This was a very useful posting. I have always wondered how Symantec software could cause such grief - and now I know. They admit to patching the operating system.
I laughed at Trollope's statement: "We of course cannot pursue a path when Microsoft tells us that they will bluescreen our customers' machines."
The strategy at Symantec is clearly that if anybody is going to bluescreen customers' computers, it is going to be them!
In my opinion you gain nothing by installing the Symantec bloatware except the chance of spending an hour on a 1-900 number to somebody who speaks English as a third language to try to find out why having installed NAV200X your computer will no longer boot!
Richard
10.17.06 - 1:42 pm
Richard -- regardless of how you feel about Symantec software, the issue still remains that you can't implement tighter security (such as HIPS) without access to the kernel.
Alex Eckelberry
10.17.06 - 3:47 pm
I find it ironic that Symantec places so much blame on Microsoft blocking access while at the same time they recommend users remove other applications like our WinPatrol.
I invite Mr. Trollope to contact me and explain why NAV2007 claims we're not compatible.
See http://billpstudios.blogspot.com...tion-error.html
Bill Pytlovany
10.17.06 - 7:13 pm
The next step would probably be to demand that the Windows source code be made available to certain security companies who have been in that business for a long time and have earned an exceptional reputation in that field.
None
10.17.06 - 7:46 pm
We just don't believe Symantec. Every time Microsoft is getting ready to release a new version of Windows, Symantec has always cried foul. Could it not be true that PatchGuard represents a new paradigm that security companies need to step up & think "outside the box"? This ain't your grandmother's Windows!
glenn
10.18.06 - 12:48 am
You simply can't do things like host intrusion prevention with access to the kernel. We have this problem with our Kerio firewall as well. It's not just relegated to Symantec.
Alex Eckelberry
10.18.06 - 8:58 am
If the Vista kernel is not accessible, so that malware can't access it, and Vista is so hardened (UAC, isolated sessions, service hardening, etc.), why do Sunbelt, McAfee and Norton need to use kernel patching techniques? For what purpose do you use kernel patching if the new Vista OS is so much more hardened?
I think Microsoft should not open the kernel.
Luc
10.18.06 - 10:47 am
I'm quite amazed by the responses here. The problem with the kernel being protected in this manner is...take a guess?
What happens if/when malware finds a way around it? If the white papers that are being referenced are correct (I haven't had time to read them myself) then PatchGuard is already behind the protection curve...
I agree with the CONCEPT of what Microsoft is trying to do here. Closing out the kernel is a sound idea...real world practice may make this idea more akin to a death trap for systems that run Vista.
As an example...correct me if I'm wrong Alex (and I apologize that this will not be nearly as technical as others could/would make it).
Symantec, Counterspy, etc... patch to the kernel. This has been done to prevent malware from patching ITSELF to the kernel and disabling your protection software. Now, if PatchGuard locks the kernel and malware works around PatchGuard (who has faith here that it won't happen...?) all security software can be disabled and users have no recourse to remove it or defend against it.
aquias
10.18.06 - 2:05 pm
Aquias is right -- it's an issue with being able to protect the kernel.
However, for HIPS, it's simply a method of being able to work at all. It's not even about protecting the kernel, it's about protecting the machine.
I hope to blog more when I have some more time, just been in a flurry of work here.
Alex Eckelberry
10.18.06 - 4:15 pm
Alex, I disagree.
I blogged here: http://spyware-free.us/2006/10/p...patchguard.html
Would you care to respond to my post?
wng
wng_z3r0
10.18.06 - 10:23 pm
Sophos: No need to bypass PatchGuard:
"I would say that the opposite is really true: that by not focusing on having Microsoft provide us with the means to access the kernel, and in fact using the APIs that have [already] been provided by Microsoft, we are not experiencing any problems with PatchGuard for our latest HIPS technology, Sophos Anti-Virus, or any of the other aspects of our security offering for either 32-bit or 64-bit versions of Windows Vista"
david
10.22.06 - 3:16 am