Sophos Takes Microsoft's Side In Vista PatchGuard Spat


"With the amount of time and effort [spent] adjudicating this publicly, they could have made more progress if they had worked with Microsoft," said Ron O'Brien, a Sophos senior security analyst.

The company's chief technology officer, Richard Jacobs, was even more blunt. "Symantec and McAfee may be struggling with HIPS [host intrusion prevention system] because they haven't coded their solutions with 64-bit Vista in mind," said Jacobs in a statement Monday. "We've taken a different approach to HIPS, by focusing more on catching bad behavior by analyzing code before it executes."

The rancorous exchange amongst Microsoft, Symantec, and McAfee revolves around the former's decision to wall off the kernel in 64-bit Vista. Dubbed "PatchGuard," the technology is designed to stop malicious code such as stealthy rootkits from making changes at the kernel level. Symantec and McAfee, however, went public with objections to PatchGuard, charging that by blocking "kernel hooking" -- intercepting Windows' system calls and modifying the kernel dispatch table -- Microsoft was making it impossible for them to implement advanced security techniques, notably HIPS.

Sophos, said O'Brien, has been able to implement its version of HIPS without kernel hooking. "The method we use does not require access to the kernel. We call it 'genotyping.'" By O'Brien's definition, genotyping scans the file before it executes, looks at the code inside the file to see if it has "potential malicious intent," then blocks the file from executing if a "preponderance of evidence" suggests the file is malicious.
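The pre-execution, evidence-weighing approach O'Brien describes can be illustrated with a small scanner that never touches the kernel: it reads the file's bytes, looks for a handful of indicators, sums their weights, and blocks only when the total reaches a threshold. The following Python is an added example written for this article; it is not Sophos's genotyping code, and the indicator list, weights, threshold and sample files are all constructed here for illustration.

```python
"""Toy pre-execution heuristic scanner (illustrative, not Sophos's genotyping).

A file is scored on static evidence only, so no kernel hooks or dispatch-table
changes are needed; the verdict is made before the file is allowed to run.
"""
import math
import re
from collections import Counter

# Constructed indicator set: (name, byte-regex, weight). Real products use far
# richer feature sets; these are only enough to show the weighing idea.
INDICATORS = [
    ("download_api", re.compile(rb"URLDownloadToFile"), 2),
    ("exec_api", re.compile(rb"WinExec|ShellExecute|CreateProcess"), 1),
    ("autorun_key", re.compile(rb"CurrentVersion\\Run"), 2),
    ("shell_cmd", re.compile(rb"cmd\.exe /c"), 2),
]
ENTROPY_THRESHOLD = 7.5  # bits per byte; packed or encrypted payloads sit near 8.0
ENTROPY_WEIGHT = 3       # assumed weight for a packed/encrypted body
BLOCK_THRESHOLD = 5      # assumed "preponderance of evidence" cut-off


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan(data: bytes) -> dict:
    """Score a file's raw bytes and return score, matched indicators and verdict."""
    matched, score = [], 0
    for name, pattern, weight in INDICATORS:
        if pattern.search(data):
            matched.append(name)
            score += weight
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        matched.append("packed_high_entropy")
        score += ENTROPY_WEIGHT
    verdict = "block" if score >= BLOCK_THRESHOLD else "allow"
    return {"score": score, "matched": matched, "verdict": verdict}


# Constructed sample "files": a fake DOS stub followed by strings an import
# table or payload might contain. None of these are real binaries.
DOS_STUB = b"MZ" + b"\x00" * 62
BENIGN_SAMPLE = (
    DOS_STUB
    + b"This program cannot be run in DOS mode.\r\n"
    + b"GetModuleHandleA\x00CreateProcessW\x00MessageBoxW\x00"
    + b"Hello from a harmless utility\x00"
)
# A single process-creation API alone is weak evidence and must not block.
UNPACKED_DROPPER_SAMPLE = (
    DOS_STUB
    + b"URLDownloadToFileA\x00ShellExecuteA\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)
# Download + execute + persistence together reach the threshold without packing.
HIGH_ENTROPY_BLOB = bytes(range(256)) * 8  # uniform distribution: 8.0 bits/byte
SUSPICIOUS_SAMPLE = (
    DOS_STUB
    + b"URLDownloadToFileA\x00WinExec\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + HIGH_ENTROPY_BLOB
)
# The same evidence plus a packed body scores well past the threshold.

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_SAMPLE),
                          ("unpacked dropper", UNPACKED_DROPPER_SAMPLE),
                          ("packed dropper", SUSPICIOUS_SAMPLE)]:
        result = scan(sample)
        print(f"{label:17s} score={result['score']} "
              f"verdict={result['verdict']} matched={result['matched']}")
```

The point of the weighted sum is the "preponderance of evidence" rule in the article: one indicator, such as a legitimate process-creation call, is never enough on its own, while several weak signals together are. In a real product the indicators would be far richer and the weights tuned against large benign and malicious corpora, since a threshold that is too low blocks legitimate installers and one that is too high lets droppers through.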


While Sophos dubs that technique and technology a host-based intrusion prevention system, Symantec and McAfee might disagree. Those companies' current products -- which hook the kernel in 32-bit Windows XP and will do the same in 32-bit Vista -- monitor system calls to the kernel as well as changes to the kernel's dispatch table to determine whether a file may be malicious. To offer the same kind of protection on 64-bit Vista, Symantec and McAfee have argued, they need access to the inner workings of that kernel as well.

"We do have a different opinion about what HIPS means," O'Brien acknowledged.

Still, Sophos is convinced that additional security can be provided to 64-bit Vista without accessing the kernel. After stepping up its efforts over the past several weeks, Sophos has been able to genotype an increasingly large number of viruses and other malware. "We've improved on our ability to identify both known and unknown threats," said O'Brien, who characterized the response from customers as "good." But like Symantec, McAfee, and most other security vendors, Sophos will participate in the development of the APIs (Application Programming Interfaces) that Microsoft has vowed to create. "The availability of APIs is going to be important as we go forward [with Vista]," said O'Brien. "We need to be in on the dialog with Microsoft."

Last week, Microsoft held opening discussions with security companies about the Vista APIs, the beginning of a process that may, said research firm Gartner, take years.

"We'll be ready for Vista," promised O'Brien, something competitors including Symantec and McAfee have said will be impossible given the no-access rule of the operating system's 64-bit edition.

"There are a number of issues unrelated to securing the kernel that are being avoided by having this public debate," said O'Brien of the Symantec-McAfee complaints. "I think they see their share of the consumer market at risk."

Windows Vista 32-bit and 64-bit are to ship on new computers and at retail in January 2007.