
Vista's Patch Guard is Killing Next Generation Behavior-Blocking Technologies and Future Security Models

- Symantec calls Microsoft's perspective on security very limited

By: Marius Oiaga, Technology News Editor

Symantec is once again pointing the finger at Microsoft. Voicing the Cupertino-based company's concerns over Microsoft's policies implemented in 64-bit Windows Vista is Oliver Friedrichs, director of emerging technologies in Symantec Security Response. "It is the next generation of behavior-blocking technologies and future security models that will be extinguished through these limitations," stated Friedrichs. And by these limitations, Friedrichs means PatchGuard. No more, no less.

Symantec is also on the defensive following Microsoft's bleak perspective on the security industry and its position that Vista will make third-party security solutions obsolete. "Some of the arguments that are being put forth in their favor are rather uninformed, exceptionally broad, and disingenuous. They have been presented in such a way as to position security vendors as though we have for decades preyed on the weak and stolen from the poor and with the emergence of Windows Vista, freedom from this tyranny is in sight. The reality is, we offer a real service—protection from real threats that will otherwise result in real losses—and this is by no means a protection racket," stated Friedrichs.

Given the evolution of computing, 64-bit machines running operating systems from Microsoft will become the standard. And this is an equation that does not rule out security solutions, as the development of Windows OneCare Live goes to show.

"The 64-bit version of Windows Vista introduces PatchGuard. PatchGuard prevents anyone (with the exception of Microsoft) from tampering with, extending, enhancing, and protecting the Windows Vista kernel. It does this by detecting when a driver, or other code running inside the kernel, attempts to add this extended functionality. It monitors key system structures, one in particular being the System Service Dispatch Table (SSDT). When it detects a modification to this table, it results in a blue screen of death (BSOD), with the belief that malicious code may have tampered with the kernel," added Friedrichs.

One of the detrimental aspects of PatchGuard is that it does not discriminate between legitimate and malicious processes, blocking the whole lot. Friedrichs further claims that PatchGuard is far from being bulletproof and that it has been hacked. This amounts to malware having the upper hand over third-party security solutions when it comes to accessing Vista's kernel.

With PatchGuard, Microsoft is blocking both drivers and rootkits that use kernel SSDT hooking, although that capability is also an integral part of legitimate processes extending the operating system's kernel.

"The SSDT allows security vendors to monitor System Services, which are the fundamental functions in Windows that applications need to do their work. There are over 400 System Service calls. Each of these provides a specific function; whether it is to access the registry, access files, add a user to the system, or reboot the computer. By monitoring System Services, security technologies can monitor the behavior of both good and bad applications running on a system," claims Friedrichs.

Friedrichs also calls Microsoft's perspective on security limited to traditional antivirus and firewall, while claiming that Symantec is implementing products leveraging behavior-blocking technologies on in excess of 200 million desktops.

"Needless to say, the security industry is very concerned that the decisions being made with 64-bit Windows will, in turn, result in a less secure platform. They will directly impact the development of new security technologies, and Microsoft themselves will lose out, due to an insecure platform. It is the next generation of behavior-blocking technologies and future security models that will be extinguished through these limitations," commented Friedrichs.

Friedrichs also takes a swing at Kaspersky, which has defended Microsoft, for failing to realize the implications of PatchGuard, which he likewise attributes to a limited perspective on the security environment based solely on file-scanning techniques.

16th October 2006, 09:07 GMT | Copyright (c) 2006 Softpedia