Security Vendors Get First Draft of PatchGuard APIs

Microsoft today released the first draft of its Patchguard APIs, which will allow independent security vendors to get around the new kernel protection of Patchguard. It also released an evaluation document that details the process Microsoft used to evaluate vendor requests for Vista APIs, and it wants feedback on both the evaluation criteria and the Patchguard APIs by the end of January 2007.

Today’s draft APIs are based on feedback from 26 security vendors and address four major areas, Fathi said. They include APIs for tamper protection, memory-based controls and image-loading operations. Together, the APIs address a majority of the issues raised by third-party security vendors in discussions over the past few months, Fathi said.

“Over the next few weeks, we will work with them to see if there are any changes that are needed,” he said. “Hopefully, everybody will agree this is the right set of APIs and this is what we will deliver in Vista SP1,” he said. Microsoft also plans to continue to work with vendors in gathering requirements from them and delivering new APIs as needed.

At the same time, however, Microsoft has not changed its position regarding third-party access to the Vista kernel, Fathi said. Some vendors have asked the company to consider allowing qualified security vendors to modify the kernel. They point to the fact that they have been allowed to do so with 32-bit versions of Windows and argue that it should be allowed on 64-bit Vista as well.

Source: Computerworld

Security vendors still want to be able to manipulate the kernel, as they could before the release of Patchguard, but Microsoft says Patchguard is key to preventing malware such as rootkits: if security vendors can get around it, then one day so will some malicious programmers. Some vendors, such as Symantec, say Microsoft is hindering their ability to deliver certain features of their software and that they need to manipulate the kernel to provide host-based intrusion prevention and tamper protection. I say, just do antivirus. I worked on a PC today that had the Symantec security suite installed, with a firewall, spyware protection, intrusion detection and loads of other stuff running. Even with all of that, it was still eaten up with spyware and crap, and after I uninstalled it, the system acted as if I had reloaded the operating system; it was that much faster. So, Symantec, McAfee and whoever else might be listening: just make good antivirus like we are used to; your software slows down our machines more than the spyware and malware does.