Microsoft Releases Vista Kernel APIs To Rival Security Firms

The application programming interfaces are meant to give security software makers access to information heading into the Vista kernel so that they can create software similar to what they now write for Windows XP and Vista 32-bit. That software often "hooks" into the kernel to monitor behavior that could indicate that malicious code is trying to hijack the computer.

"We are delivering the first draft set of these new APIs for Windows Vista [which] have been designed to help security and non-security ISVs [independent software vendors] develop software that extends the functionality of the Windows kernel on 64-bit systems, in a documented and supported manner, and without disabling or weakening the protection offered by Kernel Patch Protection," said Ben Fathi, Microsoft's Windows security chief, in a statement.

Kernel Patch Protection is the name Microsoft has given to a set of technologies first implemented in Windows XP 64-bit, and extended in the 64-bit version of Vista. Also known as PatchGuard, it locks out all access to the operating system kernel, and is meant to stop both malicious code and third-party software from making changes at the kernel level. Microsoft has repeatedly touted PatchGuard as an important defense against rootkits and other advanced malware.

But several prominent security vendors, notably Symantec and McAfee, objected to PatchGuard this fall, called Microsoft's decision wrong-headed, and rebuffed its claim that APIs would solve their problems.

Sponsored post

Wednesday, Symantec refused to comment on the draft APIs. "Symantec has received the draft APIs regarding PatchGuard and is currently evaluating the information and awaiting additional information from Microsoft," Symantec spokesman Mike Bradshaw wrote in an e-mail. "Until that process is complete, we have nothing to add to the story." McAfee did not reply to a similar request for comment.

Under pressure from the European Union's antitrust watchdog, Microsoft in mid-October promised to design and deliver APIs that would let others access data going to the kernel. Although some analysts praised the move as an "acceptable compromise" between Microsoft and its security partners, vendors soon scoffed at the idea.

"It's not enough," Rowan Trollope, Symantec's VP of consumer engineering, said at the time.

Fathi said Microsoft recognizes that the job isn't over. "I want to emphasize that [these APIs] are not final," he said. "In the next several weeks, we'll continue gathering input about the draft specifications from ISVs and other security experts."

He also confirmed earlier reports that Microsoft plans to release the first set of these APIs in Vista Service Pack 1, the future update that has been pegged with several possible release dates, ranging from mid-2007 to late next year. "Early test versions [of the APIs] will be made available to ISVs so they can update and test their software in time for release along with Service Pack 1," Fathi added.

The draft APIs include ones that govern whether applications are allowed to launch or be manipulated, and others that will prevent tampering with running security processes.

Microsoft has also posted a Word document that outlines the criteria it uses to evaluate and prioritize the kinds of APIs it will develop.