An examination of Microsoft’s Customer License Agreement (CLA) for embedded systems indicates that there is no provision for a vendor to ship appliances with multiple virtual instances of Windows or its popular Office productivity suite. In fact, shipping Windows in a virtualized environment is expressly prohibited.
From the CLA:
(2b3) “Company may distribute more than one Product (or copies of the same Product) on the same Embedded System, but only if all configurations of the Embedded System containing such Products (individually or in combination) comply with the terms of this Agreement and ATs.”
And from the “ATs” document titled ADDITIONAL TERMS FOR RUNTIMES FOR OEM EMBEDDED DESKTOP OPERATING SYSTEMS PRODUCTS:
“Company may not install this Product in any virtual (or otherwise emulated) hardware system. Unless otherwise provided in these ATs and except for use of the VHD Boot feature in Windows 7 Ultimate for Embedded Systems and Windows Embedded 8 Pro, Company’s license excludes rights 1) to use any virtual machine software that is part of the Product, or 2) to create or use files in the VHD file format supported by this Product.”
As attackers have become more sophisticated, they have concentrated on creating malware that avoids detection by endpoint anti-virus, leaving the enterprise exposed.
Sandboxing technology involves executing an attacker’s payload in a virtual (or sometimes emulated) instance, usually of Windows because it is the most heavily targeted platform, and examining its actions for malicious intent.
Once advanced malware is detected it can be quarantined. In addition, key indicators are extracted from the malware, such as the file names it drops and the IP addresses it attempts to call back to. These indicators of compromise (IoCs) are then fed to security analytics solutions to detect activity by the same attackers elsewhere on the network.
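The detection loop described above, extracting IoCs from a sandbox run and matching them against network logs, can be illustrated with a small script. This is an added example and is not code from the article or from any vendor it names; the report layout (`dropped_files`, `network`), the log line format, and every address and timestamp in it are constructed for illustration.

```python
"""Extract indicators of compromise (IoCs) from a sandbox report and match
them against network logs.  Added example: the report schema, field names,
addresses and log lines below are constructed and belong to no real product."""

import ipaddress
import json
import re
from dataclasses import dataclass, field

# Constructed sandbox report describing what a detonated sample did in the
# guest.  The field names are an assumption made for this example.
SANDBOX_REPORT = json.dumps({
    "dropped_files": [
        {"path": "C:\\Users\\Public\\svchost32.exe"},
        {"path": "C:\\Windows\\Temp\\update.dll"},
    ],
    "network": [
        {"dst_ip": "203.0.113.45", "dst_port": 443, "proto": "tcp"},
        {"dst_ip": "198.51.100.7", "dst_port": 80, "proto": "tcp"},
        {"dst_ip": "8.8.8.8", "dst_port": 53, "proto": "udp"},   # resolver noise
    ],
})

# Internal ranges (RFC 1918) and destinations seen in almost every guest:
# traffic to these is not a callback and must not become an indicator.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWLIST = {ipaddress.ip_address("8.8.8.8")}


@dataclass
class IoCSet:
    file_names: set = field(default_factory=set)
    callback_ips: set = field(default_factory=set)


def extract_iocs(report_json: str) -> IoCSet:
    """Pull dropped-file names and callback addresses out of a sandbox report."""
    report = json.loads(report_json)
    iocs = IoCSet()
    for entry in report.get("dropped_files", []):
        # Keep only the basename: the directory differs from host to host.
        name = entry["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        iocs.file_names.add(name)
    for conn in report.get("network", []):
        ip = ipaddress.ip_address(conn["dst_ip"])
        if ip in ALLOWLIST or any(ip in net for net in INTERNAL_NETS):
            continue
        iocs.callback_ips.add(ip)
    return iocs


# Constructed proxy/firewall log lines in a simple "ts src dst:port action" layout.
LOG_LINES = [
    "2014-03-10T09:12:01Z 10.0.4.21 203.0.113.45:443 ALLOW",
    "2014-03-10T09:12:05Z 10.0.4.21 93.184.216.34:443 ALLOW",
    "2014-03-10T09:15:44Z 10.0.7.3 198.51.100.7:80 ALLOW",
    "2014-03-10T09:16:00Z 10.0.7.3 8.8.8.8:53 ALLOW",
    "garbage line that does not parse",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) (?P<action>\S+)$")


def match_logs(lines, iocs: IoCSet):
    """Return (timestamp, internal host, callback ip) for every log line whose
    destination is one of the sandbox-derived callback addresses."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # hostname rather than an address; out of scope here
        if dst in iocs.callback_ips:
            hits.append((m["ts"], m["src"], str(dst)))
    return hits


if __name__ == "__main__":
    found = extract_iocs(SANDBOX_REPORT)
    print("file IoCs:", sorted(found.file_names))
    print("callback IoCs:", sorted(map(str, found.callback_ips)))
    for ts, src, dst in match_logs(LOG_LINES, found):
        print(f"{ts} internal host {src} contacted sandbox callback {dst}")
```

The allowlist and internal-range filter are the part worth copying: without them a sandbox run would turn DNS resolvers and the guest’s own gateway into “indicators” and the log scan would flag every host on the network.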
FireEye, the advanced malware protection vendor that was first to market with a virtual sandbox using up to ten instances of Windows XP, appears, at least initially, to have neglected to resolve the licensing issues with Microsoft before going to market. FireEye’s Web MPS 7.1.0 Operator’s Guide even pushes licensing responsibility onto its customers, stating in part:
THIRD PARTY SOFTWARE IS (IN ADDITION TO THE TERMS AND CONDITIONS OF THIS AGREEMENT) SUBJECT TO AND GOVERNED BY (AND LICENSEE AGREES TO AND WILL INDEMNIFY FIREEYE FOR NONCOMPLIANCE WITH) THE RESPECTIVE LICENSES FOR SUCH THIRD PARTY SOFTWARE.
A FireEye document titled “The FireEye Difference” lists the software installed on FireEye guest images. In addition to Windows, the list includes Microsoft Word, Excel, and PowerPoint, products whose distribution in embedded systems Microsoft also limits. When asked, FireEye chose not to comment on this issue.
Other vendors are selling sandbox appliances that host multiple instances of Windows and other Microsoft applications.
Palo Alto Networks’ sandbox, WildFire, is a high-end hardware appliance. According to its documentation, WildFire contains Windows XP and the full Microsoft Office suite. An update announcement from Palo Alto Networks states:
Expanded Sandbox Operating Systems—Microsoft Windows 7 32-bit has been added to the WildFire environment. When a file is analyzed by WildFire, it will be run in both Windows XP and Windows 7. On a WF-500 WildFire appliance, you will need to select an image that will contain Windows XP or Windows 7 as well as a combination of other applications, such as different versions of Adobe Reader, and MS Office.
Other vendors, such as Trend Micro, which ships a sandbox called Deep Discovery Inspector, encountered the Microsoft licensing issue early on and designed their product so that the end user installs their own licensed copies of Microsoft products, often the standard corporate image. Trend Micro reports that only in the last three months have they been able to help Microsoft create a new licensing regime that recognizes the need to run desktop software in a virtualized sandbox.
Fortinet, a vendor of primarily gateway security appliances, told securitycurrent that they delayed the introduction of their FortiSandbox product when they noticed (and Microsoft confirmed) this issue with Microsoft’s CLA. They eventually resolved the issue for Microsoft Windows and launched the FortiSandbox product in February.
Check Point Software’s datasheet for its Threat Emulation Private Cloud Appliances also lists Microsoft Office products Word, Excel and PowerPoint. Check Point too has worked with Microsoft to ensure that they are authorized to ship Windows in their sandbox products.
The licensing agreements Fortinet and Trend Micro reached with Microsoft will likely become the template for the other vendors once they address this issue. However, there apparently is still no agreement that permits the distribution of virtualized embedded instances of products other than Windows (e.g., the Office suite or its individual applications).
It appears that FireEye and Palo Alto Networks have taken shortcuts in getting their virtual Windows-based appliances to market.
This is most likely an issue that will be resolved in due course, after Microsoft adjusts to a market reality it did not foresee: that security vendors would need to host multiple versions of its desktop operating systems inside Linux-based appliances. Specifically, these vendors will need to reach an agreement with Microsoft similar to the ones Fortinet and Trend Micro have. And even then, Microsoft Office will have to be removed from these sandboxes unless yet another CLA amendment can be agreed upon. But in the meantime these vendors are most likely in violation of their existing license agreement with Microsoft.