" anti-malware options from vendors such as AVG, Avast and Panda for those lone Windows 8 installations you might have.
But don't assume that doing business as usual -- even with the enhanced Windows 8 malware removal -- is going to cut it. One of the most underrated security technologies is whitelisting, offered by vendors such as Bit9 and Lumension.
Whitelisting is a nice complement (not a replacement) to traditional anti-malware protection. Why? Because it focuses on proactive prevention rather than reactive detection. With whitelisting, you'll literally lock down the Windows 8 desktop and control what can and cannot run from the start.
Whitelisting is really the way security was intended: deny everything upfront. Trust but verify. It's as good as, arguably better than, virtual desktop infrastructure systems that boot from a clean image every time.
The thing about a Windows 8 whitelist is that it's not simply plug and play like traditional antivirus systems. It'll need some hand-holding and tweaking over time for Windows 8 systems. If Windows 8.1 (a.k.a. Windows Blue) is on your radar, perhaps you can integrate whitelisting with forthcoming upgrades/new deployments.
Even though Windows 8 has only around 3% of the desktop OS market, you likely have it in your environment touching your systems and data in some capacity. Windows 8 is a slightly different beast, and you need to have security standards for it -- especially for niche systems that may only be using the Modern user interface (formerly known as Metro). These systems may support only certain processors and applications that aren't supported by anti-malware technologies.
Information systems complexity, politics and culture all play into this, so be sure to get others on your side to help make these decisions.
I'm sure Microsoft would like us to think that it will eventually ship an OS with all the protective mechanisms we could ever need, negating any benefits of third-party anti-malware applications. In an ideal world, a truly secure OS would be expected. But we have this human factor to contend with. Until and unless that changes, we're going to have to keep our guard up for Windows 8 malware.
This was first published in June 2013