Security vendor bypasses PatchGuard

Hi malware fighters,

Unlike Symantec, McAfee and others who have demanded that Microsoft allow them to access the kernel, and who claim that the Redmond, Wash.-based software giant is blocking them from doing so to advance its own interests in the security software arena, Authentium officials said they have merely circumvented the feature.

What to think of this article?
http://www.eweek.com/article2/0,1895,2036585,00.asp

How long before malware learns this trick (these tricks)?

polonus

More comment from Alex Eckelberry here:

http://sunbeltblog.blogspot.com/2006/10/will-patchguard-be-maginot-line-of.html

Frank, what does this article have to do with the information polonus posted?

Alex Eckelberry is writing about the same subject, and even mentions the approach Authentium have taken.

Correction: he quotes from Agnitum in the blog entry I quoted:

Why is it so risky to use KPP [PatchGuard] to provide kernel security for computers running Vista x64 rather than a third-party security solution?

Here’s an analogy. Today, every house has a different lock on its front door; in the same way, you can use any security product you want to protect your computer. Now imagine if every house in your city were required to use the exact same lock on its front door. As soon as a burglar figures out how to crack that lock, he can freely enter and steal from any house. This is what 64-bit Windows security will look like with PatchGuard.

Alex Eckelberry has now picked up on the Authentium story here:

http://sunbeltblog.blogspot.com/2006/10/qed.html

The second post isn’t the same link, is it? ;D

Nice. I have Authentium’s Command Antivirus as a backup scanner (the on-access scanner is disabled).

Hi malware fighters,

Now it is not so nice, because MS is not amused about what this AV vendor did, and will patch every hack of their PatchGuard. So owners of such an AV solution might actually be at a disadvantage.
Look here: http://www.eweek.com/article2/0,1895,2037052,00.asp
So we see that MS wants to decide what’s gonna run at kernel level, and of course content management will be part of the deal later.

“Hackers have already broken PatchGuard and can disable it. This means that hackers can already get malicious code into the Windows Vista kernel, while legitimate security vendors can no longer protect it. This presents a serious new risk for consumers and enterprises worldwide,” stated Oliver Friedrichs, director of emerging technologies in Symantec Security Response.

With this, Symantec is aiming at no less than discrediting PatchGuard in the eyes of consumers. In this regard, the two brands are weighed in the public perspective. When put in the balance, which of Microsoft and Symantec is synonymous with security? Undoubtedly the latter, which is the leader of an industry built on offering security solutions designed for safeguarding Microsoft’s products. By delivering a below-the-belt blow with the PatchGuard hacking claim, Symantec has chosen to do its laundry with Microsoft in public.

“In addition, now you may ask yourself: if hackers can bypass PatchGuard, why don’t security vendors? (We know now that one actually did it.) We certainly could, if we chose to; however, Microsoft has firmly stated that any attempt to do so will result in an update to PatchGuard, which will detect these attempts. It would be foolish for Symantec to ship a product out to over 200 million desktops that may result in a BSOD on each desktop if Microsoft decides to update PatchGuard,” commented Friedrichs.

Microsoft chose to use the only weapons readily available to them: obfuscation and misdirection.
PatchGuard isn’t new, and here is an article on bypassing PatchGuard: http://uninformed.org/index.cgi?v=3&a=3

polonus