PatchGuard and Vista x86

[Lorne Smith]

Question... What with all the recent furore over PatchGuard in Vista x64 and
Symantec & McAfee's inability to do what Kapersky and Sapho's do, I found
myself wondering something...

WHY is there no PatchGuard in the 32bit version? I saw a vague mention
about backwards compatibility, but pfft to that I say. Properly written
software doesn't need kernel access, and quite frankly, I'd like my 32bit
system to be a bit better protected thank you very much! Symantec and
McAfee can sod off until they learn to program properly.

So, MS, please... Why is there no PatchGuard in the 32 bit version, and can
we have it please? Even if it's something we have to switch on...

 

[David J. Craig]

Here is a question for you then. If a file is being opened, not executed,
how can you tell if it contains a virus? If a program is trying to load a
DLL in your address space how can you monitor its actions? How many things
that OneCare does requires internal information about the OS? How can you
do something like RootKitRevealer (now owned by Microsoft) without data not
provided to normal users? True, reverse engineering can help but reverse
engineering is prohibited in most EULAs and we in the US do not have a legal
shield as some in other countries. Being able to see if the registry and
file system are being 'hidden' by another driver is mandatory to provide
rootkit protection.

There are other 'features' that some antivirus and firewall products need or
want to provide to their users that require interfaces not available. If a
DLL or a program is sending or receiving information over the internet how
can it know what information is being transferred and what will happen next?
Also don't forget the products must work on XP, 2003, Vista, and frequently
2000 as well even though the supplied interfaces have changed. How can you
see if a packet coming in is destined for a program that has a vulnerability
to it?

PatchGuard is a good idea. It would be much better if Microsoft was not
trying to 'Netscape' other security vendors. Why does Microsoft no long
have any antivirus tests in DTM? IO stress has also been dropped for
antivirus products. Maybe it was because of antitrust issues, but it also
means that some of the smaller players may have quality issues.

 

[Lorne Smith]

I fail to see how those actions have any bearing on PatchGuards job of
protecting the kernel. MS have provided the interfaces needed for the AV
peopel to do their jobs. Kapersky, Sophos, AVG, NOD32, Avast.. They all
manage to provide AV and protection to the OS, and some of them even have
HIPS functioning. All with pre-existing interfaces which don't try to mess
with the kernel.

I can see no sensible reason why PatchGuard exists in the 64bit edition, but
not in the 32bit edition. This is why I'm asking the question as to why.
At some point, backwards compatibility needs to be either dropped, or
seriously reduced. At least for software that tries to mess with the OS.
Keeping it in just holds progress back. Of course, if MS do that, people
with bleat and complain like schoolkids, but it's MS's software, they should
be able to do what they want with it. They never guaranteed to all these
software vendors that their software would work in future versions, so they
should have to worry if they don't.

 

[David J. Craig]

The other problem is that PatchGuard cannot protect the kernel from other
kernel components. It just can't be done. All it will do is stop the
security software companies that can't get their drivers signed if they do
it. The mistake was not using ring 1 for drivers when NT was developed. Of
course, we not have VM support in hardware and the OS becomes a ring 1
program running under it. It will become viral code that will attack the OS
by becoming a hypervisor. Then nothing the OS or security companies do will
protect your system. You can't stop the system from enabling a hypervisor
if you can't patch the OS and even then it will be just like a lot of viral
detection today in that it will be reactive instead of proactive.
Signatures will be the only solution and even then they are sometimes
defeated, not updated, or don't know about a zero day attack.

The old days of protecting against boot record viral code was much simpler.
It has gotten worse and it will continue to worsen because many of the
current attacks are motivated by money and not just bragging rights. More
and more people are doing financial transactions over the internet than in
the days of DOS and Windows 3.x. I have heard that Kapersky does or has
done a lot of hooking, but I may be wrong. I have never used any of those
you listed, so I can't say for sure.

You didn't answer my question about how much undocumented access does
OneCare use. It also rates rather low on most of the reviews I have seen.

 

[Lorne Smith]

According to MS, OneCare uses the same interfaces they've made available to
all the third party security providers. As to it's capability, yes there
are better products out there... McAfee and Symantec though, are most
definately NOT two of them!

As to your other points, I don't have as deep an understanding of the
internals of kernel level access, and with MS's statement that any
successfull attacks on PatchGuard will result in them releasing updates to
it, that does make things reactive rather than proactive, but the fact
still remains that other security providers are NOT being prevented from
doing their jobs. This is all down to McAfee and Symantec having written
their products in such as way as to make rewriting them to follow the rules,
laid down YEARS ago, financially inconvenient. Well, tough luck!

PatchGuard isn't the be all and end all of security, but it IS a large step
in the direction of a far safer OS. I just want to know why they've seen
fit to protect the 64bit systems, yet leave the 32bit systems less
protected. The same level of protection should be available to both.

 

[David J. Craig]

I would like to know your source for the information about McAfee and
Symantec. I believe that the 32/64 bit problem is that so many programs for
the 32 bit platform do use hooking techniques, including some from
Microsoft, that it is not possible for them to implement PatchGuard without
having their large accounts get upset. Also don't forget that there is a
large amount of software out there that you never see. It may be written
for internal use at a company or has a very narrow target audience but may
be critical to a large company.

 

[Vipin]

Patchgaurd protects the OS from not being infected. Since 64-bit is not
widely adopted as of now, it is easy to adopt this technology in them rather
than on 95% of systems which are 32-bit machines. Many security applications
will simply cease to work had this technology be adopted for 32-bit systems.
Repercursions of that will simply be too tough for Microsoft to handle.