Microsoft announced on 1/15/2014 that they would continue to provide signature and engine updates for Microsoft Anti-Malware products running on Windows XP past the April 8, 2014 end-of-support for the OS, through July 14, 2015. For enterprise customers, this applies to System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection and Windows Intune running on Windows XP. For consumers, this applies to Microsoft Security Essentials.
The major anti-malware vendors are also continuing to provide updates on current versions that are running on XP. McAfee’s XP support timelines are similar to Microsoft’s. Symantec has indicated that they will “most likely” provide product updates for current versions (11.x and 12.1) on XP for the foreseeable future.
For those who find Microsoft's announcement puzzling, here is a FAQ list that I hope will help.
Bottom line: is it OK to delay migrating to Windows 7 or 8 now?
Absolutely not. As Microsoft says in their announcement, “Our research shows that the effectiveness of antimalware solutions on out-of-support operating systems is limited. Running a well-protected solution starts with using modern software and hardware designed to help protect against today’s threat landscape.” Similarly, Symantec says “It has always been Symantec's stance that proper network and workstation security begins at having the most recent security patches from the OS vendor. Depending on the nature of the threats involved, Windows XP may be susceptible to viruses and risks that more recent iterations of Windows is immune to.”
Does this announcement affect compliance issues around XP?
If your compliance plan for regulations and standards such as HIPAA, GLB, or PCI-DSS requires timely patching of operating systems, then no amount of anti-malware protection will bring XP into compliance after the end of support.
Why doesn’t this make it safe enough to stay on XP?
Signature based anti-malware helps provide defense in depth, but the only effective way to prevent attackers from exploiting vulnerabilities in your system is to patch them. That won’t be possible for XP after April 8. To make matters worse, as new vulnerabilities are found and patched in Windows 7 and 8 it will be even easier to find and exploit those same vulnerabilities if they are in code that was carried forward from XP.
So what does this all mean?
Basically, Microsoft and the anti-malware vendors have collectively decided not to leave XP systems totally unprotected after the end of support, while making clear that the level of protection offered is suboptimal. Certainly all of the anti-malware vendors, including Microsoft, would prefer not to lose their customers over XP support. But to be clear, in a world where the best protection is “belt and suspenders” anti-malware on XP offers you a piece of twine to hold up your trousers. :)
What can I do to protect an XP system that will miss the deadline?
There is nothing you can do to make your out-of-support XP system as safe as a supported system. Some things you can do to protect yourself are include:
- Isolate the system from external threats AND other system as much as possible. You should note that some actors have been remarkably effective at getting malware across air gaps using infected USB keys and CDs (e.g., Stuxnet).
- Harden your systems by adopting conservative security configurations
- Use host-based intrusion prevention software to lock down your system against unauthorized changes.