The problems McAfee and Symantec see regarding PatchGuard they have largely brought upon themselves; Sophos is ready and reports on the situation here:
avast! users rejoice!!! We aren’t affected. I believe I’ve asked McAfee and Symantec in a few threads
to stop bellyaching and find their own solution without trying to break into the Vista operating system.
Sophos believes that PatchGuard is a positive step by Microsoft to improve security in Windows Vista, and is not in itself anti-competitive, provided that Microsoft delivers on its commitment to provide the same level of kernel support and integration to third party security vendors as it does to its own security product team.
The Sophos approach seems to be based on a heuristic analysis of malware to block hacks on the Windows kernel.
Nothing is preventing an AV from running virus scans or heuristic analysis outside the kernel, so what Symantec, McAfee, Sunbelt and Zone Alarm have asked for is something different.
Whether or not they are right in claiming they need access to the kernel to do their job is something perhaps time will tell. If we see rootkits infecting the Windows kernel which no AV can touch because they are locked out, perhaps they will have been proved right.
My own suspicion is that hackers will find a way in:
Joanna Rutkowska, a Polish researcher at Singapore-based Coseinc, demonstrated the hack at Black Hat in August. She showed that it was possible to bypass security measures in 64-bit versions of Vista meant to prevent unsigned driver code from running. The bypass could allow the installation of malicious drivers--a serious threat, because they run at a low level in the operating system.
This is good news, but it might hold some problems. Microsoft appears to have thwarted the attack by blocking write-access to raw disk sectors for applications that run in user-mode, even if they are executed with elevated administrative rights, Rutkowska wrote. "Which is a bad idea," she wrote.
Microsoft’s way of blocking the attack can cause compatibility trouble for programs such as disk editors and recovery tools, Rutkowska wrote. Such applications now will need their own, signed kernel-level driver to function, she wrote.
Moreover, Microsoft’s way of blocking the attack is not a real solution to the problem, Rutkowska argued. An attacker could hijack a legitimate driver and still do evil, she said. “There is nothing which could stop an attacker from borrowing such a signed driver and using it to perform the…attack,” she wrote.
Frankly, I have no idea why people are starting to complain about PatchGuard NOW. I mean, it has been around for some 2 years (in XP 64-bit) and no one really complained so far AFAIK…
Overall, I find PatchGuard quite a useful feature (although it’s true it makes security product developers’ lives a bit harder. C’est la vie, I guess! :))