The way Microsoft is protecting the operating system kernel in the upcoming 64-bit version of Windows Vista continues to be a sore spot with some vendors who claim it impairs the effectiveness of their intrusion protection and anti-malware products.
The Vista Kernel Patch Protection feature, known as PatchGuard, is intended to prevent people from modifying system structures for the purpose of intercepting system calls, says Bruce McCorkendale, a Symantec distinguished engineer. But Symantec, whose host-based intrusion-prevention and anti-malware software sometimes relies on undocumented methods not formally recognised by Microsoft to combat spyware or ward off attacks, says the PatchGuard restrictions in Vista will hamper Symantec’s effectiveness.
“The behaviour-blocking, intrusion-prevention and tamper protection in our products will be somewhat degraded by PatchGuard,” McCorkendale says.
That’s because Symantec’s products have been designed “to use whatever means necessary” to detect and eradicate malware and block attacks that, by their nature, also use any means possible to undermine Windows security, he says.
“Sometimes when attackers are doing certain things, we turn to ‘kernel patching’,” McCorkendale says. “This runs afoul of the PatchGuard policy.”
“There are legitimate reasons for protecting the kernel and we are not asking Microsoft to disable PatchGuard,” he says. But he says the security industry would benefit from added APIs for 64-bit Vista that would allow for documented ways to accomplish technical processes such as image-load filtering, memory-management filtering and named-object event filtering to name a few.
“We brought this to the attention of Microsoft 18 months ago,” McCorkendale says. PatchGuard is not a feature in the 32-bit version of Vista, however.
McAfee, a major competitor to Symantec in the traditional antivirus market, wouldn’t define exactly what impact the PatchGuard feature might have on its line of security products. But it has also been sparring with Microsoft over the issue, and lobbying the Redmond giant for more APIs. In addition, a smaller security vendor, Authentium, says it has found a way to disable PatchGuard, load its own antivirus and anti-spyware software, and turn PatchGuard back on again.
Microsoft says it hasn’t seen direct evidence of Authentium’s hack of PatchGuard yet. But a Microsoft spokesman says fooling around with PatchGuard presents a potential danger to users of 64-bit Vista, which is expected to be available for volume licence in November.
“Microsoft strongly recommends that software vendors not attempt to bypass Kernel Patch Protection,” the spokesman says. “This has the potential for de-stabilising and crashing customer systems, particularly in cases where Kernel Patch Protection is enhanced in updates and updates are delivered to customers.”
To do otherwise is “putting customers at risk,” Microsoft says.
Microsoft says if the PatchGuard mechanism requires a patch, it will be delivered much like another software patch.
Microsoft says it is committed to working with the security industry to identify APIs beyond what is available today that will work with Kernel Patch Protection. But that effort, which will take “several months”, is not expected to reach fruition until Vista Service Pack 1, a formal software update that will follow at some unspecified date after 64-bit Vista ships. Symantec thinks this is likely to be a year away at best.
Not all security vendors appear critical of PatchGuard; Sophos is disparaging of its rivals’ complaints. In a statement, Sophos says, “We are building our technology by making use of supported Microsoft interfaces rather than trying to subvert them. That’s why we’re ready for 64-bit Vista but others aren’t.”