
Microsoft snatches military-grade anti-rootkit
By Jerome Saiz, Wed, March 26th, 2008
With Komoku's buyout, Microsoft not only gets a reputable anti-rootkit solution to deploy rapidly within its own products, but also a foot in the door of the military ITsec vendors club. Komoku was funded by several US agencies, which are also its first customers.
By the numbers, that is a small acquisition: Komoku only has nine employees, including its founder. But the latter being a former computer scientist at the US National Security Agency, and the company having been funded by DARPA (the US agency that got the Internet started), the Department of Homeland Security and the US Navy, might explain Redmond's interest.
Komoku specialized in anti-rootkit solutions, with one software and one hardware product. The latter, named CoPilot, is a PCI card. It can monitor a system independently, from the outside, safe from any disruption by malicious code. The card has its own operating system and CPU, and it can access the system's inputs/outputs and its shared memory. That is how it can track down system modifications, even the stealthy ones made by a rootkit.
Microsoft seems, however, more interested in Komoku's software product, called Gamma. It will be integrated into Microsoft Live OneCare and Forefront. Those indeed lack a good and easy-to-use anti-rootkit capability, even though Microsoft bought Sysinternals, and its RootkitRevealer tool, in 2006.
Komoku will cease to exist following this buyout. Its nine employees will be hired by Microsoft's Security & Access division, while Gamma will be integrated into the current antivirus lineup. Nothing is said about CoPilot, however, even though it was Komoku's main product (the software version being, by its own founder's account, less effective). Not a word either about the deal with Symantec: since Komoku only took care of spotting rootkits, it had a deal with Symantec for their removal. Microsoft will now probably take care of that part itself.
Windows rootkits, a well-known threat
Windows rootkits are not foreign to Microsoft. As early as 2004 the giant took the matter seriously and started dedicated research through Microsoft Research. It led to the Strider GhostBuster project, a set of APIs designed to analyze the file system looking for the kind of discrepancies a hidden rootkit would create. The project also led to a study considered "intelligent and serious" by ITsec guru Bruce Schneier. But Microsoft admitted at that time that Windows rootkits were such a complex threat that formatting the system was often the only way to get rid of them. Hence the need for a good solution against them, which it did not have.
"Strider GhostBuster is a research work from Microsoft Research, and as such it did not make it into a product yet. Komoku's acquisition on the other hand brings us a capable anti-rootkit that we can integrate into our product line right away", explains Bernard Ourghanlian, chief technology & security officer at Microsoft. And that is a welcome addition at a time when most major antivirus vendors already have their own anti-rootkit.
Besides, the two approaches complement each other well: Komoku excels at tracking down rootkits in memory but does not look at what is going on within the file system, while Strider GhostBuster only looks at the file system.
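To make the two complementary approaches concrete, here is an added illustration (not Komoku's, Gamma's or Microsoft Research's code) of the two checks the article describes: a cross-view diff over the file system in the spirit of Strider GhostBuster, where what the operating system's directory API reports is compared against a raw scan of the volume, and a hash-based integrity check over kernel memory regions in the spirit of CoPilot and Gamma, where a fresh measurement is compared against a known-good baseline. All file names, byte strings and the "hooked" API view are constructed in memory for the example; the region names and the hidden driver name are placeholders, not real artifacts.

```python
import hashlib

# --- Constructed sample data (not from any real system) -----------------------
# Raw on-disk view: what a low-level scan of the volume finds.
RAW_VIEW = [
    r"C:\Windows\System32\drivers\acpi.sys",
    r"C:\Windows\System32\drivers\ndis.sys",
    r"C:\Windows\System32\drivers\rk_hidden.sys",   # constructed placeholder: hidden by the rootkit
    r"C:\Windows\System32\ntoskrnl.exe",
]
# API view: what a hooked directory-enumeration API returns, with one entry filtered out.
API_VIEW = [p for p in RAW_VIEW if not p.endswith("rk_hidden.sys")]

# Known-good measurement of kernel code regions, taken on a clean system.
CLEAN_REGIONS = {
    "ntoskrnl.text": b"\x55\x8b\xec" * 64,   # constructed stand-in for kernel code bytes
    "ssdt": bytes(range(32)),                # constructed stand-in for the system call table
}
# The same regions re-read later, with the first system-call-table entry overwritten.
TAMPERED_REGIONS = dict(CLEAN_REGIONS)
TAMPERED_REGIONS["ssdt"] = bytes([0xFF]) + CLEAN_REGIONS["ssdt"][1:]


def cross_view_diff(api_view, raw_view):
    """GhostBuster-style check: a rootkit that filters directory listings cannot
    remove the file from the raw on-disk view, so anything present in raw_view
    but absent from api_view is a hidden-file candidate."""
    return sorted(set(raw_view) - set(api_view))


def measure_regions(regions):
    """Map region name -> SHA-256 hex digest of its bytes."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in regions.items()}


def check_regions(baseline, current):
    """Memory-integrity check: return the names of regions whose digest differs
    from the baseline or that are missing from the new measurement. Patched
    kernel code or syscall-table entries show up here even when the rootkit's
    files are hidden from the file system."""
    return sorted(name for name, digest in baseline.items() if current.get(name) != digest)


def scan(api_view, raw_view, baseline, regions):
    """Run both checks and return their findings together."""
    return {
        "hidden_files": cross_view_diff(api_view, raw_view),
        "modified_regions": check_regions(baseline, measure_regions(regions)),
    }


if __name__ == "__main__":
    baseline = measure_regions(CLEAN_REGIONS)
    print(scan(API_VIEW, RAW_VIEW, baseline, TAMPERED_REGIONS))
```

The caveat the article's hardware-versus-software distinction points at applies to the second check: an in-guest agent such as Gamma reads memory through the very operating system a rootkit may have subverted, whereas a card like CoPilot reads the same memory over the bus, independently of the host CPU, so its measurement cannot be filtered the way the API view above is.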
Virtualisation changes everything
Komoku's hardware solution is reminiscent of VMware's own (and virtual) VMsafe: it provides a privileged watchtower outside the system to be protected. The CoPilot PCI card actually gives physical servers what VMsafe brings to virtualized servers. And that seems to be the only effective solution against rootkits.
Nevertheless, it is only the software solution that Microsoft is after in buying Komoku. One could wonder whether a software-only solution deployed within the very system it protects is a good approach. For sure, Gamma will play its role on the desktop. But it will probably be an entirely different story on servers.
Because for virtualized servers, while Microsoft does not support VMsafe, it has its own plans to offer them "out-of-system" protection, which would limit the interest of a software-only solution deployed within the guest systems. "We'll use the TPM module to store in the hardware a hash for each virtual server. The hypervisor will then be able to check the integrity of every virtual server about to be started", explains Bernard Ourghanlian.
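The check Ourghanlian describes, a stored reference hash per virtual server that the hypervisor compares against before starting it, can be modelled in a few lines. The following is an added example, not Microsoft's design or code: the hardware-held reference values are replaced by an in-memory `ReferenceStore` (an assumption), the measurement is built with a TPM-style extend chain over an ordered list of image components so that both content changes and reordering are caught, and the VM images are constructed byte strings rather than real disk contents.

```python
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(measurement: bytes, component: bytes) -> bytes:
    """TPM-style extend: new = H(old || H(component)). The result depends on
    every component and on their order, and cannot be rolled back."""
    return _h(measurement + _h(component))


def measure_image(components):
    """Fold an ordered list of (name, bytes) into one 32-byte measurement,
    starting from an all-zero register as a reset PCR would."""
    m = bytes(32)
    for _name, data in components:
        m = extend(m, data)
    return m


class ReferenceStore:
    """Stand-in for the hardware-held reference values (assumption: a plain
    dict here, where the design in the article keeps them in the TPM)."""

    def __init__(self):
        self._refs = {}

    def seal(self, vm_name, components):
        """Record the known-good measurement of a VM image at provisioning time."""
        self._refs[vm_name] = measure_image(components)

    def reference(self, vm_name):
        return self._refs.get(vm_name)


def authorize_start(store, vm_name, components):
    """Hypervisor-side gate: re-measure the image and allow the start only if
    the value equals the stored reference. Returns (allowed, reason)."""
    ref = store.reference(vm_name)
    if ref is None:
        return False, "no reference measurement for this VM"
    actual = measure_image(components)
    if hmac.compare_digest(actual, ref):
        return True, "measurement matches reference"
    return False, "measurement mismatch: image altered or components reordered"


# --- Constructed sample images (placeholders, not real VM contents) -----------
CLEAN_IMAGE = [
    ("bootloader", b"bootloader-v1"),
    ("kernel", b"kernel-image-v1"),
    ("config", b"vm-config: memory=4G"),
]
# Same image with the kernel component altered, as a kernel-level rootkit would leave it.
PATCHED_IMAGE = [(n, b"kernel-image-v1!" if n == "kernel" else d) for n, d in CLEAN_IMAGE]
# Same components with bootloader and kernel swapped: the extend chain notices order too.
REORDERED_IMAGE = [CLEAN_IMAGE[1], CLEAN_IMAGE[0], CLEAN_IMAGE[2]]


def demo():
    """Seal one VM and try to start four variants; returns name -> allowed."""
    store = ReferenceStore()
    store.seal("web-01", CLEAN_IMAGE)
    return {
        "clean": authorize_start(store, "web-01", CLEAN_IMAGE)[0],
        "patched": authorize_start(store, "web-01", PATCHED_IMAGE)[0],
        "reordered": authorize_start(store, "web-01", REORDERED_IMAGE)[0],
        "unknown_vm": authorize_start(store, "db-01", CLEAN_IMAGE)[0],
    }


if __name__ == "__main__":
    print(demo())
```

What this buys over an in-guest agent is the point the article makes: the measurement is taken by the hypervisor before the guest runs, so a rootkit inside the guest image has no opportunity to lie about it. What it does not cover is anything that changes after the guest has started, which is the gap a software agent like Gamma or an out-of-band monitor like CoPilot is meant to fill.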
Now, with Komoku's acquisition, and if it decides to keep the CoPilot card, Microsoft will be in a position to offer the same level of trust to physical servers, again negating the need for a software-only solution.
Right now, however, nothing is said about Microsoft keeping Komoku's hardware solution. Only Gamma seems to have a future in Redmond, both on the desktop and on servers.