Microsoft announced a new feature called Device Guard that prevents unauthorized or malicious code from executing on a Windows system.
Malware and exploits have a distinct advantage: they always get the first move. Traditional antimalware and security tools are reactive and based on detecting and blocking known threats. A threat can't be known, however, until it exists and affects something or someone first. It's a poor model for defense.
Microsoft proposes to change that with Device Guard.
There are already controls within Windows that determine whether an application can be trusted and should be allowed to execute. The Achilles' heel of that approach is that some rootkits and exploits are capable of compromising Windows at the kernel level, below where those decisions are made. That means the malware itself can alter, override, or circumvent those decisions and execute anyway.