PatchGuard ain't gonna stop Zero-Day attack.

Cymbal Man Freq.

http://news.com.com/Why+Microsoft+is+wrong+on+Vista+security/2010-7349_3-6123924.html

Why Microsoft is wrong on Vista security
McAfee Chief Scientist George Heron says a technological dispute could usher in
a new age of insecurity.
By George Heron

Published: October 9, 2006, 10:00 AM PDT

For decades, and in every Windows operating system prior to Vista, Microsoft has
relied on the contributions of third-party security vendors to help keep the
user safe.

These products protected both consumers and corporate users from the ravages of
malware such as viruses, spyware, trojans, worms and, most recently, rootkits.

These security products from independent software vendors even help keep
people's computers safe from Microsoft's own critical software bugs, which
notably have been on the increase in recent years.

Regrettably, Microsoft's own "buffer overflows" and "Internet Explorer exploits"
have now become commonplace in today's lexicon. But again, the security products
from the likes of McAfee, Symantec, Check Point Software Technologies, et al,
have thankfully been available for people to choose in order to keep their
computing experience safe.

Over the years, the users (i.e. you, me, our families and colleagues) have been
able to select the best security solution for them from among any number of
companies providing mature and innovative security products.

This cooperative and relatively safe computing experience is about to change for
the worse in Vista.

Dropping down to the core of the operating system, we see that Microsoft has
implemented PatchGuard as a means of preventing access to kernel services that
classically have been allowed and available in all previous versions of Windows.

In a nutshell, PatchGuard crashes the computer when it detects that specific
internal data structures have been "hooked," which is a common way that
malicious software starts doing its damage.

However, the good advanced features of behavioral detection and intrusion
protection software also work this way. So by attempting to lock out the bad
guys, PatchGuard is also blocking advanced security features from working, and
the user is much less secure.

A straightforward example of this serious condition would be to consider the
case of a new mass-mailing worm suddenly appearing in the wild. Typically, known
viruses are caught during the delivery process, when the file containing the
virus is scanned for the characteristic signature of the malicious software. If
the bit pattern defining a known virus matches that in the incoming file, the
file will be quarantined or deleted, according to the policy governing this on
the computer.

A new virus, however, will not yet have a signature characteristic, as it has
not yet been studied by the virus research team, so this zero-day attack will
slip past the traditional antivirus checks in the kernel. Then, when the
infected carrier file runs, and the virus ultimately then gets launched, it is
born on the computer and immediately begins doing its dastardly deeds; in the
case of it being a mass mailer, it ravages the e-mail client's address book and
begins sending out tons of e-mails.

The cool part of the story next happens when the security software engages to
stop the virus dead in its tracks. All modern antivirus software contains--in
addition to the basic signature file scanning mentioned earlier--a technique
termed heuristical behavior detection that is designed to stop a zero-day attack
like the mass-mailer worm being described.

The calls being made by the worm into the kernel are studied by means of the
antivirus hooking the APIs (application program interfaces), and it can be
determined from the specific API calls and order/frequency of the calls that a
worm is active in the system. The antivirus then kills the worm by issuing an
Application Terminate call to the kernel, and the user is once again safe.

Of course, some other details are not depicted in this simple example. But the
main point is that this is the way state-of-the-art antivirus operates today--
first detecting the virus signature and then using behavioral techniques to
detect the new, zero-day presence of new outbreaks. And the killer part of this
example is that PatchGuard will prevent this type of behavior-based zero-day
detection from operating.

The standard technique employed by security vendors for years and years--hooking
the APIs and the ability to kill applications--is specifically being blocked.
Further, Microsoft, which has no similar detection technique, is preventing
security vendor antivirus packages from using these advanced features--even
though Microsoft does not have the ability to do this itself.

The net-net is that the user is demonstrably less safe as compared to during the
XP days, when security vendors could use their advanced behavioral features.

I'm not sure how we can end this story on a positive note. With Microsoft's
design of Windows Security Center and PatchGuard, the restrictions on user
choice of security solution, the stifling of innovation being forced upon the
industry and, most of all, the clear and present danger of dramatically reduced
user safety all come to a head in Vista.

I suppose one can only hope that Microsoft can come to the realization at some
point soon that the simple Vista alterations suggested by the industry must be
taken seriously and implemented.
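The two-stage pipeline the quoted article describes (a signature scan at delivery time, then behavioral detection from the order and frequency of a process's API calls, ending in a terminate action), as an added illustration in Python that is not part of the article, this thread or any vendor's product. The signature bytes, the event-trace format and the thresholds are all constructed for the example.

```python
"""Two-stage detection as the quoted article describes it: a signature scan at
delivery time, then heuristic behaviour detection on the running process. All
of this is constructed for illustration; the trace format is an assumption."""
from collections import defaultdict

# Constructed signature database: bit patterns of already-analysed malware.
KNOWN_SIGNATURES = {b"\xde\xad\xbe\xefMAILER": "W32/Constructed.Mailer"}
# Assumed thresholds: more SMTP connections than this inside the window,
# after an address-book read, is treated as mass mailing.
MAX_SMTP_CONNECTS = 5
WINDOW_SECONDS = 10.0

def signature_scan(file_bytes):
    """Stage 1: return the family name if a known bit pattern is present."""
    for pattern, name in KNOWN_SIGNATURES.items():
        if pattern in file_bytes:
            return name
    return None  # unknown sample: a zero-day slips past this stage

def behavioural_scan(events):
    """Stage 2: study order and frequency of API calls per process.
    events: iterable of (timestamp, pid, api_name, detail). Returns a dict
    pid -> action for processes that read the address book and then burst
    SMTP (port 25) connections within the window."""
    read_address_book = set()
    smtp_times = defaultdict(list)
    verdicts = {}
    for ts, pid, api, detail in sorted(events):
        if api == "ReadFile" and detail.lower().endswith(".wab"):
            read_address_book.add(pid)
        elif api == "connect" and detail.endswith(":25"):
            # sliding window: drop connections older than WINDOW_SECONDS
            recent = [t for t in smtp_times[pid] if ts - t <= WINDOW_SECONDS]
            recent.append(ts)
            smtp_times[pid] = recent
            # order matters: the address-book read must precede the burst
            if pid in read_address_book and len(recent) > MAX_SMTP_CONNECTS:
                verdicts[pid] = "TerminateProcess"
    return verdicts

# Constructed trace: pid 4242 behaves like the worm; 1001 is a mail client
# sending two messages; 3003 is a browser opening many HTTPS connections.
SAMPLE_TRACE = (
    [(0.0, 1001, "ReadFile", r"C:\Users\a\Outlook.wab")]
    + [(1.0 + i, 1001, "connect", "203.0.113.10:25") for i in range(2)]
    + [(5.0, 4242, "ReadFile", r"C:\Users\a\Outlook.wab")]
    + [(5.1 + 0.2 * i, 4242, "connect", f"198.51.100.{i}:25") for i in range(8)]
    + [(6.0 + 0.1 * i, 3003, "connect", "192.0.2.7:443") for i in range(20)]
)
```

Running `behavioural_scan(SAMPLE_TRACE)` flags only pid 4242; the mail client's two messages and the browser's HTTPS burst stay below the heuristic, which is the false-positive trade-off every such rule has to make.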
Robert Moir

Cymbal Man Freq. wrote:
[snip]
I suppose one can only hope that Microsoft can come to the
realization at some point soon that the simple Vista alterations
suggested by the industry must be taken seriously and implemented.

Right. An AV software person decrying Microsoft making changes to the OS
which will require his AV company to make changes to its software.

No vested interest there!
Dennis Pack

Robert:
I agree with your answer "No vested interest there!" because I won't
use their software due to their controls. I use Nod32, which doesn't load the
system needlessly. To re-phrase the quote that you left from the original
post: the big AV companies don't like not being able to control Vista
in the ways that they see fit. Have a great day.

--
Dennis Pack
XP x64, Vista Enterprise x64
Office2007
Nina DiBoy

Cymbal said:
http://news.com.com/Why+Microsoft+is+wrong+on+Vista+security/2010-7349_3-6123924.html

[snip]

Here's my favorite parts:

"we see that Microsoft has implemented PatchGuard...

In a nutshell, PatchGuard crashes the computer when it detects that
specific internal data structures have been "hooked," which is a common
way that malicious software starts doing its damage...

by attempting to lock out the bad guys, PatchGuard is also blocking
advanced security features from working, and the user is much less
secure..."

LOL!

--
Priceless quotes in m.p.w.vista.general group:
http://protectfreedom.tripod.com/kick.html

"Good poets borrow; great poets steal."
- T. S. Eliot
Richard Urban

McAfee has their shorts in a bundle because if PatchGuard works as
intended, there is less of a need for McAfee.

For years the important people - the end users - have been hounding
Microsoft to harden the operating system. Many have asked for this because
they specifically dislike McAfee and Symantec (man, I know I certainly do).
Now that Microsoft has done this who are the ones complaining? You got it!
McAfee and Symantec.

--


Regards,

Richard Urban
Microsoft MVP Windows Shell/User
(For email, remove the obvious from my address)

Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!
Robert Moir

Richard said:
McAfee has their shorts in a bundle because if patch guard works as
intended, there is less of a need for McAfee.

For years the important people - the end users - have been hounding
Microsoft to harden the operating system. Many have asked for this
because they specifically dislike McAfee and Symantec (man, I know I
certainly do). Now that Microsoft has done this who are the ones
complaining? You got it! McAfee and Symantec.

Yes, plenty of other AV providers just got on with the job, with AVAST
managing to be very responsive despite their best known product being a free
one. Surely if things were as bleak as 'the big two' claimed then everyone
would be struggling, with smaller companies like AVAST struggling the most,
due to having fewer resources to address the problem with.

Yet that wasn't what happened. How peculiar!