More on Windows Vista Security

I have been reading quotes online from developers at Symantec and McAfee complaining about the new security features of Windows Vista, specifically PatchGuard, which essentially crashes the computer when it detects that specific kernel data structures have been hooked. All the noise coming from these security vendors just sounds like sour grapes to me; if Microsoft has found a way to make Windows more secure, then they should find a way to work with it. I know this is a big cash cow for McAfee, Symantec and others, but I think they are the only ones who are worried about it. I want a more secure OS, because users don’t have a clue and don’t care to learn.

This is from a “perspective” post on by George Heron, Chief Scientist at McAfee:

For decades, and in every Windows operating system prior to Vista, Microsoft has relied on the contributions of third-party security vendors to help keep the user safe.

These security products from independent software vendors even help keep people’s computers safe from Microsoft’s own critical software bugs, which notably have been on the increase in recent years.

This cooperative and relatively safe computing experience is about to change for the worse in Vista.

I’m not sure how we can end this story on a positive note. Dropping down to the core of the operating system, we see that Microsoft has implemented PatchGuard as a means of preventing access to kernel services that classically have been allowed and available in all previous versions of Windows. Source:

Wonder what kind of strings you have to pull to get a post like that on. Totally self-serving: please don’t change the way we do business, don’t make us change the way our software works, and so on. If they don’t change it now, they won’t be able to fix the problem, and the main problem, as we all know, is the OS. If Microsoft helps prevent some malware, viruses, rootkits, etc., who loses? The outside security companies like McAfee lose. In a recent post here, I referenced an article that said the number one software program at slowing down Windows was Norton Internet Security 2006, and in the top five was McAfee SecurityCenter. His conclusion was:

Well, it’s clear to see what sort of application has the most effect on Windows. Antivirus programs tether the performance of your computer alongside that of one three years its elder. If you really need an antivirus system, make sure you follow these benchmarks, but also make sure you check how good the one you’re looking at really is. Nod32 gets good security reviews and seems to leave the system fairly nippy.

The new version of Norton has shocked me a little. Every year since their Norton Antivirus 2002, they’ve added more and more “bloat”. They call them features, and looking at the box, you’d agree. Features have traditionally come at a price though. If you’re scanning more things, it’s going to take it more time. NIS2007 seems to do all the work of 2006 but with significantly less load on the FileIO. I’m not shouting “go out and buy it” because of the massive boot delay and there are still better products. Source: ThePCSpy

So, we are supposed to feel bad for Symantec and McAfee even with all of the extra bloat they add to a system? One of the first things I try when having a software problem is to check the anti-virus and see if it is the problem, and a lot of times it is.

Here are some quotes from a Microsoft blog post called An Introduction to Kernel Patch Protection, or what everyone has been referring to as PatchGuard. Definitely a recommended read, with info straight from Microsoft.

Hello, I’m Scott Field, an Architect working on Windows Kernel Security. There have been a lot of questions recently about a Windows technology called Kernel Patch Protection (sometimes referred to as PatchGuard) so I wanted to provide some context about the feature to help answer them. OS kernel design is a very specialized area of computer science that rarely receives a lot of public attention, so it’s understandable that there are a lot of questions out there. The purpose of this post is to give a basic primer on Kernel Patch Protection and why it is an important technology to increase the security and reliability of Windows-based PCs.

“Kernel patching” or “kernel hooking” is the practice of using unsupported mechanisms to modify or replace kernel code. Patching fundamentally violates the integrity of the Windows kernel and is undocumented, unsupported and has always been discouraged by Microsoft. Kernel patching can result in unpredictable behavior, system instability and performance problems like the Blue Screen of Death, which can lead to lost user productivity and data. More importantly, kernel patching has increasingly become a mechanism used by malware developers to attack Windows systems.

Kernel Patch Protection monitors whether key resources used by the kernel, or kernel code itself, have been modified. If the operating system detects an unauthorized patch of certain data structures or code, it will initiate a shutdown of the system.

We have also been asked to provide a supported way for ‘known good’ vendors to continue hooking the kernel but prevent others from doing so. Unfortunately, there is no reliable mechanism for us to distinguish between ‘known good’ software and malicious software. Moreover, we cannot prevent a malicious software author from “bundling” purportedly good software in an attempt to thwart the system.

Since Microsoft announced our Trustworthy Computing initiative, helping to ensure the security of our customers has been one of our primary goals as an organization. Part of this is ensuring a rich ecosystem of powerful security products that will reduce the threats from malware and other types of attack. We would not develop a technology designed to lessen the security of our customers or weaken the security of the Windows platform.
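As an added illustration (not code from this post or from Microsoft), here is a user-mode model of the check Kernel Patch Protection performs: a constructed dispatch table of function pointers stands in for the kernel structures PatchGuard guards, a hash of it is recorded at "boot", and later verification reports whether an entry was replaced.

```c
/* Added example (not from the post or from Microsoft): a user-mode model of what
 * Kernel Patch Protection checks. The "service_table" below is a constructed
 * stand-in for protected kernel structures (system service table, interrupt
 * table). A snapshot hash is taken at "boot"; verification recomputes the hash
 * and reports tampering, where the real kernel would raise a bug check instead. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef int (*svc_fn)(int);

static int svc_open(int x)  { return x + 1; }
static int svc_read(int x)  { return x * 2; }
static int svc_close(int x) { return x - 1; }

/* Constructed stand-in for a protected kernel dispatch table. */
static svc_fn service_table[] = { svc_open, svc_read, svc_close };

/* FNV-1a over the raw bytes of the table (the pointer values) as a checksum. */
static uint64_t hash_bytes(const void *p, size_t n) {
    const unsigned char *b = p;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 1099511628211ULL; }
    return h;
}

static uint64_t baseline;   /* hash recorded when the "kernel" finished booting */

/* Record the known-good state of the protected structures. */
void kpp_snapshot(void) { baseline = hash_bytes(service_table, sizeof service_table); }

/* Return 1 if the protected table is unchanged, 0 if an entry has been patched. */
int kpp_verify(void) { return hash_bytes(service_table, sizeof service_table) == baseline; }

/* The kind of hook a third-party driver (or a rootkit) installs: the "read"
 * entry is swapped for its own routine. Constructed for the demo only. */
static int hooked_read(int x) { return svc_read(x) + 1000; }
void install_hook(void) { service_table[1] = hooked_read; }
void remove_hook(void)  { service_table[1] = svc_read; }

int main(void) {
    kpp_snapshot();
    printf("clean table verifies: %d\n", kpp_verify());
    install_hook();
    /* Real Kernel Patch Protection would bug-check here rather than just report. */
    printf("after hook verifies:  %d\n", kpp_verify());
    remove_hook();
    printf("after restore:        %d\n", kpp_verify());
    return 0;
}
```

The model shows why Microsoft says it cannot whitelist "known good" vendors: the check sees only that a pointer changed, not who changed it.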

Why would they block security companies? Only if it was the only way to block some of the malware being released today. McAfee, figure it out; Microsoft will help you if you need it.