Sunbeltblog comments

I read that the Germans actually used the Maginot line against the Americans.


Jolly good show, Alex.
Microsoft needs to realize that security vendors like yourself and others are a first line of defence against the evildoers out there.
This is a war against malware, thus we need to bring all weapons to bear!
Can you imagine if you get a few million copies of Vista out there and then a serious zero day comes along.
Batten down the hatches!!



The security industry has had several such lessons, the Code Red Worm being one of them. A network-based worm that utilized a vulnerability in Microsoft’s IIS, it never hit the disk. Instead, it ran solely in memory. A system based on file-based protection would not have been able to stop it.


Is it entirely file-based? You can write filter drivers for 64-bit Windows to monitor TCP/IP as well and scan anything coming in through the network. I don't know if Sophos is doing this, but it certainly could be done.
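The two comments above make one point between them: a worm that runs only in memory is invisible to a file scanner, so the place to catch it is the network path it arrives on. The following is an added example, not code from the original thread or from any vendor named here. It inspects an HTTP request line the way an inbound filter would, flagging the publicly documented shape of the Code Red request (a request to the IIS .ida/.idq indexing handler carrying an oversized query with %u-encoded bytes). Those details and the size threshold are assumptions from public descriptions of the worm, not from this page, and the request lines below are constructed samples, not real captures.

```python
"""Network-layer inspection of HTTP request lines (added example).

A file-based scanner never sees a worm that lives only in memory, so this
check works on the request as it crosses the network instead. The .ida/.idq
handler plus a long filler query ending in %u-encoded bytes is the publicly
described shape of the Code Red request; the threshold below is an assumption
chosen for illustration, not a vendor default.
"""
import re
from typing import Optional, List, Tuple

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/1\.[01]$")

# Legitimate queries to the indexing handler are short; the worm's filler
# ran to several hundred bytes. 200 is an illustrative cut-off (assumption).
MAX_QUERY_LEN = 200

# Two or more consecutive %uXXXX escapes: the encoding the worm used to carry
# raw bytes through the URL parser.
UNICODE_ESCAPES = re.compile(r"(%u[0-9a-fA-F]{4}){2,}")


def inspect_request_line(line: str) -> Optional[str]:
    """Return a reason string if the request looks like the worm, else None."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return "malformed request line"
    path, _, query = m.group("target").partition("?")
    # Only the indexing-service ISAPI handler was exposed to this bug.
    if not path.lower().endswith((".ida", ".idq")):
        return None
    reasons = []
    if len(query) > MAX_QUERY_LEN:
        reasons.append(f"oversized query ({len(query)} bytes)")
    if UNICODE_ESCAPES.search(query):
        reasons.append("%u-encoded byte sequence in query")
    return "; ".join(reasons) or None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run the check over a batch of request lines; return (prefix, reason) hits."""
    hits = []
    for line in lines:
        reason = inspect_request_line(line)
        if reason:
            hits.append((line[:40], reason))
    return hits


# Constructed sample traffic (not real captures).
CONSTRUCTED_REQUESTS = [
    "GET /index.htm HTTP/1.0",
    "GET /default.ida?name=test HTTP/1.0",
    "GET /default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801 HTTP/1.0",
]

if __name__ == "__main__":
    for prefix, reason in scan(CONSTRUCTED_REQUESTS):
        print(f"ALERT {prefix}... -> {reason}")
```

Only the third constructed line is flagged; an ordinary page fetch and a short, legitimate .ida query pass, which is the property a filter in the network path needs so it can block the worm without also blocking the indexing service.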


Sorry to be a saddo... but they went AROUND it because the Maginot line only went as far as the Belgian border... so the Germans simply went through Belgium. Had the fortifications reached the coast then they would have been much more effective at preventing the Germans' land assault... France fell primarily because of tank warfare backed up with air support... not because the Germans could fly over the line.

The analogy still kinda works though. The Germans could see that a frontal assault on the fortifications would probably not work, so they simply bypassed the problem. In fact the issue went much deeper - the Germans worked out EXACTLY how the Allies would react to their invasion and lured them into a trap (the Germans waited for the Allies to advance into Belgium and then encircled them).

The Allied disposition was too inflexible, and their response to the initial invasion of the Low Countries was too predictable. Compare this with the security monoculture that Microsoft seems to be pushing... if all security products work the same way then they are ALL vulnerable to the same attacks.


In other news, Security Vendor Bypasses Microsoft's Vista PatchGuard

See http://www.eweek.com/article2/ 0,...,2036585,00.asp

Security software maker Authentium says that it has created a new version of its flagship product that circumvents the PatchGuard kernel protection technology being added to Microsoft's next-generation Vista operating system.


Interesting article on Authentium. Also the Yankee Group's Andrew Jaquith's interesting take on PatchGuard and the security industry's reasons for the fuss...
But, I wonder how much of MS's posturing about PatchGuard and its insistence that APIs are "the only way" has to do with the perception that Windows in any form isn't as secure as Linux and MacOS?
In the end, though, the security industry and MS will have to learn to work with one another - and the sooner that happens the better.


Hi Alex, don't you think locking malware out of the kernel has benefits that cannot be ignored?

As to your part about the same lock on every door, that is how the internet is TODAY. Everyone uses Windows, and a new exploit (such as .wmf) affects everyone until Microsoft patches it. So long as Microsoft quickly and effectively patches and bypassing to the kernel, then where is the problem?

Once again, I ask you to read my writeup:
http://spyware-free.us/2006/10/ p...patchguard.html

wng


I am ex-McAfee but now have no connection with the company. This post really is for the benefit of wng_z3r0 as I've just taken a look at his blog and feel he really is missing the point.

In early 2004 McAfee put some HIPS technology into the VirusScan 8.01 product; this was a response to the bad guys using application and operating system vulnerabilities to attack customers. Microsoft at this point was just getting around to regular patching, and still today Microsoft's only solution is to ask customers to continually patch their machines. The problem is that most customers can't simply patch everything they are told to, for reasons primarily to do with change control - if anyone needs reminding of that go look up 06-013 which broke Siebel web client and others. So the only alternative customers HAD to patching was to shield the vulnerabilities - and many use HIPS to this day to do so.

The problem is, however, now that Microsoft has effectively put a stop to shielding 64 bit Windows, what alternative do customers have? Buy more Microsoft security products that can protect them? No, because MS don't have anything that can shield vulnerabilities in the way that a Host IPS product can. So we have this crazy situation where the solution exists to some major problems but MS won't allow it to be used - this is why in my non-McAfee opinion MS have dragged their customers backwards. Thanks


Dave, very interesting. Thanks for the input.


Why do you need kernel access to monitor process creation? I would assume that there have long been APIs to call the process list?


I bring up processes because when I think of HIPS, I usually focus on the ability to block bad processes and DLL hooking.

What other HIPS tools require kernel access? Networking perhaps?


How odd... normally when I see traffic where the referrer URL indicates a web search on someone's name I assume it was that person (egosurfing)... but I suspect that anonymous is the person in this case...

What a strange way to draw attention to the fact that I thought Alex made an excellent post...



Commenting by HaloScan