Posts Tagged ‘PatchGuard’

Security Vendors Get First Draft of PatchGuard APIs

Microsoft today released the first draft of its PatchGuard APIs, which will allow independent security vendors to work around the new kernel protection in PatchGuard. It also released an evaluation document describing the process Microsoft used to evaluate vendor requests for Vista APIs, and it wants feedback on both those evaluation criteria and the PatchGuard APIs by the end of January 2007.

Today’s draft APIs are based on feedback from 26 security vendors and address four major areas, Fathi said. They include APIs for tamper protection, memory-based controls and image-loading operations. Together, the APIs address a majority of the issues raised by third-party security vendors in discussions over the past few months, Fathi said.

“Over the next few weeks, we will work with them to see if there are any changes that are needed,” he said. “Hopefully, everybody will agree this is the right set of APIs and this is what we will deliver in Vista SP1,” he said. Microsoft also plans to continue to work with vendors in gathering requirements from them and delivering new APIs as needed.

At the same time, however, Microsoft has not changed its position regarding third-party access to the Vista kernel, Fathi said. Some vendors have asked the company to consider allowing qualified security vendors to modify the kernel. They point to the fact that they have been allowed to do so with 32-bit versions of Windows and argue that it should be allowed on 64-bit Vista as well. Source: Computerworld

Security vendors still want to be able to manipulate the kernel, as they could until the release of PatchGuard, but Microsoft says PatchGuard is key to preventing malware such as rootkits: if the security vendors can get around it, then one day some of the malicious programmers will too. Some of the vendors, like Symantec, say Microsoft is hindering their ability to deliver some features of their software, and that they need to be able to manipulate the kernel to provide host-based intrusion prevention and tamper protection. I say, just do antivirus. I worked on a PC today that had Symantec Security Suite installed, which has a firewall, spyware protection, intrusion detection and loads of other stuff running. Even with all of that, it was still eaten up with spyware and crap, and after uninstalling it the system acted like I had reloaded the operating system, it was that much faster. So, Symantec, McAfee and whoever else might be listening: just make good antivirus like we are used to; your software slows down our machines more than the spyware and malware does.

Posted by Jimmy Daniels - December 20, 2006 at 5:08 am

Categories: Malware, Security, Virus Info

Microsoft Patches PatchGuard Hack

Microsoft is definitely not happy that a security software vendor has bypassed PatchGuard, the kernel protection in Windows Vista, and said it would not be wise to continue, because Microsoft will close any flaws discovered, making any software that depends on them obsolete. This, says Microsoft, could leave users of such software unprotected and dealing with more problems because of the attempted access. Sounds like they are trying to draw a line in the sand.

“Microsoft is aware of public reports of ways to subvert the kernel in Windows Vista and has addressed them in current builds; however, we have not received any other reports of ways to subvert the kernel in existing builds of Vista,” said Adrien Robinson, director of Microsoft’s Security Technology Unit.

“If a vulnerability is discovered in Kernel Patch Protection, Microsoft will issue a security update as part of the standard Microsoft Security Response Center process.” Source: eWeek

Security vendors have been beating up this topic for a long time now, and Microsoft recently agreed to provide APIs they could use to access the kernel, but the security vendors are worried about how soon they will actually receive them. Authentium's workaround was to take advantage of a part of the kernel that allows the OS to support older hardware. This is NOT the last we'll hear about this subject.

Posted by Jimmy Daniels - October 28, 2006 at 5:01 am

Categories: Ramblings, Windows Vista

Authentium Circumvents the PatchGuard Kernel Protection

I’ve posted before about how security companies are up in arms about the new Windows PatchGuard protection from Microsoft that can block any application from accessing, or “hooking” Vista’s kernel commands, a technique utilized by vendors in sophisticated anti-tampering and behavior monitoring tools, and used by hackers in attacking computer systems with rootkits. Authentium says they have circumvented this feature using a loophole that allowed the operating system to support older hardware.

The company, based in Palm Beach Gardens, Fla., maintains that it has built a version of its Authentium ESP Enterprise Platform that can bypass PatchGuard without setting off the desktop alarms produced by the security feature when the Vista kernel is compromised.

When a program of any kind attempts to modify the kernel on a system running PatchGuard, which is already available in 64-bit versions of Microsoft’s Windows XP OS, the computer produces a blue screen and stops all other Windows applications from running.

Authentium said its workaround allows it to access the kernel without incurring the shut-down.

The company specifically said that it is using an element of the kernel meant to help the OS support older hardware to bypass the feature. The loophole allows the company’s tools to infiltrate Vista’s kernel hooking driver, and get out, without the OS knowing the difference. Source: eWeek

Lots of good reading there, including more info on PatchGuard and links to other articles where security companies have taken Microsoft to task over it. One industry insider thinks McAfee and Symantec have already done this themselves, but are keeping the heat on for a different reason:

At least one industry watcher believes that Symantec and McAfee have developed methods of their own for working with, or circumventing, PatchGuard, and contends that the firms have only kept the heat on Microsoft over the feature to keep antitrust regulators alert to Microsoft’s continued push into their territory.

Which makes sense; they have to protect their bread and butter. Alex Eckelberry from Sunbelt has posted a few articles on PatchGuard, but the one he posted today actually made a lot more sense than the other complaints I have seen from Symantec:

The lesson? We cannot predict how malware authors will work in the future, and that is one reason why PatchGuard is such a potentially dangerous technology.

PatchGuard creates a barrier to the kernel, against which security vendors (the major defensive bulwark for Microsoft) can't get in to help the operating system against an attack, at least without permission through APIs.

The ability of security companies to fully support the 64 bit Windows platform itself, a fact that Gartner's Neil McDonald recently highlighted in his warning that if enterprises use HIPS technology, they should postpone deployment of Vista. After all, the APIs won't even be available until 2008!

HIPS (which stands for Host Intrusion Prevention System), uses methods at the kernel to prevent certain types of attacks. HIPS is part of our Kerio line and it's also part of other products out in the market. For example, our HIPS functionality helps protect against buffer overflow attacks, by watching for system functions being called from memory locations where they shouldn't be called. As another example, our Kerio Server Firewall uses HIPS to provide application lockdown.

McAfee, Symantec and other companies, like Sunbelt, need this access. For Symantec, it's around a number of technologies they've implemented at the kernel, including Tamper Protection, which prevents hackers from attacking Symantec products themselves. For us, it's around HIPS, but it could also affect other technologies that we are developing.

Now, every other article I have read on PatchGuard and these security companies (and I could have missed a bunch, I am sure) has pretty much just been whining about how Microsoft won't allow them access to the kernel; this is the first good explanation of why they need that access. If some new threat (remember Code Red) comes out that requires access to the kernel to prevent it, then these security companies will have to ask Microsoft for an API to the kernel, whereas before they could have just added the extra functionality. And we all know how long it takes Microsoft to issue patches. What will they do if a new threat comes out: will they help security vendors fix it, or will they try to fix it themselves?
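The two HIPS checks Eckelberry describes, a guarded system function that may only be called from code inside a loaded image (his buffer overflow case, where the call site would otherwise be on the stack or heap) and a per-process lockdown of sensitive functions, can be modelled as a small policy evaluator. The C below is an added example written for this page, not Sunbelt's Kerio code: the memory map, the guarded function names, the allowlist and every address are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Kinds of memory a call site can live in. Only image-backed code is a legitimate caller. */
typedef enum { REGION_IMAGE, REGION_STACK, REGION_HEAP } region_kind;

typedef struct {
    uintptr_t base;     /* first address of the region */
    uintptr_t limit;    /* one past the last address */
    region_kind kind;
    const char *image;  /* backing module for REGION_IMAGE, NULL otherwise */
} region;

/* One intercepted call to a system function. */
typedef struct {
    const char *callee;   /* hypothetical name of the system function being called */
    uintptr_t caller;     /* return address of the call site */
    const char *process;  /* image name of the calling process */
} call_event;

typedef enum {
    VERDICT_ALLOW,
    VERDICT_BLOCK_CALLER_NOT_IN_IMAGE,  /* call site is on the stack or heap: injected code */
    VERDICT_BLOCK_LOCKDOWN              /* process is not on the lockdown allowlist */
} verdict;

/* Constructed memory map of one process; addresses are illustrative, not real. */
static const region demo_map[] = {
    { 0x00400000u, 0x00450000u, REGION_IMAGE, "app.exe" },
    { 0x7c800000u, 0x7c900000u, REGION_IMAGE, "kernel32.dll" },
    { 0x00130000u, 0x00140000u, REGION_STACK, NULL },
    { 0x00200000u, 0x00300000u, REGION_HEAP,  NULL },
};

/* Hypothetical policy: which callees are guarded, and which processes may call them. */
static const char *const guarded_callees[] = { "CreateProcess", "LoadLibrary", "WriteProcessMemory" };
static const char *const lockdown_allowlist[] = { "app.exe", "svc.exe" };

static bool in_list(const char *const *list, size_t n, const char *s) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i], s) == 0) return true;
    return false;
}

static const region *find_region(const region *map, size_t n, uintptr_t addr) {
    for (size_t i = 0; i < n; i++)
        if (addr >= map[i].base && addr < map[i].limit) return &map[i];
    return NULL;
}

verdict hips_evaluate(const region *map, size_t n, const call_event *ev) {
    /* Unguarded functions are never interfered with. */
    if (!in_list(guarded_callees, LEN(guarded_callees), ev->callee)) return VERDICT_ALLOW;
    /* Rule 1 (buffer overflow detection): the call site must be inside a loaded image. */
    const region *r = find_region(map, n, ev->caller);
    if (r == NULL || r->kind != REGION_IMAGE) return VERDICT_BLOCK_CALLER_NOT_IN_IMAGE;
    /* Rule 2 (application lockdown): only allowlisted processes may reach guarded functions. */
    if (!in_list(lockdown_allowlist, LEN(lockdown_allowlist), ev->process)) return VERDICT_BLOCK_LOCKDOWN;
    return VERDICT_ALLOW;
}

/* Constructed scenarios, exposed as functions so the verdicts can be checked. */
verdict scenario_normal_call(void) {       /* call site inside app.exe, process allowlisted */
    call_event ev = { "CreateProcess", 0x00401234u, "app.exe" };
    return hips_evaluate(demo_map, LEN(demo_map), &ev);
}
verdict scenario_stack_caller(void) {      /* return address points into the stack */
    call_event ev = { "CreateProcess", 0x00135000u, "app.exe" };
    return hips_evaluate(demo_map, LEN(demo_map), &ev);
}
verdict scenario_unlisted_process(void) {  /* legitimate call site, but process not allowlisted */
    call_event ev = { "LoadLibrary", 0x7c801000u, "unknown.exe" };
    return hips_evaluate(demo_map, LEN(demo_map), &ev);
}
verdict scenario_unguarded_callee(void) {  /* heap caller, but the callee is not guarded */
    call_event ev = { "GetTickCount", 0x00250000u, "unknown.exe" };
    return hips_evaluate(demo_map, LEN(demo_map), &ev);
}

int main(void) {
    static const char *const names[] = { "ALLOW", "BLOCK: caller not in image", "BLOCK: lockdown" };
    printf("normal call      -> %s\n", names[scenario_normal_call()]);
    printf("stack caller     -> %s\n", names[scenario_stack_caller()]);
    printf("unlisted process -> %s\n", names[scenario_unlisted_process()]);
    printf("unguarded callee -> %s\n", names[scenario_unguarded_callee()]);
    return 0;
}
```

The order of the rules matters: the image check runs first because a call from the stack or heap is suspicious regardless of which process made it, while the lockdown rule only has meaning once the call site itself is trustworthy. A product doing this for real needs the return address and the process memory map from inside the kernel, which is exactly the access the post is arguing about.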

Posted by Jimmy Daniels - October 25, 2006 at 3:50 pm

Categories: Microsoft News, Security, Software, Virus Info

More on Windows Vista Security

I have been reading quotes online from developers at Symantec and McAfee complaining about the new security features of Windows Vista, specifically PatchGuard, which essentially crashes the computer when it detects that specific data structures have been hooked. All the noise coming from these security vendors just sounds like sour grapes to me: if Microsoft has found a way to make Windows more secure, then they should find a way to work with it. I know this is a big cash cow for McAfee, Symantec and others, but I think the only ones worried about it are them. I want a more secure OS, because users don't have a clue and don't care to learn.

This is from a “perspective” post on by George Heron, Chief Scientist at McAfee,

For decades, and in every Windows operating system prior to Vista, Microsoft has relied on the contributions of third-party security vendors to help keep the user safe.

These security products from independent software vendors even help keep people’s computers safe from Microsoft’s own critical software bugs, which notably have been on the increase in recent years.

This cooperative and relatively safe computing experience is about to change for the worse in Vista.

I’m not sure how we can end this story on a positive note. Dropping down to the core of the operating system, we see that Microsoft has implemented PatchGuard as a means of preventing access to kernel services that classically have been allowed and available in all previous versions of Windows. Source:

Wonder what kind of strings you have to pull to get a post like that on Totally self serving: please don't change the way we do business, don't make us change the way our software works, etc. If they don't change it now, they won't be able to help the problem, and the main problem, as we all know, is the OS. If Microsoft helps prevent some malware, viruses, rootkits, etc., who loses? The outside security companies like McAfee lose. In a recent post here, I referenced an article that said the number one software program at slowing down Windows was Norton Internet Security 2006, and in the top five was McAfee SecurityCentre. His conclusion was:

Well it’s clear to see what sort of application has most effect on Windows. Antivirus programs tether the performance of your computer alongside that of one three years its elder. If you really need an antivirus system, make sure you follow these benchmarks but also make sure you check how good the one you’re looking at really is. Nod32 gets good security reviews and seems to leave the system fairly nippy

The new version of Norton has shocked me a little. Every year since their Norton Antivirus 2002, they’ve added more and more “bloat”. They call them features, and looking at the box, you’d agree. Features have traditionally come at a price though. If you’re scanning more things, it’s going to take it more time. NIS2007 seems to do all the work of 2006 but with significantly less load on the FileIO. I’m not shouting “go out and buy it” because of the massive boot delay and there are still better products. Source: ThePCSpy

So, we are supposed to feel bad for Symantec and McAfee even with all of the extra bloat they add to a system? One of the first things I try when having a software problem is to check the anti-virus and see if it is the problem and a lot of times it is.

Here are some quotes from a Microsoft blog post called An Introduction to Kernel Patch Protection or what everyone has been referring to as Patchguard. Definitely a recommended read with info straight from Microsoft.

Hello, I’m Scott Field, an Architect working on Windows Kernel Security. There have been a lot of questions recently about a Windows technology called Kernel Patch Protection (sometimes referred to as PatchGuard) so I wanted to provide some context about the feature to help answer them. OS kernel design is a very specialized area of computer science that rarely receives a lot of public attention, so it’s understandable that there are a lot of questions out there. The purpose of this post is to give a basic primer on Kernel Patch Protection and why it is an important technology to increase the security and reliability of Windows-based PCs.

“Kernel patching” or “kernel hooking” is the practice of using unsupported mechanisms to modify or replace kernel code. Patching fundamentally violates the integrity of the Windows kernel and is undocumented, unsupported and has always been discouraged by Microsoft. Kernel patching can result in unpredictable behavior, system instability and performance problems like the Blue Screen of Death, which can lead to lost user productivity and data. More importantly, kernel patching has increasingly become a mechanism used by malware developers to attack Windows systems.

Kernel Patch Protection monitors whether key resources used by the kernel, or kernel code itself, have been modified. If the operating system detects an unauthorized patch of certain data structures or code, it will initiate a shut down of the system.

We have also been asked to provide a supported way for ‘known good’ vendors to continue hooking the kernel but prevent others from doing so. Unfortunately, there is no reliable mechanism for us to distinguish between ‘known good’ software and malicious software. Moreover, we cannot prevent a malicious software author from “bundling” purportedly good software in an attempt to thwart the system.

Since Microsoft announced our Trustworthy Computing initiative, helping to ensure the security of our customers has been one of our primary goals as an organization. Part of this is ensuring a rich ecosystem of powerful security products that will reduce the threats from malware and other types of attack. We would not develop a technology designed to lessen the security of our customers or weaken the security of the Windows platform.

Why would they block security companies? If it was the only way to block some of the malware being released today. McAfee, figure it out, Microsoft will help you if you need it.
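Scott Field's description above, a known-good baseline of protected kernel structures that is re-verified later with a shutdown on mismatch, and the distinction between a documented extension point and patching, can be modelled in user space. The C below is an added example written for this page, not Microsoft's implementation: the dispatch table, the code bytes and the callback list are constructed stand-ins, and the digest is plain FNV-1a rather than whatever the real feature uses.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int (*service_fn)(int);

/* Stand-ins for two kernel services reachable through a dispatch table. */
static int svc_open(int x)  { return x + 1; }
static int svc_write(int x) { return x * 2; }

/* Protected resources: the dispatch table (think of the system service table)
   and a small block of "kernel code" (constructed bytes, not real machine code). */
static service_fn dispatch_table[2] = { svc_open, svc_write };
static unsigned char kernel_code[8] = { 0x55, 0x48, 0x89, 0xe5, 0x5d, 0xc3, 0x90, 0x90 };

/* Supported extension point that is deliberately NOT covered by the integrity check:
   a callback list that vendors register into through a documented API. */
typedef void (*notify_fn)(int);
static notify_fn notify_list[4];
static size_t notify_count;

/* FNV-1a over an arbitrary byte range, chained through h. */
static uint64_t fnv1a(const void *data, size_t len, uint64_t h) {
    const unsigned char *p = data;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Digest of everything that must not change after boot. */
static uint64_t protected_digest(void) {
    uint64_t h = 0xcbf29ce484222325ULL;
    h = fnv1a(dispatch_table, sizeof dispatch_table, h);
    h = fnv1a(kernel_code, sizeof kernel_code, h);
    return h;
}

static uint64_t baseline;

/* Record the known-good state at "boot". */
void kpp_initialize(void) { baseline = protected_digest(); }

/* Returns true if any protected resource changed since initialization.
   The real feature raises a bug check instead of returning a flag. */
bool kpp_violation_detected(void) { return protected_digest() != baseline; }

/* Documented way to be notified of events: touches nothing in the protected set. */
bool register_notify_callback(notify_fn f) {
    if (notify_count >= sizeof notify_list / sizeof notify_list[0]) return false;
    notify_list[notify_count++] = f;
    return true;
}

/* Unsupported way: overwrite a dispatch entry, which is what "hooking" the kernel means. */
static int hooked_open(int x) { return svc_open(x) + 100; }
void patch_dispatch_table(void)   { dispatch_table[0] = hooked_open; }
void unpatch_dispatch_table(void) { dispatch_table[0] = svc_open; }

static void example_callback(int event) { (void)event; }

/* Scenarios, exposed as functions so the outcomes can be checked. */
bool scenario_callback_passes(void) {       /* supported API use is invisible to the check */
    kpp_initialize();
    register_notify_callback(example_callback);
    return !kpp_violation_detected();
}
bool scenario_hook_is_caught(void) {        /* table overwrite is detected */
    kpp_initialize();
    patch_dispatch_table();
    bool caught = kpp_violation_detected();
    unpatch_dispatch_table();
    return caught;
}
bool scenario_code_edit_is_caught(void) {   /* simulated inline patch of kernel code */
    kpp_initialize();
    kernel_code[0] ^= 0xff;
    bool caught = kpp_violation_detected();
    kernel_code[0] ^= 0xff;
    return caught;
}

int main(void) {
    printf("callback registration clean : %s\n", scenario_callback_passes() ? "yes" : "no");
    printf("dispatch hook detected      : %s\n", scenario_hook_is_caught() ? "yes" : "no");
    printf("code modification detected  : %s\n", scenario_code_edit_is_caught() ? "yes" : "no");
    return 0;
}
```

The property the model keeps is the one Field is describing: the callback list lies outside the protected set, so a vendor can extend it freely through the documented call, while any write to the table or to the code bytes changes the digest and is caught. The real feature runs its verification from inside the kernel at irregular intervals and responds with a bug check rather than a return value, which is the "blue screen" the other posts on this page mention.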

Posted by Jimmy Daniels - October 12, 2006 at 1:06 pm

Categories: Security, Windows Vista