Thousands of organisations seem hell-bent on sticking withfor the aged OS next year, so inevitably IT departments across the planet are on alert for non-Microsoft support alternatives.
One company that's already thrown its hat into the ring to provide Windows XP support after Microsoft's deadline of 8 April 2014 is Arkoon, working with its north and south America distributor Matrix Global Partners.
Paris-based Arkoon, which is owned by the Cassidian security arm of European defence giant EADS, is offering its ExtendedXP, or EXP, product to organisations that can't or won't make the move away from Windows XP before the end-of-life date.
Matrix Global Partners CEO Bob Foley likens selling the new product, available from October for testing, to selling fallout shelters.
"We're selling a solution to a problem that doesn't exist yet. But we want to let people know there may be an option that can buy them some time," he said.
According to Foley, many of the organisations caught up in the issues created by the Windows XP support deadline have multi-year rollover cycles for upgrading desktops and laptops.
"Unfortunately, this deadline by Microsoft is imposing a new rollover plan that doesn't match their budgets, staffing or timescales. If they know there's an option, then they may be able to readjust their budgets," he said.
Sticking resolutely with XP
Another category of XP-using companies can be found, for example, in retail, but in their case they are staying resolutely with the operating system.
"'We've got XP out in the stores. We're not changing. We have no intention to change. There is no advantage for us having a point-of-sale cash register running Windows 7 or Windows 8. None'. It's running a specific application. There're not in a rollover plan. They're going to keep XP," Foley said.
Arkoon's product, which is based on its StormShield endpoint protection technology, consists of an 8MB security agent that sits on the XP machine.
The IT department also gets a management console with a SQL database to keep track of the nodes and the agents, and access to an external monitoring service that identifies emerging vulnerabilities to the operating system, first released to manufacturers in August 2001.
The monitoring service will employ a variety of resources to spot new vulnerabilities and then apply updates to the XP security template sitting on a company's server.
"It will automatically update all the protected agents and continue with this ongoing protection as long as long as they want to use XP. There's the agent component and then there's the monitoring team that's supporting that," Foley said.
Microsoft info on future flaws
Arkoon has always had a close relationship with Microsoft, according to Foley, but he remains unclear what bearing that will have on its attitude to information about future Windows XP vulnerabilities.
"For this particular area we're not sure yet how much they're going to share with anyone. We're working on the presumption that there will be little sharing by Microsoft because they want people to move. The more information we can gather from them, great," he said.
However, even in the absence of direct information from Microsoft about emerging threats and vulnerabilities, there should be clues elsewhere.
"If we look at a patch Tuesday for Windows 7 in March 2014, we believe that's going also to be an indicator of a potential vulnerability in XP," Foley said.
"So even if they aren't sharing information about XP vulnerabilities, we think we'll see trends that will pop up because of what they're doing in patching the later operating systems," he said.
Alerts and thresholds
Arkoon helps the customer configure and install the software. Movement of logs from the agents up to the management console is monitored by the system, which raises alerts if certain thresholds are breached or certain events occur.
"It isn't an appliance-based product. We're not going to deliver it on a PC but you can virtualise it, stick it in a virtual system, and just let it run and watch for an alert to pop up if there's a violation of some policy you've set, or watch for us to send you a template," Foley said.
He envisages that EXP will be used as one element in a series of defences to protect Windows XP.
"We expect all our customers using XP will have a multi-part security strategy with multiple components that will complement what we're doing. All those things combined without a patch Tuesday are still not going to protect those customers. Those things will help but ours will be the end protection, the last line of defence," he said.
Organisations that opt to pilot EXP from October could be looking at its ease of use and impact on XP performance, Foley suggests. They could also use patches from previous patch Tuesdays to test the software and simulate attacks.
He is optimistic that EXP will help organisations that are sticking with Windows XP but are fearful of its impact on their compliance certification.
"The ultimate test will be one of our clients having an auditor come in after April 2014 and blessing EXP as a compensating control. We've met with a number of consultants in those areas and they tend to believe [EXP] will be a compensating control so we're pretty optimistic about that," Foley said.
The EXP agent will cost about $15 per seat for a one year's subscription for a contract covering a few hundred PCs but discounts apply to larger volumes.
The product is available in three packages: the first covers the operating system, Internet Explorer and Microsoft Office; the second is a web package covering Adobe Flash, Mozilla Firefox and Google Chrome; while the third is for Adobe Reader and Java. Further custom packages can be created.
"If you buy 100, it's $15 per seat. If you 50,000, it would be less. Each of the packages is around $14 and there are discounts if you combine them. If you want the two basic components it would be between $28 and $38 for a subscription," Foley said.
He is keen to make it clear his organisation is not opposed to Windows 7 or Windows 8 or people moving to them.
"But we've all seen the numbers. A significant number of people — is it 500 or 600 million people are going to be using XP after April 2014? It would be nice if they had an option to do so securely," Foley said.