Microsoft announces MAPP overhaul

Introduced in 2008, the Microsoft Active Protections Program (MAPP) was created to give antivirus vendors a head start against malware developers. Vendors would get information from Microsoft security bulletins some time before it was shared with the greater public, so that they could be ready to release signatures for vulnerabilities immediately after the bulletins were published every second Tuesday of each month.

“Since the program launched, there has been little external change to how it operates. Internally, we have made slight adjustments to how the program is managed but by and large, it is the same program it was in 2008 and the same program our partners still say is essential to their operations,” says Jerry Bryant, senior security strategist with Microsoft Trustworthy Computing.

But with the release of Microsoft’s latest MSRC Progress Report, the company has announced some considerable changes to MAPP.

By renaming it MAPP for Security Vendors, Microsoft is making the existing program just one part of a larger program that will also include MAPP for Responders and the MAPP Scanner.

MAPP for Security Vendors will be gaining MAPP Validate, a program that will allow some members of the MAPP community to provide feedback on Microsoft’s detection guidance before the final distribution. Also, some trusted vendors will now get a three-day window instead of the current one-day window to come up with signatures for vulnerabilities, while entry-level MAPP partners will be limited to the latter for the time being.

MAPP for Responders is a new program that will concentrate on threat intelligence. “Arming more defenders against targeted attacks is a key part of our overall strategy,” says Bryant, and the program will employ a “give to get” model, i.e. incident responders will get critical threat intelligence but will be required to share theirs (in a common format – Mitre’s STIX and TAXII specifications). Microsoft will contribute by sharing threat indicators such as malicious URLs, file hashes, incident data and relevant detection guidance.

Finally, the MAPP Scanner is a cloud-based service that will allow program members to scan suspect Office documents, PDF files, Flash movies, and URLs and see whether they are malicious or not.

It will combine static and active analysis, and will test the files in virtual machines running every supported version of Windows and of the application they need to run. By detecting both known vulnerabilities and suspicious activity tied to unknown ones in this way, Microsoft hopes to increase the likelihood that new attacks and attack vectors are discovered.
