The Vista Kernal Patch Protection feature, known as PatchGuard, is intended by Microsoft to prevent modifying system structures for purpose of intercepting system calls, said Bruce McCorkendale, Symantec's distinguished engineer. But at Symantec, whose host-based intrusion-prevention and antimalware software works by sometimes using undocumented methods not formally recognized by Microsoft to combat spyware or ward off attacks, the PatchGuard restrictions in Vista will hamper Symantec's effectiveness.
"The behavior blocking, intrusion prevention and tamper protection in our products today will be somewhat degraded by PatchGuard," McCorkendale says. That's because Symantec products have been designed "to use whatever means necessary," he pointed out, to detect and eradicate malware and block attacks that by their nature also use any means possible to undermine Windows security.
"Sometimes when attackers are doing certain things, we turn to 'kernel patching'," McCorkendale says. "This runs afoul of the PatchGuard policy."
"There are legitimate reasons for protecting the kernel and we are not asking Microsoft to disable PatchGuard," McCorkendale says. But he said the security industry would benefit from added APIs for 64-bit Vista that would allow for documented ways to accomplish technical processes such as image-load filtering, memory-management filtering and named-object event filtering to name a few.
"We brought this to the attention of Microsoft 1½ years ago," McCorkendale says. PatchGuard is not a feature in the 32-bit version of Vista, however.
Microsoft says it hasn't seen direct evidence of Authentium's hack of PatchGuard yet. But a Microsoft spokesman said fooling around with PatchGuard presents a potential danger to users of 64-bit Vista, expected to be available for volume license in November.
"Microsoft strongly recommends that software vendors not attempt to bypass Kernal Patch Protection," the spokesman stated. "This has the potential for de-stabilizing and crashing customer systems, particularly in cases where Kernel Patch Protection is enhanced in updates and updates are delivered to customers." To do otherwise, is "putting customers at risk," Microsoft said.
Microsoft said if the PatchGuard mechanism requires a patch, it will be delivered much like another software patch.
Microsoft says it is committed to working with the security industry to identify APIs beyond what is available today that will work with Kernel Patch Protection. But that effort, which will take "several months," is not expected to reach fruition until Vista Service Pack 1, a formal software update, follows at some unspecified date after 64-bit Vista ships. Symantec thinks the timetable is likely to be a year at best.
Not all security vendors appear critical of PatchGuard.
In a statement, Sophos said, "We are building our technology by making use of supported Microsoft interfaces rather than trying to subvert them. That's why we're ready for 64-bit Vista but others aren't."