Patents by Inventor David J. Linsley

David J. Linsley has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10956615
    Abstract: Embodiments are directed to managing software components loaded on a device by identifying a platform manifest having a valid certificate, confirming that the platform manifest is bound to the device, identifying components listed on the platform manifest, confirming that the listed components have a valid certificate, and loading listed components with valid certificates on the device. The components may be binaries and packages for an operating system. The components may be signed in an embedded manner or with detached signatures. The platform manifest may be bound to the device in a manner that allows for identification of unauthorized platform manifests.
    Type: Grant
    Filed: February 17, 2017
    Date of Patent: March 23, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Scott R. Shell, Md. Nazmus Sakib, Kinshumann, Dale R. Rolf, Daryn E. Robbins, Ian McCarty, JianMing M. Zhou, David J. Linsley
  • Publication number: 20180239929
    Abstract: Embodiments are directed to managing software components loaded on a device by identifying a platform manifest having a valid certificate, confirming that the platform manifest is bound to the device, identifying components listed on the platform manifest, confirming that the listed components have a valid certificate, and loading listed components with valid certificates on the device. The components may be binaries and packages for an operating system. The components may be signed in an embedded manner or with detached signatures. The platform manifest may be bound to the device in a manner that allows for identification of unauthorized platform manifests.
    Type: Application
    Filed: February 17, 2017
    Publication date: August 23, 2018
    Inventors: Scott R. SHELL, Md. Nazmus SAKIB, KINSHUMANN, Dale R. ROLF, Daryn E. ROBBINS, Ian MCCARTY, JianMing M. ZHOU, David J. Linsley
  • Patent number: 9836601
    Abstract: Anti-malware process protection techniques are described. In one or more implementations, an anti-malware process is launched. The anti-malware process is verified based at least in part on an anti-malware driver that contains certificate pairs which contain an identity that is signed with the trusted certificate from a verified source. After the anti-malware process is verified, the anti-malware process may be assigned a protection level, and an administrative user may be prevented from altering the anti-malware process.
    Type: Grant
    Filed: August 8, 2016
    Date of Patent: December 5, 2017
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Hari Pulapaka, Nicholas S. Judge, Arun U. Kishan, James A. Schwartz, Jr., Kinshumann Kinshumann, David J. Linsley, Niraj V. Majmudar, Scott D. Anderson
  • Patent number: 9582513
    Abstract: Embodiments of the disclosure provide access to data in a compressed container through dynamic redirection, without storing decompressed data in persistent memory. The compressed container is stored in a first portion of memory. User data and reference files, with redirect pointers, for accessing corresponding files in the compressed container are stored in a second portion of memory. A command to access data is detected by a computing device. The redirect pointer in the reference file associated with the command redirects access to the corresponding compressed version of data stored in the compressed container. The corresponding accessed compressed version of data is decompressed on the fly and provided in response to the command without storing the decompressed data in persistent memory. Some embodiments provide integrity protection to validate the data coming from the compressed container.
    Type: Grant
    Filed: December 8, 2013
    Date of Patent: February 28, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Richard A. Pletcher, Malcolm J. Smith, Alain F. Gefflaut, Alex Bendetov, Andrey Shedel, David J. Linsley, Aaron M. Farmer, James Aaron Holmes, Troy E. Shaw, Emily N. Wilson, Innokentiy Basmov, Michael J. Grass, Alex M. Semenko, Scott D. Anderson, Kinshuman Kinshumann
  • Publication number: 20160342790
    Abstract: Anti-malware process protection techniques are described. In one or more implementations, an anti-malware process is launched. The anti-malware process is verified based at least in part on an anti-malware driver that contains certificate pairs which contain an identity that is signed with the trusted certificate from a verified source. After the anti-malware process is verified, the anti-malware process may be assigned a protection level, and an administrative user may be prevented from altering the anti-malware process.
    Type: Application
    Filed: August 8, 2016
    Publication date: November 24, 2016
    Inventors: Hari Pulapaka, Nicholas S. Judge, Arun U. Kishan, James A. Schwartz, JR., Kinshumann Kinshumann, David J. Linsley, Niraj V. Majmudar, Scott D. Anderson
  • Patent number: 9424431
    Abstract: In a pre-operating system environment on a device prior to loading and running an operating system on the device, a policy identifying configuration settings for the operating system is obtained. The operating system itself is prevented from changing this policy, but the policy can be changed under certain circumstances by components of the pre-operating system environment. The policy is compared to configuration values used by the operating system, and the operating system is allowed to boot with the configuration values if the configuration values satisfy the policy. However, if the configuration values do not satisfy the policy, then a responsive action is taken.
    Type: Grant
    Filed: September 14, 2015
    Date of Patent: August 23, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Scott D. Anderson, David J. Linsley, Magnus Bo Gustaf Nyström, Douglas M. MacIver, Robert Karl Spiger
  • Patent number: 9424425
    Abstract: Anti-malware process protection techniques are described. In one or more implementations, an anti-malware process is launched. The anti-malware process is verified based at least in part on an anti-malware driver that contains certificates which contain an identity that is signed with the trusted certificate from a verified source. After the anti-malware process is verified, the anti-malware process may be assigned a protection level, and an administrative user may be prevented from altering the anti-malware process.
    Type: Grant
    Filed: May 31, 2013
    Date of Patent: August 23, 2016
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Hari Pulapaka, Nicholas S. Judge, Arun U. Kishan, James A. Schwartz, Jr., Kinshumann Kinshumann, David J. Linsley, Niraj V. Majmudar, Scott D. Anderson
  • Patent number: 9256745
    Abstract: In a pre-operating system environment on a device prior to loading and running an operating system on the device, a policy identifying configuration settings for the operating system is obtained. The operating system itself is prevented from changing this policy, but the policy can be changed under certain circumstances by components of the pre-operating system environment. The policy is compared to configuration values used by the operating system, and the operating system is allowed to boot with the configuration values if the configuration values satisfy the policy. However, if the configuration values do not satisfy the policy, then a responsive action is taken.
    Type: Grant
    Filed: March 1, 2011
    Date of Patent: February 9, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Scott D. Anderson, David J. Linsley, Magnus Bo Gustaf Nyström, Douglas M. MacIver, Robert Karl Spiger
  • Publication number: 20160012234
    Abstract: In a pre-operating system environment on a device prior to loading and running an operating system on the device, a policy identifying configuration settings for the operating system is obtained. The operating system itself is prevented from changing this policy, but the policy can be changed under certain circumstances by components of the pre-operating system environment. The policy is compared to configuration values used by the operating system, and the operating system is allowed to boot with the configuration values if the configuration values satisfy the policy. However, if the configuration values do not satisfy the policy, then a responsive action is taken.
    Type: Application
    Filed: September 14, 2015
    Publication date: January 14, 2016
    Inventors: Scott D. Anderson, David J. Linsley, Magnus Bo Gustaf Nyström, Douglas M. MacIver, Robert Karl Spiger
  • Patent number: 9208313
    Abstract: Anti-malware process protection techniques are described. In one or more implementations, an anti-malware driver is signed using a hash that identifies a manufacturer of the anti-malware driver. The anti-malware driver is then provided to a computing device. The anti-malware driver may be assigned a protection level based on an agreement between the anti-malware manufacturer and an operating system manufacturer, and this protection level effects the operation of the anti-malware program on the computing device.
    Type: Grant
    Filed: June 11, 2013
    Date of Patent: December 8, 2015
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Hari Pulapaka, Nicholas S. Judge, Arun U. Kishan, James A. Schwartz, Jr., Kinshumann Kinshumann, David J. Linsley, Niraj V. Majmudar, Scott D. Anderson
  • Publication number: 20150161155
    Abstract: Embodiments of the disclosure provide access to data in a compressed container through dynamic redirection, without storing decompressed data in persistent memory. The compressed container is stored in a first portion of memory. User data and reference files, with redirect pointers, for accessing corresponding files in the compressed container are stored in a second portion of memory. A command to access data is detected by a computing device. The redirect pointer in the reference file associated with the command redirects access to the corresponding compressed version of data stored in the compressed container. The corresponding accessed compressed version of data is decompressed on the fly and provided in response to the command without storing the decompressed data in persistent memory. Some embodiments provide integrity protection to validate the data coming from the compressed container.
    Type: Application
    Filed: December 8, 2013
    Publication date: June 11, 2015
    Applicant: Microsoft Corporation
    Inventors: Richard A. Pletcher, Malcolm J. Smith, Alain F. Gefflaut, Alex Bendetov, Andrey Shedel, David J. Linsley, Aaron M. Farmer, James Aaron Holmes, Troy E. Shaw, Emily N. Wilson, Innokentiy Basmov, Michael J. Grass, Alex M. Semenko, Scott D. Anderson, Kinshuman Kinshumann
  • Patent number: 8938618
    Abstract: Booting a computing device includes executing one or more firmware components followed by a boot loader component. A protection component for the computing device, such as an anti-malware program, is identified and executed as an initial component after executing the boot loader component. One or more boot components are also executed, these one or more boot components including only boot components that have been approved by the protection component. A list of boot components that have been previously approved by the protection component can also be maintained in a tamper-proof manner.
    Type: Grant
    Filed: April 5, 2013
    Date of Patent: January 20, 2015
    Assignee: Microsoft Corporation
    Inventors: Mark F. Novak, Robert Karl Spiger, Stefan Thom, David J. Linsley, Scott A. Field, Anil Francis Thomas
  • Publication number: 20140359774
    Abstract: Anti-malware process protection techniques are described. In one or more implementations, an anti-malware process is launched. The anti-malware process is verified based at least in part on an anti-malware driver that contains certificates which contain an identity that is signed with the trusted certificate from a verified source. After the anti-malware process is verified, the anti-malware process may be assigned a protection level, and an administrative user may be prevented from altering the anti-malware process.
    Type: Application
    Filed: May 31, 2013
    Publication date: December 4, 2014
    Inventors: Hari Pulapaka, Nicholas S. Judge, Arun U. Kishan, James A. Schwartz, Jr., Kinshumann Kinshumann, David J. Linsley, Niraj V. Majmudar, Scott D. Anderson
  • Publication number: 20140359775
    Abstract: Anti-malware process protection techniques are described. In one or more implementations, an anti-malware driver is signed using a hash that identifies a manufacturer of the anti-malware driver. The anti-malware driver is then provided to a computing device. The anti-malware driver may be assigned a protection level based on an agreement between the anti-malware manufacturer and an operating system manufacturer, and this protection level effects the operation of the anti-malware program on the computing device.
    Type: Application
    Filed: June 11, 2013
    Publication date: December 4, 2014
    Inventors: Hari Pulapaka, Nicholas S. Judge, Arun U. Kishan, James A. Schwartz, JR., Kinshumann Kinshumann, David J. Linsley, Niraj V. Majmudar, Scott D. Anderson
  • Patent number: 8776258
    Abstract: Techniques for providing access rights to different portions of a software application to one or more authorized users are described herein. An issuance license may be inserted into the software application that divides the software application into one or more portions and identifies, for each portion, one or more users that are authorized access to the portion. Each portion of the software application may then be encrypted using, for example, a different cryptographic key. When the software is executed, an end user license may then be requested that corresponds to a particular user and that entitles the particular user access to each portion of the software application that the issuance license identifies the particular user as being authorized to access. The end user license may then be used to decrypt each portion of the software application that the issuance license identifies the particular end user as being authorized to access.
    Type: Grant
    Filed: June 20, 2007
    Date of Patent: July 8, 2014
    Inventor: David J. Linsley
  • Patent number: 8627464
    Abstract: An event log can comprise, not only entries associated with components instantiated since a most recent power on of a computing device, but also entries of components instantiated prior to that power on, such as components that were instantiated, and represent, a state of the computing device prior to hibernation that has now been resumed. Upon hibernation, the current values of the Platform Configuration Registers (PCRs) of a Trusted Platform Module (trusted execution environment), as well as a quote of those current values, and a current value of a monotonic counter of the trusted execution environment can be logged. The monotonic counter can be incremented at each power on to track successive generations of the computing device and to guard against an intervening, not-logged generation. A subsequent parsing of the event log can verify the prior generational entries with reference to the PCR values in the log that are associated with those generations.
    Type: Grant
    Filed: November 2, 2010
    Date of Patent: January 7, 2014
    Assignee: Microsoft Corporation
    Inventors: Stefan Thom, Nathan Ide, Scott Daniel Anderson, Robert Karl Spiger, David J. Linsley, Mark Fishel Novak, Magnus Nyström
  • Patent number: 8417962
    Abstract: Booting a computing device includes executing one or more firmware components followed by a boot loader component. A protection component for the computing device, such as an anti-malware program, is identified and executed as an initial component after executing the boot loader component. One or more boot components are also executed, these one or more boot components including only boot components that have been approved by the protection component. A list of boot components that have been previously approved by the protection component can also be maintained in a tamper-proof manner.
    Type: Grant
    Filed: June 11, 2010
    Date of Patent: April 9, 2013
    Assignee: Microsoft Corporation
    Inventors: Mark F. Novak, Robert Karl Spiger, Stefan Thom, David J. Linsley, Scott A. Field, Anil Francis Thomas
  • Patent number: 8375437
    Abstract: A Trusted Platform Module (TPM) can be utilized to provide hardware-based protection of cryptographic information utilized within a virtual computing environment. A virtualized cryptographic service can interface with the virtual environment and enumerate a set of keys that encryption mechanisms within the virtual environment can utilize to protect their keys. The keys provided by the virtualized cryptographic service can be further protected by the TPM-specific keys of the TPM on the computing device hosting the virtual environment. Access to the protected data within the virtual environment can, thereby, only be granted if the virtualized cryptographic service's keys have been protected by the TPM-specific keys of the TPM on the computing device that is currently hosting the virtual environment. The virtualized cryptographic service's keys can be protected by TPM-specific keys of TPMs on selected computing devices to enable the virtual environment to be hosted by other computing devices.
    Type: Grant
    Filed: March 30, 2010
    Date of Patent: February 12, 2013
    Assignee: Microsoft Corporation
    Inventors: David J. Linsley, Stefan Thom
  • Publication number: 20120226895
    Abstract: In a pre-operating system environment on a device prior to loading and running an operating system on the device, a policy identifying configuration settings for the operating system is obtained. The operating system itself is prevented from changing this policy, but the policy can be changed under certain circumstances by components of the pre-operating system environment. The policy is compared to configuration values used by the operating system, and the operating system is allowed to boot with the configuration values if the configuration values satisfy the policy. However, if the configuration values do not satisfy the policy, then a responsive action is taken.
    Type: Application
    Filed: March 1, 2011
    Publication date: September 6, 2012
    Applicant: MICROSOFT CORPORATION
    Inventors: Scott D. Anderson, David J. Linsley, Magnus Bo Gustaf Nyström, Douglas M. MacIver, Robert Karl Spiger
  • Publication number: 20120110644
    Abstract: An event log can comprise, not only entries associated with components instantiated since a most recent power on of a computing device, but also entries of components instantiated prior to that power on, such as components that were instantiated, and represent, a state of the computing device prior to hibernation that has now been resumed. Upon hibernation, the current values of the Platform Configuration Registers (PCRs) of a Trusted Platform Module (trusted execution environment), as well as a quote of those current values, and a current value of a monotonic counter of the trusted execution environment can be logged. The monotonic counter can be incremented at each power on to track successive generations of the computing device and to guard against an intervening, not-logged generation. A subsequent parsing of the event log can verify the prior generational entries with reference to the PCR values in the log that are associated with those generations.
    Type: Application
    Filed: November 2, 2010
    Publication date: May 3, 2012
    Applicant: Microsoft Corporation
    Inventors: Stefan Thom, Nathan Ide, Scott Daniel Anderson, Robert Karl Spiger, David J. Linsley, Mark Fishel Novak, Magnus Nyström